Information security today is seriously big business. While cybercriminals are making hay on the black market with stolen identities and records, cybersecurity breaches are also clearly costing companies much more than before.
According to the Ponemon Institute's recent annual report, the cost of a data breach rose to $3.5 million in 2013. Companies lose an average of $145 per compromised record, according to annual Cost of Data Breach Study, while the average cost of a data breach rose 15% last year to $3.5 million.
Anyone that still dismisses information security as just an IT issue is delusional. Just the simple mention of the leading US retailer Target should send shivers down the spines of CEOs everywhere.
A total of 70 million records stolen that included the name, address, email address and phone number of Target shoppers. The cost to credit unions and financial institutions for reissuing the 21.8 million cards is estimated at $200 million, plus $100 million for Target to upgrade systems and payment terminals.
Who's to blame?
Profits fell 46% in Q3 of 2013 compared to the previous year, which all ultimately resulted in not only the CIO being axed but even the CEO was made to pay the ultimate price of this security failure.
Security leaders and experts noted at the annual InfoSecurity Conference organized by Computerworld Hong Kong and e21 MagicMedia, that security is today the responsibility of all business leaders.
Despite the critical nature of information security today, the role of chief security officer or chief information security officer is not as common as one would expect.
According to Amar Singh, former CISO at News International, information risk & GRC expert based in UK, there is huge demand today in Europe and US for CISO roles but the role is still seeing significant change. 'We're seeing the emergence of chief privacy officers and chief risk officers that are assuming much more responsibility for information security," said Singh during a panel discussion with IT leaders on day two of the conference.
He noted that security is now moving out of the IT domain which is a good sign as in the past, anything that involved information security immediately became pigeon holed in IT.
"It doesn't matter what you call it [the role] today, there is a clear demand for a person who can save the ship from sinking," said Singh.
IT at heart of security
Fellow panel speaker, Ted Suen, head of IT at MTRC, believed that IT will remain heavily involved in information security but that the growing involvement by other business leaders is critical to better security in the future.
Information is such a critical asset in business today, it can be a key differentiator for a bank and it can help derive unique insight into a customer, protection of that data is absolutely vital to company livelihood.
"The challenge is how to get the organization to create a more holistic view of data and security," said Suen. At MTRC the structure is in place with IT heading the information security committee which draws on key stakeholders from across business to ensure adequate awareness and broad business involvement.
"However the concern is whether smaller businesses have the necessary approach and structure to support information security properly given the information-centric era we live in today," said Suen.
"But in my mind there is no one person that can handle all security issues--a company may have a CSO and he or she may run the security department but they will need many different experts from different parts of the business to do the job effectively," he added.
At global environmental services group Veolia, information security is handled by the CIO, while physical security is managed by the director of security. Interestingly the two departments rarely work together when it comes to information security but Lenny Baptiste-Conil, risk & business continuity manager at Veolia, predicted these two functions would see increased collaboration in future.
The physical security function covers safety of assets, buildings but also people. Where people are concerned then information becomes a major focus and that is clearly in the realm of IT.
Baptsiste-Conil also pointed out that the director of security actually has a direct reporting line to the company's CEO, reflecting the critical nature of that area of the business. While the person in charge of information security did not have that same level of CEO access, he raised the possibility of this changing in future.
The company nature will also dictate the level importance of data security, noted Baptiste-Conil. "If your business is in technology or if you're a bank then it makes sense to give a higher profile for information security and have direct report to the CEO."
On the issue of whether CEOs should take the fall for major security breaches, the speakers had similar replies. It really depends on the data being exposed or impacted. If the risk or breach is around internal information then the customer reaction is not so great and therefore business impact is reduced.
"Customers will not desert the company if a few patents are lost," said Baptsiste-Conil. "But if the breach is around customer data and it's clear that leadership neglected their duties as the leaders of the organization then it may be fair that the CEO is to go."
For Fuller Yu, who effectively heads up the security function at AIA Group, he noted that it's not always necessary to have the CEO be heavily involved in information security initiatives. But the expectation today is for critical information security issues that have business impact to be an agenda item during board meetings.
"As a CIO it's important you are feeding critical security information to the business leaders and to communicate this in the correct terms around risk and financial impact," said Yu, who is head of Technology Risk Management at the group.
Security tips for marketing
One area of the business which is seeking more information security insight is marketing. There is a clear trend of growing IT spending by marketing departments as they seek digital marketing tools, analytics and cutting edge applications in an effort to improve customer engagement.
Singh questioned whether, as CMOs become in some cases the biggest spenders on technology, they will be aware of all the risks. "Some of the least security-aware people I have come across have been in marketing so the challenge is educating marketing of the heightened risks involved as they get more involved in digital commerce and digital engagement," he added.
Singh expects the security role to evolve into a hybrid role involving a combination of risk, privacy, security and compliance. "Whether it all comes under one person or a combination of people, marketing leaders and business leaders will increasingly require strong guidance on security issues," he said.
The challenge here for security and IT leaders is making the message heard. Yu at AIA stressed the need to speak in the language of the business leader whether he is from marketing or another line of business. "Ask the CMO what is critical to the brand and explain the things they should do to protect that brand," said Yu. "Focus on helping them achieve their goals, that's the way to create a winning partnership."