Making the Real Case for Cyber Security
Source: Deloitte Development LLC
How to talk to senior executives about the realities of the evolving cyber security landscape.
Despite increasing attention to security in the press and the boardroom, the security capabilities in many companies have not kept pace with a rapidly changing world. IT leaders can help ensure that their colleagues on the business side are focusing on the right issues in determining how and where to invest in cyber security.
Busy senior executives cannot focus on every part of the organization in detail, and many do not know enough about how changes in the company and its business environment are creating new security challenges. Most executives’ views of security are shaped by two sources. The first is the concerns of auditors and regulators (a compliance-driven view); the second is media reports about threats (a reactive view). Both views are legitimate, but the approaches they produce sometimes fail to address the most serious risks the organization actually faces. Compliance, although essential, does not equal security: controls scoped to an auditor’s checklist do not necessarily cover the systems and data an attacker would target. Likewise, reacting to whatever the media is reporting this month diverts attention from the organization’s own risk profile. Such views and approaches are partly why security has not kept pace with the environments whose risks must be managed.
CIOs know that they must play an essential role in ensuring that cyber security is being appropriately addressed, and that sufficient resources are made available. The goal today is no longer simply convincing other C-suite executives that cyber security is worthy of increased funding. Instead, CIOs must give their business colleagues enough understanding of the rapidly evolving cyber threat landscape so that they are willing to invest in security without feeling they are overspending.
This article, the first in a three-part series on cyber security, gives an overview of the changing landscape that requires security programs to evolve, and offers advice on how to make the issue relevant to business colleagues. The second article in the series will examine cyber security in a borderless world, and the third asks you to consider whether your IT security approach is up to the task of addressing today’s threats.
Educate Leaders About What Has Changed
What has changed over the past few years to make the compliance-driven and reactive views of cyber security inadequate? In short, a lot. Mobile devices, social media, cloud computing, and other developments have enabled new ways of working while disrupting the IT environment. Large volumes of unstructured data and collaborative computing platforms have made IT infrastructure at many enterprises a rapidly changing work in progress. These changes have occurred at breakneck speed, dictated by the needs of the business, the development of IT, and the speed of adoption by users. In many companies, security has not kept up with these business changes.
This increasingly porous environment presents a ripe target for the growing number of cyber criminals, hackers, corporate spies, activist attackers, and intellectual property (IP) pirates who exploit the opportunities created by inadequate security. Cyber crime is growing in part because it is a low-risk, high-reward endeavor: the profits are outsized and the chance of detection, let alone prosecution, is small. An underground “support system” now offers data acquisition, access to compromised systems, identity theft, and malware creation as services, lowering the skill needed to commit cyber crime. Organized crime and cyber terrorism are also part of the picture, and both are widely regarded as growing threats.
Often, these “bad actors” are more motivated, adaptive, and skilled than the users and security professionals in the average enterprise. They understand emerging technologies and use that knowledge to gain undetected access to systems and to move through them as legitimate users would, though to less benign ends. They seek the path of least resistance, for instance targeting enterprises that have not adequately protected essential systems and data, and they face neither the time nor the budgetary constraints that limit corporate security functions.
They also know how to exploit the vulnerabilities created by new business models and processes. For instance, they can infiltrate the “seams” of extended enterprises that rely on independent contractors, joint venture and channel partners, and other third parties with system access. Companies with such extended enterprises may not know, at any given moment, who has access to which data and systems, and at which points. At those times and points, attackers armed with keystroke loggers and other tools can harvest credentials and data, skim small fractions of the value of transactions, redirect users to sites they control, and take over accounts.
Make it Relevant
In presenting these facts to C-suite executives, it is important to relate the business case for cyber security to each executive’s needs. Many business executives are uncomfortable with cyber security. They know it is a big risk, yet are unsure what questions to ask. And they cannot invest the time and attention into learning the intricacies of security. So, like other specialties in the company, they delegate security to experts.
However, every C-level executive holds a stake in cyber security, and some will engage if IT people can make it relevant to them. Start by asking questions that lead to thoughtful discussion. Which types of information would be more (or less) costly to the business if breached? Which processes would be more (or less) costly if they failed or were tampered with? What is the tradeoff if a highly secure approach means a project is cancelled, redesigned, or delayed?
The business case for security should consider the value and vulnerability of the assets to be protected, but it’s easy to underestimate both. While the importance of customer data and IP assets is widely recognized, other assets also require protection. These include employee, pricing, and sales data; contracts with customers, suppliers, and business partners; payables and receivables data; email and legal documents; and most other assets in digitized form—including financial and banking information.
Listen and advise while gathering information. To make the business case, assess the value of the key assets in each executive’s area and how vulnerable they are. Explain how those assets could be stolen, copied, or corrupted by specific methods of attack, such as malware or unauthorized remote access. Describe why IT puts controls on new technologies and tries to limit exceptions to policy. Then discuss the ways and means, and the costs and benefits, of protecting that unit against a cyber attack.
Keep Talking
Regulators and corporate risk management functions are paying more attention to information security and the protection of sensitive data than ever before. Coupled with the pervasive role of IT, the high value of IT assets, and the rapid rise of cyber crime, this makes it an ideal time to press the case for maintaining, or increasing, your organization’s investment in cyber security. Business executives know they need to pay more attention to security. CIOs can best make their case by helping those executives feel comfortable having the security discussion.
—by Irfan Saif, principal, Deloitte Center for Security & Privacy Solutions, and George Westerman, research scientist, MIT Sloan Center for Digital Business