Wikibon calls for security to become a board-level issue
Siloed organizations, lack of awareness of the value of data and the growing inevitability of attack are holding organizations back from taking a coordinated approach to information security, writes Wikibon Chief Research Officer David Vellante in a new report on Wikibon.com (membership required).
Organizations have historically focused on perimeter defenses and keeping attackers out, but that strategy is impractical today, Vellante writes. Most security experts agree that breaches are now a given, meaning that CIOs need to concentrate on isolating and containing attacks to avoid broader infiltration into the corporate network.
Vellante identifies several shortcomings of the security strategies Wikibon has seen in the companies it has studied:
Lack of board-level awareness – Security is often seen as a technology problem that is left to technologists to solve. But security is everyone’s problem because data breaches impact the entire company. “Organizations must structure security as a shared responsibility with a combination of tech experts, audit/compliance, the general counsel, lines of business heads and the board of directors all sharing the burden,” Vellante writes.
Organizational silos – Security tools tend to be applied narrowly within departments or divisions rather than across the organization. This creates vulnerabilities because attackers typically penetrate a single entry point and then fan out across a network. Wikibon has estimated that it often takes more than 200 days for an organization to even realize that it has been compromised.
Failure to set priorities – Too many security organizations treat every breach the same. Response strategies are often defined by chronology rather than severity. A better strategy is to categorize threats by risk and by the value of the data at stake. But many organizations treat all data as the same, which leads to uncoordinated and ineffective responses.
Vellante says it’s time for information security to become a board-level issue. This will require a proactive effort by CIOs and chief information security officers (CISOs) to sell the business value of security and to define threats and responses in terms that board members can understand, rather than talking over their heads.
Former U.S. Secretary of Defense Dr. Robert Gates summed up the issue succinctly in an interview on theCUBE: “There is no question in my mind that when it comes to risk, for most companies today, cyber is right up there with natural disasters.”