Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, February 15, 2005

Cybersecurity: It’s Dollars and Sense

Cybersecurity: It’s Dollars and Sense Few CEOs grasp the case for investing in safeguards against hackers, worms, and the like.

Not only is it technically impossible to completely secure cyberspace, but the technology is complicated, the vocabulary arcane, and the expertise to make it happen hard to find—and even harder to apply.

Worse yet, most managers never learned how to calculate the value of—and communicate the business case for—cybersecurity.  Yes, I realize that overall spending on cybersecurity continues to increase every year.  Yet every executive I know is kicking and screaming about its cost along the entire way.

The sad reality is that every computer network has cybersecurity exposures.  This is due in large part to the fact that most software and computer systems focus on function, not security.  Security is bolted to computer systems using things like firewalls and intrusion-detection systems.

Additionally, the communications methods used to deliver data are over 30 years old, coming from a time when security was less of an issue.

Compounding the problem, as software has become more sophisticated, the code used to write it has grown significantly.  Conventional wisdom says you can expect to find about one bug for every 1,000 lines of software code—and every bug is an opening for hackers.  The 45 million-line operating system that runs your computer may have 45,000 ways to be breached by a hacker.  These hackers are smart, and most have much more time to spend attacking you than a typical system administrator can spend defending against them.

Attacks are also becoming increasingly automated, which compounds the problem.  Computer worms and other autonomous, malicious programs can attack and infiltrate these complex environments in a relentless, methodical fashion.

Most senior executives are aware of these cybersecurity issues.

The problem is that these issues rarely turn into funded information-technology projects when evaluated against other business priorities.  Sure, every survey of chief information officers says cybersecurity is one of the very top issues for a company.

Yet in most executive suites, cybersecurity is considered necessary to stay in business, but not to make the business bigger.  So what if a PC gets hammered by a worm?  It won’t kill the business, and the expense to clean it up will be minimal.

There’s a way to deal with this dilemma.

Chief information officers need to translate the IT priority of cybersecurity into a business priority that the CEO can’t ignore.

Asset protection: Most businesses recognize that they must protect their physical and intellectual assets.  For example, they can’t let someone steal their patents.

The same kind of rigor that is applied to valuing, protecting, and insuring traditional assets needs to be applied to cyberassets.  If someone steals your customer- or product-development data base you could be put out of business.

Brand protection: Every CEO is concerned about the outfit’s brand.  CEOs can increase the perceived value of the company through the equity they build in their brands.  What if your company is hit by a hacker and all the credit-card data from the e-commerce wWeb site is compromised?  What happens to the value of the brand—and to your stock price?

Compliance: Probably the strongest justification for investing in cybersecurity is that you don’t have a choice: It’s the law.,1759,1765331,00.asp

Posted on 02/15