April 6, 2010

Greg Piper, Washington Internet Daily, 04/06/2010

Only an appeal to the bottom line will get the attention of executives when discussing cybersecurity, experts said Wednesday in releasing a report intended as a guide for helping businesses evaluate and respond to cyber risk in financial terms. The Internet Security Alliance and American National Standards Institute, with participation from several tech vendors, law firms and government agencies, developed the free guide in response to President Barack Obama’s call for an industry “action plan” in the White House Cyberspace Policy Review last year. The ISA-ANSI plan has been endorsed by the former official who led that review, Melissa Hathaway, who recently said the U.S. has lost “urgency” since her report debuted (WID Feb 10 p1).

ISA was skeptical about the National Strategy to Secure Cyberspace undertaken by President George W. Bush and “we were probably correct” that it failed, with over a trillion dollars lost in 2008 to breaches affecting companies’ intellectual property, said Alliance Chairman Larry Clinton at an event in Washington Wednesday. Despite a rise in cyberattacks, companies are largely holding steady or decreasing their spending on cybersecurity, he said.

Every part of an organization has data but the American attitude is that the IT department, “traditionally starved for resources,” has responsibility to secure everything, Clinton said. All the economic incentives favor those making cyberattacks, which are easy and cheap to pull off, have a high payoff and a “minuscule” chance of getting caught. The return on investment is vague, and “even if I do a good job investing … your lack of security” negates the benefits of cybersecurity spending, he said. Justin Somaini, chief information security officer at Symantec, a report sponsor, said the company last year released 2.7 million signatures to block malicious code, more than all signatures combined in its previous 25 years. About a third of attacks targeted the public sector, and 10 percent, finance, he said, calling the varying defenses put up by businesses “digital blood in the water.”

The “human element” can’t be overlooked in cybersecurity, said Joe Buonomo, CEO of Direct Computer Resources, who co-led working groups to devise the report. “A secretary shouldn’t be writing passwords down on Post-It notes,” and CEOs should “once in a while walk around their operation and do some shoulder-surfing” to see what employees are browsing, he said: “I think they’ll be unpleasantly surprised.” If Google can suffer massive breaches traced to China, no company is safe, he said — but “formulas that are readily available” can help companies evaluate and quantify their risk. The right insurance and software can mitigate much risk, Buonomo said.

The report is geared toward chief financial officers, 95 percent of whom aren’t involved in managing their companies’ information security risks. Only 17 percent of corporations in a Carnegie Mellon University study had a cross-organizational privacy and security team, and of roughly half who had a formal enterprise risk management plan, only a third of those plans included IT risks, the report said. It’s widely agreed that most attacks are preventable — a Verizon study said 87 percent of breaches could be preempted by “reasonable security controls.”

A much bigger threat than external intrusion is insider attacks — employees vulnerable to “social trickery, persuasion, coercion, personal weakness and lapses in integrity,” the report said. It called this variable “the greatest wildcard” and one that demands the CFO’s personal involvement. It’s crucial to draw talented cybersecurity experts to companies and pay them commensurately — those with both financial and computer science backgrounds, or experience in multiple markets, are more valuable than those with more narrow training, the report said. It also deals with managing legal and compliance issues, operations and technology, external communications and “crisis management,” and financial risk transfer and insurance.

Clinton said he disagreed with re-engineering the Internet architecture to better trace attacks and provide more regulatory oversight over systems and networks, as proposed by former Director of National Intelligence Mike McConnell in a recent congressional hearing (WID Feb 24 p1). The best U.S. defenses historically have been two oceans, which are “virtually irrelevant in the Internet world,” where attacks are constant, Clinton said. The answers to the problem are known: “We’re just not doing it.” The government’s role in cybersecurity should be similar to the Food and Drug Administration’s in approving drugs — determining what works and providing incentives to companies who follow rules proven to work, such as bigger Small Business Administration loans and procurement reform for military contractors, he said. The cybersecurity bill by Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., has much improved in the past year from a regulation-focused effort to something more in line with the alliance’s view, Clinton said. The bill passed the committee last week (WID March 25 p1).

The key is showing corporations that they will maximize shareholder value, as they’re legally obligated to do, by securing their systems, Clinton said. Brad Gow, senior vice president of specialty errors and omissions at insurer Zurich North America, said catastrophic breaches in one industry, such as retail, often are followed by “waves” of businesses buying cybersecurity insurance who fear taking a multimillion-dollar hit. The “taxonomy” of cybersecurity must change from technical jargon to “fiscally oriented” terms that CEOs and CFOs understand, Somaini said. “It only takes reallocating some budget money around,” Buonomo said: “It’s not rocket science.”