How much security is enough?

Commentary: With a CISO on their board of directors, organizations could gain a better understanding of the cyberthreats their systems face.

By JR Reagan, May 13, 2016, 1:00 PM

http://fedscoop.com/how-much-security-is-enough (captured 9/16/16, 1:29 PM, page 1 of 5)



Not long ago, a chief risk officer might often have felt like a salmon swimming upstream. Also known, tongue in cheek, as “business prevention officers,” CROs for many years may have been relegated to the sidelines, their advice lost in the press of doing business, University of Maryland business professor Clifford Rossi wrote in American Banker.

But large-scale “black swan” events in recent years demonstrated to organizations the perils of leaping after business capital without first taking a long, hard look at risk. As a result, CROs have gained enormously in respect and prestige, no longer seen as “business preventers” but as “business protectors” who are essential to success.

The risk profession has come into its own. A number of organizations have increased their risk-management budgets, some by as much as 100 percent, including raising CROs’ pay. CROs have gained influence, as well. More have a seat on their institution’s board of directors, and many now report directly to a C-level executive, the Wall Street Journal reported.

Ditto for the CISO?

The chief information security officer may be on a similar path.

Cybersecurity has often been regarded as an IT problem — with a price tag that can make executives cringe. CISOs’ warnings of system vulnerabilities sometimes do not even get reported, as their superiors — often, the CIO — may be reluctant to request the funds needed for a fix, according to a Business Insider report.

Large-scale data breaches of recent years have shown business leaders the dangers of turning a blind eye to cyber. Security can be expensive, but the alternative may be worse: Estimates place the costs to business of cyberattacks at upwards of $500 million a year, Forbes reported in 2013. The reputational toll may be high, as well.

And a major reason for weak security, one study shows, is a lack of funding.

As a result, Forbes reported, organizations large and small are upping the cybersecurity ante, with some major banks investing hundreds of millions of dollars this year, even doubling expenditures in some cases.

JR Reagan writes regularly for FedScoop on technology, innovation and cybersecurity issues.

But is spending money enough? Some say increasing the cyber budget is a good first step, but protecting our systems requires systemic change. Organizations do need great security and IT staff and top-notch cybersecurity tools, but they also need comprehensive risk-management strategies devised, and implemented, at the board level, according to Cyberpolicy Magazine.

For a truly effective security program, CISOs must discuss the organization’s security posture openly, honestly and regularly with the board, a recent book on cybersecurity asserts. After years of debate, the time may have come for CISOs to join their boards of directors — as chief risk officers started doing when risk management was deemed crucial to business success.

Giving CISOs a seat on the board would almost certainly help the C-suite keep current on ever-changing cybersecurity challenges and solutions, and improve organizational resiliency and response should threats or breaches occur.

Some suggest that reporting hierarchies ought to change, as well, so that the CISO reports directly to the CEO — something that happens now only 22 percent of the time, according to the Governance of Cybersecurity 2015 Report from the Georgia Tech Information Security Center.

Engaging the CISO at the highest levels may reap many benefits for an organization, including a more productive, collaborative approach to security — so that, rather than having a lone-salmon CISO fighting against the current, organizations and their security teams work more like a school of fish swimming in sync, moving with the flow, toward common goals.

JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer. Read more from JR Reagan.
