As CMOs and CIOs work on managing their relationship in the new digital world, it’s important to stay in sync on important issues like data security. Nothing can send a shiver down a marketer’s back like the fear of coping with customer pain and brand damage from an information security breach.
Your CIO counterpart is feeling that same shiver and that same responsibility to protect customer data. Recently, I had a front row seat to what the experts are saying about information security threats and strategies. According to the cyber security panel at the Venture Atlanta conference held a few weeks ago, the sophistication and frequency of cyber security attacks is growing and our information security solutions need updating to reflect a changed IT infrastructure.
The panel included experts such as General Harry Raduege - former Director of the US Defense Information Systems Agency and currently serving on Presidential and Homeland Security Advisory councils; Tom Noonan - General Manager, Energy Wise Solutions, Cisco Systems; David Aronoff - General Partner at Flybridge Capital Partners; and Peter Swire - Professor of Law and Ethics at Georgia Tech. The panel was moderated by Jeff Leavitt of DLA Piper.
Here are some takeaways about the current threat landscape, the state of cloud and mobile security, and what companies should be doing now to protect their data.
What is the current threat landscape?
Hacking is growing. So is malware. There was a lot of discussion about the need for government to pay attention to critical infrastructure and the interdependency and resilience of systems. The electrical grid, for example, should be an R&D focus for the government and security entrepreneurs. Another threat discussed by the panel: an electromagnetic pulse created by a tactical nuclear device detonated over a major city. It would burn out everything.
What about cloud security and mobile?
Our IT infrastructure is changing. The perimeter has vanished. Cloud offers scalability, but the unintended consequence is that we have magnified the threat surface. Companies now exist in public clouds. So we cannot apply the old security model to this new dynamic. That’s why there is a massive renaissance in the security industry to find new solutions. New security solutions focus on endpoints and automated incident response that helps companies to be resilient.
We now run an application-centric architecture that can be spun up on a server anywhere. What is the purpose of a server? To process data and information, and that is exactly what thieves want: information. Currently there are approximately 12 billion devices holding information, and that number is expected to grow to 50 billion by 2025.
The Internet of Things (IOT)
The figure just cited, 50 billion interconnected devices by 2025, has a lot to do with how our smart phones will become the brains for many interconnected devices in our homes and offices, i.e. the IOT. This creates an intersection of security and privacy that must be addressed.
Cyber Security Lessons from 9/11
General Raduege shared his experience on 9/11 when, as the then Director of the Defense Information Systems Agency, he faced serious communications challenges the day of the attacks. He was giving a breakfast speech in Ohio when the towers started to fall. He could not get through to the White House, Pentagon, or his office.
A while back a CEO group came up with an emergency communications system that would put your call at the top of the queue if you had the code. The Department of Defense (DOD) invested in this and the calls did go through that day, but it was only wired for land lines. So on his way back to the capital, the General had to stop at gas stations to make calls. The lesson learned was to make the system work for mobile so that government and businesses can continue to operate.
Another 9/11 lesson was about the connectedness of physical and cyber security. When a plane hit the Pentagon, the firefighting efforts caused water to leak onto some very important communications equipment in the basement. They were able to cope, but it illuminated the interrelationship between physical and cyber security.
General Raduege also talked about continuity concerns. During the attack, there were vulnerabilities not just to continuity of leadership, but to continuity of operations too. State governments and businesses were also having to cope with communication issues for several hours.
What can businesses do to enhance their information security and resilience?
Here is what the panel says about creating a resilient security plan:
- Trying to be perfect will not work. Assume your information network will be compromised and build your risk management plan with that in mind. There are too many threats from information sharing that includes your trade secrets and IP addresses. It creates identity theft opportunities. Instead of trying to be perfect, make bad guys have to be perfect to get at information.
- Continually encrypt and control data at rest and in action.
- Make your network resilient so that it can self-heal without an impact on your operation.
- Be wary of surveillance proposals from the government demanding that phones and mobile software have a built-in security hole allowing the good guys to get in and evaluate weaknesses. This practice is opening up holes for the bad guys to get in. Why would you purposely build something to be insecure?
- We are living in a porous world. Use data to find the bad guys.
- Figure out who is attacking you and respond with a like attack. Also, prosecute cyber thieves and hold them accountable.
One final takeaway from the panel - put your resources toward protecting your crown jewels: the information most important to your brand. That recommendation alone is worth a chat with your CIO.