"Information Risk": A New Approach to Information Technology Security
For Corporate Executives and Directors
By: Troy Smith
Nov. 29, 2004 12:00 AM
Understanding the potential benefits and risks of information technology (IT) - particularly information security - has become a mission-critical imperative for today's business leaders. Cyber-attacks, computer abuse, privacy issues, identity theft, and fraud have not only raised the level of corporate awareness, but also ushered in a new wave of regulatory requirements. Cyber-threats and new regulations can both lead to serious consequences for the company and its leadership.
Company executives need to recognize that threats are not simply a technology issue, but have become a serious concern for the enterprise. Addressing information risk and security at an enterprise level requires an approach that cuts across people, processes, and technology. Many companies have invested heavily in security technology solutions, but have not made similar levels of investment in the supporting processes and human resources. Of course, technology is a critical element of an effective security program, but it is not a panacea, as several high-profile breaches have shown.
On August 11, 2003, for example, the "Blaster" computer virus invaded Microsoft, flooding its product support Web site with millions of requests for software updates. The virus created havoc on the Internet, eventually costing businesses and governments upwards of $10 billion. Although serious, an external cyber-attack is only one type of threat - just as critical are internal breaches affecting the confidentiality and integrity of information.
Corporate executives need to take a much more supportive role in IT security to enable the protection of their networks and data. Information risk and security needs to be defined within the organization as a critical function in order to make optimal investments to protect the critical assets.
Sarbanes-Oxley and Other IT Security Wake-Up Calls
A recent survey sponsored by BNX Systems and Institutional Investor found that 25% of CIOs plan to implement identity management software this year. In another survey, the top IT security-related concerns were preventing the identity theft of customers and preserving intellectual property (IP).
One of the most compelling reasons for executive-level attention to information risk is the 2002 enactment of the Sarbanes-Oxley legislation. Section 404 of Sarbanes-Oxley mandates that public company CEOs and CFOs personally vouch for a company's internal control structure, and that board members monitor this process.
One of the primary internal controls of any company is IT security, and companies are making heavy investments in projects related to security controls for compliance with Sarbanes-Oxley. Under Sarbanes-Oxley, executives and board members who knowingly approve nonexistent or ineffective internal controls may face significant penalties, including criminal prosecution. Given these consequences, it is not surprising that the law is driving tremendous interest among management teams and boards of directors in formulating a more comprehensive, organization-wide approach to IT security.
Companies are primarily guarding against worst-case scenarios: a debilitating cyber-attack, noncompliance with Sarbanes-Oxley or other regulations, customer litigation over identity theft, and theft of intellectual property. However, there are positive consequences as well: by conducting risk assessments aligned to the core business processes, companies are also able to develop a business case for investing in information security.
Step 1: Remove IT Security from the IT "Silo"
In general, IT organizations do a reasonably effective job of protecting their infrastructure and information technology assets, but may not be fully aligned with the company's business community. Often, the IT department is asked to manage initiatives that require the support, involvement, or sponsorship of the business, but does not get the business commitment needed to succeed. For example, Role Based Access Control (RBAC) can be a very effective tool for protecting information assets from both internal and external threats. There are certainly technology aspects to implementing RBAC, but to fully achieve the goals the business must be involved. Defining the user roles and making decisions about which systems individuals will be allowed to access is a dangerous role for IT to assume.
To be effective, today's CIO must be a good communicator and advisor, providing information risk and security knowledge to the other executives throughout the organization. In addition to the primary role of providing cost-effective, reliable information services, the CIO needs to also provide advice and the business case for protecting the critical information assets.
Not only will risks be far better understood when IT security is emphasized at the higher levels of the organization, but better investment decisions can be made. For example, spending on big IT projects (including IT security) is finally on the upswing among Fortune 1000 companies. In the past, many large IT projects did not achieve the benefits promised at the start of the project. When strong trusted-advisor relationships are forged between the CIO and the business executives, this is much less likely to occur.
Step 2: Develop an Understanding of the Risk Landscape
An information risk assessment process needs to be integrated into the overall business strategy, and conducted in a continuous and validated manner. When properly designed, the risk assessment process can be performed quickly with a minimum of disruption to the organization. IT risk workshops can be an excellent tool for initializing a comprehensive risk assessment process, and can help develop awareness and buy-in for the process. The overall information risk assessment process needs to provide useful, relevant information and take the organization beyond a "check-box" mentality.
Another concept that has started to gain traction is the regular participation of IT leadership at the board-of-director level. With the members acutely aware of their Sarbanes-Oxley-related liabilities, there is no better time to propose this idea. If the board understands information risk and the company's ability to handle it, then better decisions can be made. For example, many companies defer investments in emerging technologies because they do not understand the risks or how to manage them.
The accounting scandals of 2001 and 2002 ultimately led to the creation of new regulations that required more accounting representation on boards, specifically for audit committee members. Hopefully, it won't take a debilitating IT security disaster to convince more companies that IT knowledge on the board is as crucial as financial or business knowledge.
Step 3: Integrate IT Security with Business Continuity Planning
Clearly, e-commerce businesses and financial services firms have the most significant need to align security and continuity. But companies across all industry sectors have similar issues to varying degrees. For example, the supply chain is a critical business process in most manufacturing companies, and nearly all modern supply chain processes are highly dependent on software and networks to function. If the main supply chain information systems were compromised due to a cyber-attack, the ability to manage the flow of goods and services would be severely hampered. A well-publicized example occurred in 2002 at a major rail transportation company, when a computer virus shut down the central control center. This left the company in a position of very high risk exposure with no way to track the location of their trains, combined with the shut-down of crossing signals in 23 states.
Technology risks affect other areas as well. For instance, much of the physical plant today is highly dependent on technology to operate, e.g., HVAC, elevator service, water controls, automated door access systems, and fire alarms and sprinklers. In the event of a technology failure these types of process and safety systems might not function, unless they were included in the overall business continuity plan.
Step 4: Periodic Assessments for Vulnerabilities
Business changes occur for a number of reasons - e.g., mergers, acquisitions, new customers, regulations - and the information risk and security posture needs to be reassessed in line with the changes. For example, employee access rights to systems need to be monitored and changed if business needs require it. If an employee is terminated, his/her access to systems should be turned off immediately.
A recent example points out the importance of managing this process. A terminated employee planted a logic bomb in the main computer, which, after he left, deleted 10 billion files. This incident was the result of vulnerability within the internal access policies and processes.
In other cases, companies have found that lapses in external network security have allowed their proprietary product information to wind up in the hands of foreign manufacturers who are illegally producing their product. In one instance, a not-for-profit institution did a vulnerability assessment and found that hackers were using its servers as a platform-base to attack other companies. Regular assessments of security across people, processes, and technology will detect these types of incidents, and if done properly reduce the number of incidents in the future.
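One way to put the Step 4 point about terminated-employee access into a repeatable check, as an added example rather than anything from the article: a small reconciliation of an HR roster against a directory account export (both constructed here, with assumed record shapes) that flags accounts still enabled after termination and accounts with no HR owner at all.

```python
"""Reconcile an HR roster against directory accounts to catch access that
outlived employment. Sample data is constructed; the record shapes are
assumptions, not taken from any real HR system or directory product."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str        # "still_enabled" or "orphaned"
    days_overdue: int


# Constructed HR roster: employee id -> termination date (None = still employed)
HR_ROSTER = {
    "e100": None,
    "e101": date(2004, 11, 1),
    "e102": date(2004, 11, 28),
    "e103": None,
}

# Constructed directory export: (account name, owning employee id, enabled flag)
DIRECTORY_ACCOUNTS = [
    ("alice", "e100", True),
    ("bob", "e101", True),         # terminated 1 Nov, never disabled
    ("carol", "e102", False),      # terminated and correctly disabled
    ("dave", "e103", True),
    ("svc_legacy", "e999", True),  # no HR record at all: nobody owns it
]


def reconcile(roster, accounts, today, grace_days=0):
    """Return findings for enabled accounts whose owner was terminated more than
    grace_days ago, or which have no HR owner. The article's standard is
    'immediately', so the default grace window is zero days."""
    findings = []
    for name, emp_id, enabled in accounts:
        if not enabled:
            continue                      # already disabled: nothing to report
        if emp_id not in roster:
            findings.append(Finding(name, "orphaned", 0))
            continue
        term = roster[emp_id]
        if term is not None and (today - term).days > grace_days:
            findings.append(Finding(name, "still_enabled", (today - term).days))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY_ACCOUNTS, date(2004, 11, 29)):
        print(f"{f.account}: {f.issue} ({f.days_overdue} days)")
```

Run against real exports, the same two-list comparison also surfaces the reverse gap: an employee on the roster with no account at all, which usually means access was granted under a name the directory does not tie back to HR.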