[ISN] Cybersecurity: It's Dollars and Sense
isn at c4i.org
Fri Feb 11 03:40:03 EST 2005
By Bill Hancock
FEBRUARY 11, 2005
Few CEOs grasp the case for investing in safeguards against hackers,
worms, and the like. It's every chief information officer's duty to
banish that innocence.
No one really wants to spend money on cybersecurity. Not only is it
technically impossible to completely secure cyberspace, but the
technology is complicated, the vocabulary arcane, and the expertise to
make it happen hard to find -- and even harder to apply. Worse yet,
most managers never learned how to calculate the value of -- and
communicate the business case for -- cybersecurity.
Yes, I realize that overall spending on cybersecurity continues to
increase every year. Yet every executive I know is kicking and
screaming about its cost along the entire way.
45,000 OPEN DOORS. The sad reality is that every computer network has
cybersecurity exposures. This is due in large part to the fact that
most software and computer systems focus on function, not security.
Security is bolted on afterward, using add-ons like firewalls and
intrusion-detection systems. Additionally, the communications methods
used to deliver data are over 30 years old, coming from a time when
security was less of an issue.
Compounding the problem, as software has become more sophisticated,
the code used to write it has grown significantly. Conventional wisdom
says you can expect to find about one bug for every 1,000 lines of
software code -- and any of them may be an opening for hackers. The 45
million-line operating system that runs your computer may have 45,000
ways to be breached by a hacker. These hackers are smart, and most
have much more time to spend attacking you than a typical system
administrator can spend defending against them.
Attacks are also becoming increasingly automated, which compounds the
problem. Computer worms and other autonomous, malicious programs can
attack and infiltrate these complex environments in a relentless,
EASY AS ABC. Most senior executives are aware of these cybersecurity
issues. The problem is that these issues rarely turn into funded
information-technology projects when evaluated against other business
priorities. Sure, every survey of chief information officers says
cybersecurity is one of the very top issues for a company. Yet in most
executive suites, cybersecurity is considered necessary to stay in
business, but not to make the business bigger. So what if a PC gets
hammered by a worm? It won't kill the business, and the expense to
clean it up will be minimal.
There's a way to deal with this dilemma. Chief information officers
need to translate the IT priority of cybersecurity into a business
priority that the CEO can't ignore. The basic framework I've used to
build the business case for cybersecurity I call the ABC's of Security:
Asset protection: Most businesses recognize that they must protect
their physical and intellectual assets. For example, they can't let
someone steal their patents. The same kind of rigor that is applied to
valuing, protecting, and insuring traditional assets needs to be
applied to cyberassets. If someone steals your customer or
product-development database, you could be put out of business.
Brand protection: Every CEO is concerned about the outfit's brand.
CEOs can increase the perceived value of the company through the
equity they build in their brands. What if your company is hit by a
hacker and all the credit-card data from the e-commerce Web site is
compromised? What happens to the value of the brand -- and to your
Compliance: Probably the strongest justification for investing in
cybersecurity is that you don't have a choice: It's the law. Actually,
it's lots of laws. Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB),
the Health Insurance Portability & Accountability Act (HIPAA), and the
USA Patriot Act all have provisions that require securing IT
applications, data, and infrastructure.
SHINING EXAMPLES. Once you've used the ABC's to make cybersecurity a
business priority, what next? While there is no cookbook for
cybersecurity, there are some best practices I've seen at leading
Hire outside experts: The best approach is to integrate your internal
IT expertise about applications, data, and business processes with
outside expertise on how to identify and protect against cyberthreats.
In most cases, you can save money by engaging these cybersecurity
experts on a short-term basis to do periodic assessments, audits, and
updates of your security systems and procedures.
Evaluate your IT suppliers: Ensure that the IT solutions you buy --
whether corporate networks, applications, servers, or storage --
follow the best practices for cybersecurity and can be included in
your "chain of trust" to comply with government regulations.
Take one step at a time: You can't solve all your cybersecurity
problems at once. Build a list of your cybersecurity vulnerabilities
and prioritize the items based on business value. Focus on the
high-value items that keep the business running and allow it to grow.
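One common way to put numbers behind "prioritize the items based on
business value" is the annualized loss expectancy (ALE) model, which
expresses each exposure as expected dollars lost per year and compares
that to the cost of the control that closes it. The Python below is an
added illustration of that model, not code from Hancock's column or
from SAVVIS; the three findings, their dollar values, incident rates
and fix costs are constructed for the example and are not real figures.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    """One entry on the vulnerability list, with the business figures
    needed to rank it. All dollar amounts and rates are estimates that
    the business owners and the security team supply together."""
    name: str
    asset_value: float      # dollar value of the asset at risk
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    annual_rate: float      # expected incidents per year if left unfixed
    fix_cost: float         # annual cost of the control that closes the exposure
    residual_rate: float    # expected incidents per year after the fix

    def sle(self) -> float:
        """Single loss expectancy: dollars lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self, rate: Optional[float] = None) -> float:
        """Annualized loss expectancy at a given incident rate
        (defaults to the unfixed rate)."""
        if rate is None:
            rate = self.annual_rate
        return self.sle() * rate

    def loss_avoided(self) -> float:
        """Expected annual loss removed by the control."""
        return self.ale() - self.ale(self.residual_rate)

    def rosi(self) -> float:
        """Return on security investment:
        (loss avoided - control cost) / control cost.
        Negative means the control costs more than the loss it prevents."""
        if self.fix_cost <= 0:
            raise ValueError("fix_cost must be positive")
        return (self.loss_avoided() - self.fix_cost) / self.fix_cost


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest return first: the items that protect the most business
    value per dollar of control spend go to the top of the list."""
    return sorted(findings, key=lambda f: f.rosi(), reverse=True)


def worth_funding(findings: List[Finding]) -> List[Finding]:
    """Items whose control pays for itself within a year on this model."""
    return [f for f in prioritize(findings) if f.rosi() > 0]


# Constructed sample findings: hypothetical figures for illustration only.
SAMPLE_FINDINGS = [
    Finding("Customer database on unpatched, Internet-reachable server",
            asset_value=2_000_000, exposure_factor=0.5, annual_rate=0.2,
            fix_cost=40_000, residual_rate=0.01),
    Finding("Card data on e-commerce site stored in clear text",
            asset_value=5_000_000, exposure_factor=0.4, annual_rate=0.1,
            fix_cost=120_000, residual_rate=0.01),
    Finding("Worm infections of individual desktop PCs",
            asset_value=50_000, exposure_factor=0.2, annual_rate=2.0,
            fix_cost=25_000, residual_rate=0.5),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"ROSI {f.rosi():6.2f}  ALE ${f.ale():>10,.0f}  "
              f"fix ${f.fix_cost:>8,.0f}  {f.name}")
```

On the constructed figures the customer database comes out first (a
$40,000 control removing $190,000 of expected annual loss), the card
data second, and the desktop worm clean-up last with a negative return,
which is the kind of ranking that lets a CIO show a CEO which items are
worth funding this quarter and which can wait. The model only ranks as
well as its inputs; the asset values and incident rates are the part
that needs the business owners' signature, not the security team's.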
Cybersecurity is a journey, not a destination -- you'll never be
completely done. The important thing is to keep moving forward,
continuously improve, and focus on the details many think aren't so
Bill Hancock is Chief Security Officer of SAVVIS Communications and is
chairman of the FCC's Network Reliability & Interoperability Council
Homeland Security focus group on cybersecurity.