“Hackers put heat on companies’ tech chiefs,” reads the headline of a recent San Francisco Chronicle article.
Even before the massive Target breach, and the resignation of CIO Beth Jacob, top technology executives were under enormous pressure to counter increasingly frequent and sophisticated network security threats.
But perhaps the CIO or the CTO is the wrong person to be shouldering this burden. A case can be made that cybercriminals have become so clever that traditional network perimeter security is now ineffectual.
“Sophisticated malware… has completely undermined traditional security mechanisms,” according to security expert Joe Patanella, CEO of Trusted Knight Corporation, presenting at Advisen’s Cyber Risk Insights Conference in San Francisco. According to Patanella, new generations of malware, once they have infected a system, are virtually undetectable and highly resilient.
Companies still must do their best to fend off intrusions with software and hardware security measures, but it is increasingly clear that technology alone is not the solution. A theme running through Advisen’s San Francisco conference was that network security is an enterprise-wide responsibility, and that network security leadership must originate at the senior-most levels of an organization.
The good news is a growing number of companies are getting the message. In an Advisen/Zurich survey of U.S. risk managers conducted last October, 80 percent of respondents said that information security was a specific risk management focus within their organizations, and 56 percent said their organizations had a multi-departmental information security risk management team or committee.
Cybercriminals often do not assault a well-fortified network directly, but instead go after weaker access points such as less secure vendors or end users such as employees. The Target data breach appears to have originated with an email phishing attack directed at employees of an HVAC firm that did business with the retailer. Edward Snowden reportedly was able to gain access to classified NSA materials by tricking an employee into giving up his password.
Panelists at the Advisen conference were clear that the onus is on companies to thoroughly vet the network security practices of any vendor or business partner that has system access, and that employee training is essential.
A CIO has little control over an employee who opens a malware-infested email, but with education, far fewer employees will fall victim.