Hitting the cyber security snooze button


When it comes to cyber threats, Bob Turner likes to cite his own variation of a now popular warning: “There are two types of business organizations,” he says, “those who have been hacked and those who don’t know they have been hacked.”

With a full-fledged cyber war underway, that’s more of a cautionary tale than the standard line of “those who have been hacked and those who will be,” but after countless technology system breaches and the associated reputational and financial damage, it’s well past time to ratchet up the alarm.

By now, one would think cyber security would have top-of-mind awareness in both the executive suite and business boardrooms, yet for those attending the 2016 Fusion CEO-CIO Symposium produced by WTN Media, it was hard to escape the actual situation: while many wake-up calls have been issued, business organizations are still hitting the snooze button.

There are several reasons for this, but a persuasive case based on managing risk has to be made to get business leaders to invest in the requisite technology tools, according to Turner, chief information security officer for the University of Wisconsin–Madison. “It becomes an awareness issue and that’s when the leaders and certainly anyone in a position of responsibility in an organization needs to understand that it’s not a question of if, it’s a question of have you already been?” Turner notes.


Turner, who has 35 years of experience in information technology management with Booz Allen Hamilton and others, notes that business boards have a lot of things to worry about: profit and loss, external legislative and litigation risk, and business processes. In the overall scheme of worries, cyber security is relatively small, but it takes on importance beyond the IT department when upper management understands the potential impact. A great deal of the problem, Turner says, is that board members are just not well informed, most likely because they haven’t been close to IT and don’t appreciate the constant volume of attackers probing the enterprise.

“What really has to happen for boards to understand and invest properly in cyber security is to get an appreciation for that risk,” Turner explains. “If the board is not listening to the chief information officer or other C-level executives, the CISO has to come in and, without spreading fear and uncertainty and doubt, at least make sure they understand the risk.”

Mounting cyber threats

During the Fusion conference, Turner was part of a panel that explored topics covered in a new expert guide for C-level executives titled Navigating the Digital Age, a collaboration of security leaders from the New York Stock Exchange and Palo Alto Networks, a technology security company based in Santa Clara, Calif.


In the face of mounting cyber threats, Turner’s advice to fellow technology executives is to understand their organization’s security baseline and manage risk above that baseline. By security baseline, he means the fundamental configurations that should apply to every system. Do you have a firewall? Is your antivirus software actually effective at detecting malware on individual computers and servers? Is critical data encrypted? In terms of processes, do you have in-depth training for new employees? Do users hold credentials appropriate to what they are doing? Are they changing their passwords on a routine basis? Is there periodic user training in response to new threats?

“All of those become components of a robust baseline from which, for higher security levels for the data, you can add on controls,” he notes, “but it will never drop below, in theory, what the baseline level of security is.”
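The baseline-plus-add-ons model Turner describes can be made concrete as a small inventory check. The following Python script is an added example for this article, not code from Turner, UW–Madison, or any of the conference participants; the control names, the three data tiers, and the three sample hosts are all constructed for illustration. It encodes the rule in the quote above: every host must satisfy the baseline, higher data tiers add controls on top, and no tier is ever allowed to drop below the baseline. It then reports which hosts are below baseline (the urgent case), which merely lack tier add-ons, and in what order to fix them.

```python
"""Evaluate hosts against a security baseline plus tiered add-on controls.

Added example for illustration only; control names, tiers and hosts are
assumptions constructed for this script, not data from the article.
"""
from dataclasses import dataclass

# Baseline: configurations every system must have regardless of the data it holds.
# These mirror the questions posed in the article (firewall, effective AV,
# encryption of critical data, training, credentials, password rotation).
BASELINE = frozenset({
    "firewall",
    "antivirus",
    "encryption_at_rest",
    "new_user_training",
    "periodic_training",
    "password_rotation",
    "least_privilege",
})

# Data classification tiers, lowest to highest sensitivity (assumed names).
TIER_ORDER = ("public", "internal", "restricted")

# Add-on controls introduced at each tier. A tier inherits the add-ons of every
# lower tier, so "restricted" requires baseline + mfa + the two listed here.
TIER_ADDONS = {
    "public": frozenset(),
    "internal": frozenset({"mfa"}),
    "restricted": frozenset({"centralized_logging", "encryption_in_transit"}),
}


def required_controls(tier):
    """Return the full control set for a tier: baseline plus cumulative add-ons."""
    if tier not in TIER_ORDER:
        raise ValueError(f"unknown data tier: {tier!r}")
    required = set(BASELINE)
    for lower_or_equal in TIER_ORDER[: TIER_ORDER.index(tier) + 1]:
        required |= TIER_ADDONS[lower_or_equal]
    return frozenset(required)


@dataclass(frozen=True)
class Host:
    name: str
    tier: str
    controls: frozenset  # controls verified present on this host


def evaluate(host):
    """Return (missing_baseline, missing_addons) for a host.

    Baseline gaps are separated from add-on gaps because a baseline gap means
    the host has fallen below the floor that applies to every system.
    """
    missing = required_controls(host.tier) - host.controls
    return frozenset(missing & BASELINE), frozenset(missing - BASELINE)


def status(host):
    """Summarise a host as below_baseline, missing_addons or compliant."""
    missing_baseline, missing_addons = evaluate(host)
    if missing_baseline:
        return "below_baseline"
    if missing_addons:
        return "missing_addons"
    return "compliant"


def prioritize(hosts):
    """Order hosts for remediation: baseline gaps first, then add-on gaps on
    the most sensitive tiers, then compliant hosts; ties broken by name."""
    rank = {"below_baseline": 0, "missing_addons": 1, "compliant": 2}
    ordered = sorted(
        hosts,
        key=lambda h: (rank[status(h)], -TIER_ORDER.index(h.tier), h.name),
    )
    return [h.name for h in ordered]


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("web-01", "public", BASELINE),
    Host("lms-db-01", "restricted", BASELINE | {"mfa"}),
    Host("lab-pc-07", "internal", (BASELINE - {"antivirus", "password_rotation"}) | {"mfa"}),
]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        missing_baseline, missing_addons = evaluate(host)
        print(f"{host.name:10} {host.tier:10} {status(host):15} "
              f"baseline gaps={sorted(missing_baseline)} add-on gaps={sorted(missing_addons)}")
    print("remediation order:", prioritize(SAMPLE_HOSTS))
```

Run as-is, the script flags the lab PC (missing antivirus and password rotation) ahead of the restricted-tier database that only lacks its add-on logging and transport encryption, which is the ordering a risk-based argument to the board would want: fix anything below the floor before adding controls on top of it.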

Now that Turner is with a major research university, the nature of risk has changed but the level of risk remains. When he thinks about the economic impact that UW–Madison has on the state, including the billions of dollars worth of research conducted here and the responsibility for educating 43,000 students, his mind is centered on the risk of having its teaching and learning-management systems attacked and becoming unavailable or corrupted.

Breaches at colleges and universities have been occurring with greater frequency over the past 12 to 14 months. The threat is highlighted by a recent breach at the University of Central Florida in which the personal information of 63,000 students and faculty members was compromised.

“If our research systems get hacked or our network as a whole gets hacked, and the researchers and the scientists can’t perform that level of research, there are two threads,” Turner notes. “We could lose the research dollars, which is a risk, or the research that we do conduct could be compromised and we could lose the residual value for patents on inventions that are created out of the research or the continued granting of research programs and research dollars by granters or federal agencies or other research sponsors.”

Health care providers also are at risk, with potentially profound consequences. During the Fusion conference, Josh Yost, systems engineering manager for the North Central U.S. at Palo Alto Networks, said cyber security must become a board-level conversation and can no longer be relegated to the IT department. He cited a West Coast hospital, Hollywood Presbyterian Medical Center, that was hacked using just commodity malware, with the hackers demanding more than $3 million to restore the system to normal. The breach limited doctors’ ability to access patient records and virtually shut down the organization. The hospital was reduced to using pencils, fax machines, and paper. “That’s untenable,” Yost says.

Tony Sheridan, CISO for CUNA Mutual Group in Madison, notes that business boards are bombarded with many conflicting messages from regulators and the market. “Boards are wary of Chicken Little warnings — the sky is falling so we need more money for this,” Sheridan adds. “You have to show them return on investment. Without a strong business case, their temptation is to ignore cyber security.”

Bill Nash, CISO for the Wisconsin Department of Administration, says that better educating boards starts with known incidents and the likely outcomes. “Explain the consequences [of data loss], whether they be regulatory or the need to notify customers,” he advises. “Notification comes with a cost. Then you have to invest in identity monitoring for the people who have been the victims of a breach.

“You have to have that conversation about risk with the business people. Enumerating the risk and identifying the associated costs is the best way to approach it.”

Writer Joe Vanden Plas, editorial director for In Business magazine, covered Fusion 2016 for WTN Media and In Business.
