Is 'Cyber' Misleading?

Mar 6, 2014 7:15am

by John Glowacki, Chief Strategy and Information Officer, Protexit

Coming out of the holidays, most people will have heard about the intrusions and theft of customer data at Target Corp. and Neiman Marcus Group. The investigations continue, and more facts and hypotheses are being revealed. Stepping back from the details, one wonders how much progress America's businesses are making (or not).

Certainly, there appears to be more attention at all levels. More directors of company boards report regular focus on cyber issues. Nevertheless, crimes such as those perpetrated on Target and Neiman continue. Could it be that only the companies that are obvious targets are focusing on the issue? Could it be that some business leaders still do not understand the breadth and depth of the threat, or their responsibilities (and opportunities) to mitigate it?

One dilemma may be the way "cyber" is used as an umbrella term for a vast set of threats. When people discuss cybersecurity, it is generally in the context of national security, privacy, the financial community, and perhaps the utility industry. It is reasonable to think that retailers are more concerned with physical theft in stores, and that their view of the cyber threat is primarily a threat to the core financial systems in the data center. Yet the systems that handle customer card data are spread across every store, and a point of sale terminal is as much a target as the data center behind it. I have no doubt the IT and security specialists at the violated companies had concerns about threats to the point of sale systems, but was this taken as a potential risk in the risk management processes of company management and the Board? The point here is not to point fingers at the victims du jour. When questioned, most people would not have put retailers at the top of the list for cyber theft -- after all, they are retailers, not in the financial or utility industries.

While we cannot expect all business leaders and company boards to be experts in cybersecurity, there is an obvious need for each of us to raise our awareness of the risks to the systems and data we manage.

All members of company management and overseeing boards, regardless of industry, should assume two things: 1) they are at risk, and 2) they do not know all the threats. While this may seem a bit paranoid, the intent is not to engage in fear mongering -- it is to change the viewpoint of our business leaders. There are threats, you have responsibilities, and the good news is there are things you can do about these issues. Not all mitigations carry hefty price tags, but make no mistake, some amount of your time and attention is needed. Adding a session to the Board's agenda may be all it takes to get things going. If you are not in one of the obviously threatened industries, that is all the more reason to make time to assess the risks and take action. Experience has shown that significant mitigation can be accomplished through changes in processes and a modest investment.

A good tip for approaching the problem is to forget the name "cyber." This is not just a threat to your IT systems; it is a threat to your business, potentially enabled by your IT systems. Sometimes that change in perspective is all it takes.