Cyber Security: New Threats, a New Approach

William Stewart, Executive Vice President, Booz Allen Hamilton

William Stewart, Executive Vice President, Booz Allen Hamilton

Cyber risk–the threat of a data breach–has become an everyday reality and a Board-level priority. And now it is about to get personal. Threats are growing: the “attack surface” is changing to include even wearable devices. For the senior technology executive (CIO, CTO, CISO, CRO), the future of cyber security is both daunting and encouraging. We are learning how to anticipate potential attacks. But there are several areas where the c-suite must step up its game.

Something happened last year that raised the stakes. Re­ports of data breaches blew up. Cyber went mainstream–the subject of daily headlines, a dinner table topic. U.S. data breaches hit a record high of 783 reported incidents in 2014 according to the Identity Theft Resource Center. That is a 27.5 percent one-year increase.

When a portion of downtown Washington, DC, lost power earlier this year, immediate specula­tion was that a cyber attack was to blame–not weather, equipment failure or a fire. What was once the stuff of “what if?” specula­tion or obscure contingency planning is now common.

As the cyber threat went mainstream, it went upstream. Data protection became a top priority for the c-suite. It evolved from an item on the “to do” list to a Board level concern. The risk of a cyber attack – and a bungled response – became one of the threshold issues that could shorten the tenure of a CEO.

Yet with one attack after another, there was some good news. We learned. Some compa­nies learned the hard way; now, many others are now quietly going about approaching cyber security in a different manner. Tired of being a step behind, senior technology executives are gravitating to a more active, anticipatory approach to prepar­edness and defense, one that looks over the horizon at emerg­ing criminal patterns and active threat actors.

The shift is similar to what took place in natural disaster response, where use of predictive weather data now enables communities to take preventive measures before the storm hits.

And if the cyber threat was waiting for us to catch up, or­ganizations would be in great shape. But that is not the case.

The “attack surface” is about to fundamentally change. And this is where cyber security will get personal.

In the months ahead, organizations will begin to face new threats to medical data, connected vehicles, mobile payments and “Internet of Things” devices. Emerging technologies like wearables create new risks: employees may come to work wearing a compromised smart watch. They may pull their hacked connected vehicle into the company parking garage.

Something as far removed from the cor­porate IT ecosystem as a chip-embedded laundry detergent container, sitting in an employee’s laundry room, is a vulnerability waiting to be exploited.

This scenario adds a third di­mension to the traditional inside or outside the firewall environ­ments–a risk that floats between the two. And it requires another layer of preparedness. Now, an employee’s personal posses­sions–not just their company pro­vided laptop or even their BYOD smartphone–create risk.

To prepare for what lies ahead, senior technology leaders must elevate their organization’s approach in five areas:

Defense: get active – It is an emerg­ing trend that any technology executive must follow: the adoption of a more dynamic, proactive approach to cyber security. “Active defense” measures employing an intel-to-operations model are now a requirement, not an experi­ment. Cyber strategies now use real-time intelligence and assessment data to shape decision making, fine-tune defenses and preempt threats.

Leadership: syndicate the risk – Too often, the cyber threat is treated as an IT problem requiring an IT solution. Yet as the stakes grow higher, cyber attacks now touch every part of the or­ganization. Product development, or­ganizational strategy, HR, legal, marketing: they all play a role in preparedness, defense and response. It is critical that risk and responsibility be spread out across the organiza­tion. Anything less will result in a flawed approach–and a po­tentially shortened tenure for the senior technology executive.

Systems, product development: think cyber – Historically, speed-to-market has been the number one imper­ative driving everything from product design to systems implementation. Cy­ber security considerations were once an afterthought: now, they are becom­ing a consideration, albeit one that is largely retroactive. IT leadership must lead a fundamental shift to “embedded security,” with cyber defense a driver of product and systems development, rath­er than a bolt-on. This shift is particu­larly important as the Internet of Things expands the attack surface.


response:cut through the hype – With cyber a mainstream and Board-level issue, the market is crowded with compa­nies pitching “incident response” capabilities. For the corporate buyer, it is a hype-fueled, “buyer beware” envi­ronment. Does the incident response of­fer include the right balance of multidis­ciplinary expertise needed–like crisis communications, legal, policy, business and technical? What about the people behind itand the proposed step-by-step methodology? With the stakes growing higher, leaders must take a discerning look at incident response solutions.

Preparation: practice or perish – An effective cyber response requires two behaviors that do not come natural­ly to large organizations. First, differ­ent areas like individual business units, legal, HR and marketing must work to­gether around an issue where there has been little collaboration. Second, they must do so quickly, with an operational velocity that is often lacking in the day-to-day business. Practice–through col­laborative planning and real-time simu­lation drills–is the only way to achieve the required level of readiness. Without practice, you will fail.

There is little doubt: we are enter­ing an entirely new phase in the fight against cyber a ttacks. Heightened ac­tivity, public concern and Board-level scrutiny have made cyber security a top priority, while driving advancements in preparedness, defense, detection and response. But with new, “personal” cy­ber threats looming, now is the time for the c-suite to rethink its approach. By doing so, they can avoid learning the hard way.

Check out: Top Cyber Security Technology Companies

Weekly Brief

Read Also

Fighting Fraud is a Combination of Effective Preventive Systems, Use of Skillful Staff and Employee Awareness

Fighting Fraud is a Combination of Effective Preventive Systems,...

Kim Siren, Head of Fraud Management at OP Financial Group
Intentionality Is The Key To Increasing Diversity In Information Technology

Intentionality Is The Key To Increasing Diversity In Information...

Rosemarie Lee, Vice President and Chief Information Security Officer at BlueCross BlueShield of Tennessee