CIOs Make Tough Calls on the Cost of Cyber Security

From: Wall Street Journal/CIO Journal

Joel Schectman

As the number and sophistication of hacker attacks on major corporations continues to increase, security is moving from a functional IT area, often below the paygrade of CIOs, to strategic importance at the highest levels of corporations. “IT security’s rise from being a functional area to a board level concern is maybe the fastest I’ve ever seen,” Thomas Sanzone, senior vice president of consulting firm Booz Allen Hamilton Inc., told CIO Journal.

A survey released earlier this week of 650 bank IT managers found 64% faced distributed denial of service (DDoS) attacks over the past year, in which hackers flood a company’s Web servers with traffic in order to disrupt service. The study, by the security research firm Ponemon Institute, found 43% believed the attacks would either grow worse or significantly worse over the next year.

To respond to elevated threats, companies are making larger security investments and adding security management to C-level portfolios. Celso Guiotoko, CIO of Nissan Motor Co. Ltd., said the company has begun to invest more in security as “the level of targeted attacks is increasing.” And to respond to the heightened security risk, Manish Kapoor, a senior vice president of information systems at pipeline operator NuStar Energy L.P., said the company recently added a cyber security officer.

As IT security becomes a strategic level concern, CIOs are being called on to make tough decisions on cost and benefit, Andrew Rose, a Forrester Research analyst said. “It’s moving from an information security guy who may be very comfortable talking about firewalls. Now he has to stand up and describe a three year plan, which can be pretty intimidating.”

For example, a CIO may have to decide what level of security investment a company needs to safely roll out a mobile platform, Mr. Rose said. He may decide that the necessary security costs, weighed against the potential profit, make the rollout untenable, and he may recommend the CEO scrap it. The CIO also may decide that the cost of a possible attack won’t be as much as the cost of the investment, and recommend looser security measures.

Banks tend to harden their online security to a far larger extent than retailers, said Vishwanath Ramarao, chief technology officer of Impermium, a security firm. Speaking at an O’Reilly Media Inc. webcast on data security, Mr. Ramarao said companies are increasingly using Big Data to flag suspicious traffic patterns that could indicate an attack is underway. A spike in use from a particular browser version or device type, automatically detected by a system that compares those patterns against a baseline, can give advance warning to an administrator, Mr. Ramarao said. While banks are investing more heavily in this technology, which he describes as “machine learning,” retailers are more inclined to purchase off-the-shelf tools that adapt more slowly to shifting attacks, Mr. Ramarao said.
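The baseline comparison Mr. Ramarao describes can be shown in a small, self-contained form. The following is an added example, not code from the article, from Impermium, or from any of the companies quoted: it profiles request volume per browser family over several historical windows, then flags any family whose count in the current window is far above its baseline, or that never appeared in the baseline at all. The log lines, user-agent strings, and thresholds (z-score of 3, minimum count of 5, standard-deviation floor of 1) are all constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed user-agent strings (abbreviated); not taken from any real log.
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/29.0.1547 Safari/537.36"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
UA_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30 Version/6.0.5 Safari/536.30"
UA_LEGACY = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def make_window(counts):
    """Build one window of constructed access-log lines from {user_agent: count}.
    Each line is '<epoch> <status> <user agent>'."""
    lines = []
    for ua, n in counts.items():
        lines.extend(f"1380000000 200 {ua}" for _ in range(n))
    return lines


# Three historical one-hour windows form the baseline; CURRENT is the window
# under inspection. Firefox traffic triples and an unseen legacy browser
# appears, while Chrome and Safari stay near their usual volume.
HISTORY = [
    make_window({UA_CHROME: 70, UA_FIREFOX: 20, UA_SAFARI: 10}),
    make_window({UA_CHROME: 68, UA_FIREFOX: 22, UA_SAFARI: 10}),
    make_window({UA_CHROME: 72, UA_FIREFOX: 18, UA_SAFARI: 10}),
]
CURRENT = make_window({UA_CHROME: 71, UA_FIREFOX: 60, UA_SAFARI: 11, UA_LEGACY: 400})


def browser_family(user_agent):
    """Coarse browser family. Order matters: Chrome UAs also contain 'Safari/'."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    if "Safari/" in user_agent:
        return "Safari"
    if "MSIE " in user_agent:
        return "MSIE"
    return "Other"


def profile(lines):
    """Count requests per browser family in one window of log lines."""
    counts = Counter()
    for line in lines:
        _ts, _status, ua = line.split(" ", 2)
        counts[browser_family(ua)] += 1
    return counts


def build_baseline(windows, std_floor=1.0):
    """Per-family mean and population standard deviation of counts across windows.
    A family absent from a window counts as 0 there. The std is floored so a
    perfectly steady family (std 0) cannot yield an infinite z-score."""
    profiles = [profile(w) for w in windows]
    families = set().union(*profiles)
    stats = {}
    for fam in families:
        series = [p.get(fam, 0) for p in profiles]
        stats[fam] = (mean(series), max(pstdev(series), std_floor))
    return stats


def detect_spikes(baseline, current_counts, z_threshold=3.0, min_count=5):
    """Flag families whose current count is a spike over baseline (z above the
    threshold) or that never appeared in the baseline (reported with z=None).
    Families below min_count are ignored to suppress noise from stray requests."""
    findings = []
    for fam, count in current_counts.items():
        if count < min_count:
            continue
        if fam not in baseline:
            findings.append({"family": fam, "count": count, "expected": 0.0, "z": None})
            continue
        mu, sigma = baseline[fam]
        z = (count - mu) / sigma
        if z > z_threshold:
            findings.append({"family": fam, "count": count, "expected": mu, "z": z})
    return sorted(findings, key=lambda f: f["family"])


def run_detection(history=HISTORY, current=CURRENT):
    """Profile the current window against the baseline built from history."""
    return detect_spikes(build_baseline(history), profile(current))


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

Running it reports two findings: Firefox at 60 requests against an expected 20 (a z-score around 24), and MSIE at 400 requests with no baseline at all. Chrome at 71 (z about 0.6) and Safari at 11 (z of 1.0, thanks to the floored standard deviation) stay quiet. In production the same shape applies to any dimension the article mentions, such as device type or browser version, with the baseline rebuilt on a rolling schedule so it tracks legitimate shifts in traffic.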

Mr. Rose, the Forrester analyst, said the difference in risk tolerances among industries informs strategic decisions about how to invest in security. In the event of an intrusion, banks instantly can suffer millions of dollars in losses, whereas retailers are more likely to face a temporary sales disruption. “In the end of the day IT security is just another business risk that needs to be managed,” Mr. Rose said.
