Print this article | Return to Article | Return to CFO.com
Hacking incidents and other computer-systems breaches are on the rise. But will they reach C-level?
Scott Leibs, CFO Magazine
March 1, 2003
Even before the so-called SQL Slammer worm choked Internet traffic in mid-January, two organizations that gather reports of vulnerabilities (exploitable cracks in IT infrastructures) and intrusions (viruses, worms, hacker attacks) had released new figures that gave cause for concern. The CERT Coordination Center at Carnegie Mellon University showed reported vulnerabilities nearly doubling and actual incidents up by 56 percent. Symantec Corp., a computer-security products and services firm that not only tracks client reports but also gathers data from various computer-security groups, found a similar rise in vulnerabilities but a slight decline in cyber attacks — from 32 per company per week to a mere 30.
The financial losses are impossible to quantify, although that hasn't stopped some organizations from trying. The Computer Security Institute puts the aggregate corporate losses during the past five years at $1 billion-plus, but differences in how companies arrive at their individual figures — not to mention the refusal of many to cite a figure at all — almost certainly mean the true cost is much higher.
Ever-present external threats aren't the only issue affecting computer security: regulatory pressure continues to mount. Next month, final HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations go into effect, forcing not only health-care providers but also insurance companies and employers that self-insure to adopt stringent measures for protecting client/employee data. Liability issues extend beyond health care, as Eli Lilly & Co. and Microsoft Corp. discovered last year when the Federal Trade Commission (FTC) found both at fault for mishandling consumer data. In January, concerns about privacy even trumped worries about terrorism, when the Senate voted to restrict the Pentagon's Total Information Awareness program, which addresses in part how data can and can't be shared among various government entities.
Computer security, therefore, is being driven not only by companies' need to protect themselves from the explicit damage a hacking incident or other security violation may cause but also by potential liability — regulatory, contractual, or criminal. To some degree, of course, the solution is technological, and many efforts are under way to make computers more impenetrable and violations easier to track. In January, researchers at the University of Buffalo announced they were developing a new class of software that would profile network users and spot deviations in behavior that could signal ill intent. In the commercial sector, new products announced that same month ranged from Symantec's ManHunt Smart Agent to an automated approach to patch management from Ecora Corp.
In fact, the Web sites of nearly every computer-security software or services firm tout recently unveiled products. But many experts say the explosion in security products is part of the problem, because it encourages ad hoc buying at the expense of a sensible strategy. Mark Doll, Americas director of security and technology solutions for Ernst & Young LLP and co-author of Defending the Digital Frontier, says that only 10 to 20 percent of the largest global companies have a stated strategy for computer security. "Many more have a sort of overarching technical theme," he says, "but they fail to relate it to the overall risk posture of the organization."
While Doll favors the creation of a C-level security post, absent such a position (economic conditions don't favor the creation of such a role, and some companies have actually eliminated the title), he says that a CFO or COO can work with more technically oriented staff to develop policies that protect the organization without limiting its operations. The value of a C-level executive's involvement, he says, hinges on his or her awareness that security must be balanced against business opportunity. "A company could improve its security dramatically by simply disconnecting from the Internet," says Doll, "but obviously that isn't going to happen."
A Need for Disclosure
What will happen, argues Mark Bouchard, an analyst at Meta Group Inc., is growing top-down pressure to implement an adaptive security architecture that addresses policies and procedures, and to communicate that policy publicly. "Major accounting firms now recommend that clients disclose their security plans in much the same way they disclose financial performance." Many companies disclosed their Y2K-preparedness at length, he says, and security is analogous.
Creating a security program or architecture is time-consuming and potentially frustrating, because certain underlying standards don't yet exist. But Bouchard says companies can take action now. Because the goals of the organization provide the foundation, C-level and even board-level involvement is critical. "Full implementation of a strategic plan takes up to three years," says Mike Bilger, global practice leader for IBM's security and privacy services unit, "but your security improves as you go, so you begin to see benefits immediately."
A good plan, experts agree, is one that is flexible and reviewed often, because new technologies and changes in business strategy invariably affect the efficacy of current approaches. Bouchard says such a plan would draw a firm distinction between the blueprint, which should be visible and manageable, and the underlying details, such as standards for firewalls, intrusion detection, and the many other facets of actual implementation.
"Without a 'living document' of this sort," he says, "companies waste resources, introduce new vulnerabilities even as they fix old ones, and leave themselves unprepared should a regulatory mandate come down that requires companies to have security architectures in place."
Indeed, the FTC's actions against Microsoft and Eli Lilly focused not on monetary fines but on a requirement that the companies establish and maintain security programs. If that's a sign of where things are headed, then companies should be as wary of the "Washington Whammy" as they are of the SQL Slammer.
Security Ins and Outs
As with any other facet of IT, security is a function that can be outsourced. Managed security services providers (MSSPs), like their application service provider cousins, have had a rough time of it of late, but Gartner predicts 17 percent market growth this year, up from 10 percent last year. Eric Hemmendinger, research director for security and privacy at consulting firm Aberdeen Group Inc., says the companies that have survived have learned valuable lessons and may be poised to grow. "A lot of [venture capital] money was poured into this space in the late '90s," he says, "and companies generally took one of two tracks, either focusing on a specific security need, such as intrusion detection, or on a family of products and services."
In part, the focused companies had better success because customers were wary of outsourced solutions that reached too far into the enterprise — they felt more secure with services that protected the edge of the network but did not, for example, monitor internal traffic or otherwise touch the "family jewels" of corporate data. And yet, "once clients get comfortable with a vendor providing a limited service," says Hemmendinger, "they often look to that company to provide additional services. So we may see some M&A activity among these focused companies as they try to broaden their offerings."
Leading makers of security software, such as Symantec and ISS, also act as MSSPs; their software revenues provide financial stability, although analysts say that to succeed as MSSPs they must move beyond a reliance on their own products and become technology-agnostic.
Major outsourcing firms, including IBM and EDS, also offer security services, which may prompt a CFO to ask: What level of security are such firms providing for routine IT outsourcing arrangements? Security expert Mark Doll says CFOs must scrutinize contracts because "in general, outsourcing deals are designed to reward efficiency, not security." Some analysts say that outsourcers do take security seriously, because of the devastating publicity a hacker attack would produce. Kelly Kavanagh, a Gartner analyst focused on security, agrees that most service-level agreements for routine IT outsourcing balance security with efficiency. However, he recommends that contracts clearly spell out who is responsible for what forms of protection, because "it can be tough to determine how an intrusion happened, and even tougher to assign blame." —S.L.