For a giant electronics company trying to adapt to the Internet age, it was the nightmare scenario. In April 2011, Sony Corp. revealed that hackers had broken into its online gaming PlayStation system and stolen the personal information of 77 million users, including names, addresses, birthdates, email addresses and Sony logins and passwords.
Worse, Sony revealed that it hadn’t even encrypted its customer personal information—the digital equivalent of leaving the office unlocked at night with the customer files sitting in the lobby. A tide of bad press and a class action lawsuit followed.
While a disaster for Sony, the episode illustrated the massive new challenges companies face in an age of connectivity—and the spectacular consequences of inadequate information security. That’s why few professions have risen in stature over the past decade as rapidly as that of chief information security officer (CISO). Once a backwater of IT departments, the growth of organizations determined to exploit the weaknesses of connectivity and the expansion of technology have made information security groups a mainstay not only of technology companies but firms in industries as far flung as financial services, manufacturing, and transportation. With information security threats growing so large that they can paralyze large companies for days and permanently tarnish brands, top security executives are no longer just running virus scans but addressing the board of directors and planning multimillion-dollar investments. As a result, those in charge of information security need skills far beyond those they use at their keyboard.
“A decade ago this used to be completely a technical job,” said Hans Brechbühl, executive director of the Center for Digital Strategies at Dartmouth’s Tuck School of Business. “It was a technician in a back office who was responsible for maintaining a firewall and lecturing employees about how they should take care of their thumb drive and shouldn’t visit bad websites. Now it’s an executive-level position at many companies and requires the skills that go with that.”
Global spending on information security grew to $60 billion last year, giving it revenues equivalent to the global movie industry, and the figure is expected to rise to $86 billion in 2016. The growth has been driven largely by three trends: the rapidly increasing sophistication of cyber-criminals; the spread of connectivity to industrial machinery of all types; the emergence of Bring Your Own Device (BYOD) work environments; and the blending of personal and business lives on smartphones, tablets, and laptops.
All this has meant the technical background of yesterday’s information security chief is hardly sufficient to cope with today’s challenges. CISOs need to be able to think strategically about risk across the company and make economic judgments about the potential likelihood and damage of attacks. They also need to have the analysis and presentation skills to persuade board members and other executives of the need for multimillion-dollar investments in an area of the business that doesn’t generate revenue. Finally, they need to be able to engage and influence others in their company whom they do not directly supervise to minimize risks in areas ranging from production to sales to distribution.
As the Sony hack demonstrates, information security risk has become one of the largest areas of risk for many companies, particularly those that hold lots of consumer data or intellectual property in digital form. In the past, information security techs were notorious for focusing on technical pet-peeves when dealing with threats; today their risk assessment has to be much more sophisticated. Vulnerabilities must be categorized both by the scale of harm that can be caused and the likelihood that they’ll be exploited. Modeling such risks and evaluating the potential economic fallout has traditionally been outside the scope of the technical-oriented information security chiefs of yesteryear.
“Today these folks really have to understand the risks of a company and sort out which are the more dangerous,” said M. Eric Johnson, faculty director of the Center for Digital Strategies and an associate dean of the Tuck School of Business. “At one point it was a pretty narrow specific function of keeping the firewall up and now it ends up interfacing a broader set of risks in the organization.”
The job’s rising stature also means today’s CISOs are trading their t-shirts for business suits to brief boards of directors. This requires speaking the language of business in a persuasive manner and presenting information in a format that can be digested by those who often have extensive financial acumen but limited technical knowledge.
That’s important when arguing for investments in security architecture that don’t grow the company’s top line. “They’re before the board competing with revenue creating investment opportunities and that’s a hard argument to make,” said Brechbühl. “Hiring a bunch of new security engineers or buying a million-dollar piece of protection software isn’t nearly as fun for everybody to talk about as an investment that’s going to raise revenue. This is a much more difficult thing to do.”
It’s not just other executives and board directors that CISOs need to influence, however. There is now widespread recognition that the largest information security risks are often not technical but human. That means CISOs need to do more than evaluate the latest malware programs but encourage good security hygiene throughout the organization.
Security precautions are often viewed as a hindrance to working efficiently. At German engineering and technical services firm TUV, a group wanted to work collaboratively with two teams from different companies on a project. Each team asked their respective IT department to provide secure facilities, which the IT department told them would take about a month to complete. Since the engineers on the project didn’t want to wait for the secure site, they just set up a file-sharing site in Google docs and began work—a move that negated the company’s security efforts. “People get enormously creative in bypassing security as soon as it gets annoying,” said Oliver Weissman, vice president for information security at the company.
Logging off computers each night or remembering complicated passwords is a hassle—yet with the stakes now so high CISOs must develop ways to change the behaviors of those who don’t directly report to them.
“Many of the efforts you see now are in training and creating secure cultures across the whole organization,” said Brechbühl. “They really need the ability to talk to the rest of the company in a language that their colleagues can understand without constantly being perceived as the gloomy one who nobody wants to listen to.”
These aren’t the types of skills typically taught in the computer science or engineering programs from which many information security experts emerge. Yet ramping up these softer abilities is more vital than ever. From the People’s Liberation Army to sophisticated Russian organized crime operations to hacker groups like Anonymous, companies are facing threats from groups with levels of technical know-how and resources previously unseen. Meanwhile the integration of work and personal lives on mobile devices means that employees are accessing social media, entertainment apps. and a range of websites on the same consumer device that connects to their company’s data, opening a plethora of new avenues of attack for hackers.
“Consumerization magnifies the reality that 80 percent of your information security risk is about people, not things,” said Eric Cowperthwaite, chief information security officer at Providence Health and Services.
The rising threat has come as a huge new array of machines from hydropower turbines to security cameras to insulin pumps are being connected to networks—making them increasingly vulnerable to cyber-threats and increasing exponentially the harm that can be caused by an attack.
“Over the last two to three years there’s been a realization that almost every large company and government has been infiltrated,” said Johnson. “That realization was kind of a wake-up for a lot of companies, and now they need to make sure the people defending them are equipped to deal with the threats.”
The Center for Digital Strategies at Dartmouth’s Tuck School of Business runs CISO Workshops for European and American Global 1000 information executives. The Center and Tuck Executive Education also offer a course for CISOs and their direct reports, Business Engagement and the Information Security Professional. April 9-12, 2013. Information is available: Brechbühl can be reached at Hans.Brechbuhl@dartmouth.edu and Johnson can be reached at M.Eric.Johnson@tuck.dartmouth.edu.