Lately companies have been curtailing their IT spending, but there is a hidden cost. For years security was an afterthought and as a result lagged far behind the rest of IT in dollars spent. The result today is less than ideal corporate security and little money directed at fixing the problem.
Mark Doll, the New York-based Americas director of Ernst & Young’s Security Services, recently spoke in Toronto, in part to promote his new book, Defending the Digital Frontier, and in part to pass on his insight, gathered from years of experience.
He says the biggest factor inhibiting IT security is related to a lack of spending. Doll told the audience of a conversation he had with a CEO, whose company spends US$3 billion annually on IT. When asked about his company’s level of security he told Doll, “I never even thought if it was secure or not.”
In fact, over the past several years (until the recent economic downturn) there has been a 22 per cent annual increase in corporate IT spending, while security-specific spending has risen only one per cent. The gap has to be made up, Doll said.
“We are in a deep sense of denial in the boardroom that we actually have a security problem. We have to get past [it].”
He said Ernst & Young’s own white hat hackers paint a scary picture. A third of the time they hack into companies, they find that they are not the only hackers there. It takes the white hats an average of eight minutes to get into most Fortune 1,000 companies.
Doll outlined a six-part strategy designed to bring security into the corporate fold. The first security characteristic is to “attain and maintain the appropriate alignment between digital security…and business objectives to guarantee focus on the overall objectives of the organization,” he wrote in his book. Part of this can be done by reducing the number of levels between the CEO and security decision makers. “Good solid organizations have that compressed,” he said.
In some cases those responsible for security have direct, or very close to direct, contact with the CEO, he said. Often CEOs have no idea how bad a situation can become if there are too many layers insulating them from security reality.
Second on the list is the need to have an enterprise-wide strategy, one which includes customers and partners, because often their problems can become yours. Security also has to be “baked in” to outsourcing contracts. This is a shift in thinking since most outsourcing deals focus on cost reduction or increased efficiencies, not security, he said.
Doll also suggests continuous, real-time system monitoring. “Annual is not enough,” he said. Doll admits this is a challenge, but one in which there is no other viable alternative since threats and vulnerabilities can become full-fledged attacks in a matter of days or hours.
Fourth, companies need to be proactive so they can anticipate potential threats, not just react to them. One common problem is that companies often overspend on issues that never happen again. “Lightning very rarely strikes exactly the same way twice,” Doll explained. So companies need to spend less on what just got hit, and more on what is likely to get hit next.
From the outside
Doll is also a firm believer in the concept of third-party validation. Internal validation is never wise as a sole strategy, as it tends to create blind faith. Third-party validation also helps organizations rid themselves of the “emperor’s new clothes” scenario.
Often, Doll said, when CEOs are asked whether their company is secure, they just repeat what the CIO told them, since they really don’t know. Having outside help might put them in the loop.
The final strategy, and one Doll stresses, is to create a workable, formal security contingency plan. A 3,000-page binder sitting on a shelf collecting dust helps no one. He said to limit the book to “something that people actually read,” 10 pages, ideally, but no more than 20. He warns not to over-engineer by creating a system where every chair is restacked. Corporate-wide buy-in is useful, but only those who have an actual job to do in the event of a security problem need to be part of the plan.
Where corporations often fail, even those which spend enough, is with the allocation of funds. Today companies spend 90 per cent of their security budget on technology, Doll said. This is way out of whack. “The next dollar you spend won’t help you at all,” he said.
He suggests a 40/40/20 division of the pie – 40 on people and training, 40 on corporate processes, and the final 20 on technology.
An important part of training is making sure an employee knows who to call if there is a security event. If Windows suddenly reboots, most employees just continue on with their work. But if there is a number to call when it occurs, a pattern can be established. Security can then quickly ascertain whether it is a lone event or part of a larger problem. In most companies it takes too long to understand that there is a security problem, and by the time they do it, it is too late – the attack is either well under way or, worse still, gone without a trace and assumed to never have occurred.
Doll said companies need to create a corporate security structure which takes all of this into consideration without going overboard with paranoia.
“Stop thinking about events that kill everyone in your industry,” he said. The key is to understand where your corporation is relative to your competitors, but not to focus solely on this, he said.
He cites the case of Charles Schwab and Merrill Lynch. On the surface there are a lot of similarities between the companies but digging down to security needs, the differences become apparent. While Schwab is 90 per cent Web based, Lynch is only 30 per cent. Because of this Schwab obviously needs to spend more security time and money focusing on the Web.
Doll added one pearl of wisdom at the end of his talk. When things go wrong, and at some point they probably will, don’t panic. In the first 45 minutes, sit down and get a cup of coffee.
“Get relaxed, ’cause you’re gonna have a long day.”