For some CISOs, hammering together a strategy to protect the organization’s vital data can be easier than hammering heads at the executive table. Many business leaders still don’t understand what cyber security is or see it as an impediment to the organization’s objectives.
Hewlett Packard Enterprise thinks it has a way infosec pros can get their message across: Explain that cybercrime works as a business – it has ways of making a profit, and the CISO’s job is to make the organization too expensive a target for criminals.
That’s the rationale behind a white paper HPE issued this week called The Business of Hacking. The 20-page document is aimed at the C-suite to help management understand cyber crime in business terms.
In short, says Chandra Rangan, HPE’s vice-president of marketing for security products, executives and line-of-business owners need to understand that, like business competitors, criminals have a supply chain, have to manage a talent pool, do their own marketing and make a profit from selling goods (stolen data) on the black market. Anything that disrupts that chain helps.
So management should realize the goal of infosec pros is to use technology to reduce the profit criminals can realize in attacking the organization, either by increasing the attacker’s cost of doing business or by making what they steal harder to sell. Either way, the hope is that the attacker decides to choose an easier target.
The business lesson for management: “There are things you can do to make it tougher and less lucrative for attackers to go after you,” said Rangan.
CISOs regularly ask the C-suite for more money and/or resources for a tool or process to improve security or reduce the risk of being hacked, “and there has been limited success with that model,” he argued. “What we’re trying to do is reach out to the business leaders and say ‘The types of things you do can have a meaningful impact because it’s increasing the cost of the attacker going after you.’”
Rather than trying to convince management IT can plug every hole, Rangan said infosec pros should instead convince management it’s a matter of weighing the risks and rewards of the right technology and process. Some techniques – adopting internal security controls, limiting access to sensitive data, creating honeypots, using analytics – may help slow a criminal down to the point the attack will be abandoned.
And if there is a breach, the technology (for example, encryption or tokenization) will help reduce the value of the stolen data when the attacker tries to sell it.
It’s an organization’s “duty” to use technology to disrupt the business of hacking on a continuous basis, says the report. “It is critical that an enterprise determine which technologies will be most effective at disrupting the adversaries targeting their unique business.”