CEOs AND CYBER DEFENSE: THE NEW REALITY. Top executives need to be the main drivers of effective data protection for their companies

Transcription

1 SPECIAL ADVERTISING SECTION businessweek.com/adsections S1 CEOs AND CYBER DEFENSE: THE NEW REALITY Top executives need to be the main drivers of effective data protection for their companies It wasn t long ago when getting hacked meant headaches mainly for a company s IT team. Top-level executives could often remain aloof from such bit-and-byte affairs and trust their tech wizards to squash any crisis before it became a true business concern. Those days are gone. Today, cybercrime costs businesses almost $450 billion globally, and $100 billion in the U.S. each year. And those figures are rising. The 2015 Cost of Data Breach Study by IBM and the Ponemon Institute, a research center that focuses on privacy and information security, reported that the average total cost of a data breach for companies with at least 1,000 employees is $15.4 million per company a 19 percent increase from 2014 s study ($12.7 million) and an 82 percent increase HIROSHI WATANABE/GETTY IMAGES

2 AD Preoccupied with cyber threats? That s where AT&T can help. We proactively monitor our entire network and respond to potential threats in near real-time helping to protect your business everywhere you do business. Leaving you free to focus on what matters most. AT&T Business Solutions att.com/security 2015 AT&T Intellectual Property. All rights reserved. All other marks used herein are the property of their respective owners.

3 SPECIAL ADVERTISING SECTION businessweek.com/adsections from And this is just an average; some companies were hit with losses as great as $65 million. The frequency of cyberattacks continues to rattle nerves. Last year alone saw mega-breaches of large companies such as Staples (in which hackers compromised the data of more than a million customer credit cards), Home Depot (affecting 56 million customers and costing $62 million), JPMorgan Chase (endangering the data of more than 83 million homes and businesses) and ebay (exposing more than 145 million user records). Such attacks have emphasized a new reality for companies. The Sony hack (which led to a reported loss in excess of $100 million) and 2013 s massive Target breach ($150 million) resulted in two chief executives Target CEO Gregg Steinhafel and Amy Pascal, Chairperson of the Motion Pictures Group at Sony Pictures Entertainment losing their jobs. The message to CEOs is clear: Poor cybersecurity can now get you fired. This makes cyber safety a core responsibility for CEOs, rather than a function delegated to CIOs and tech divisions. While the new do-or-die situation has snapped many in the C-suite to attention, far too many still don t know how to best lead their organization s risk management efforts to meet the new challenges. Asking the Right Questions Now that cybersecurity has shifted from just being an IT responsibility to a boardroom issue, senior directors are looking to the CEO to manage these risks, says Davis Hake, Director of Cybersecurity Strategy for Palo Alto Networks, a leading cybersecurity firm based in Santa Clara, Calif. But we have a lot of business leaders coming in and saying they don t know enough about their company s technical capabilities to effectively address these threats. Getting a bottom-up view of your company s cybersecurity risks is the first order of business (see sidebar below). The S3 A Bottom-Up View of Risk With the help of DHS, Palo Alto Networks crafted five questions for CEOs to ask their technical team before an event occurs 1 What is the current level of cyber risk to our company? What is our plan to address identified risks and prevent worst-case scenarios, such as a breach of intellectual property or customer data? This starter should immediately illuminate where you need additional investments. 2 How is our executive leadership informed about the current level and impact of cyber risk to our company? You re asking what process raises the red flag for cybersecurity issues day-to-day. Often, no process exists at all. 3 How does our cybersecurity program apply industry standards and best practices? Learn whatever you can from others who have already gone through these paces. 4 How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership? In essence, you re trying to gain perspective on the risk by asking, What s a normal day, and what s a really bad day in cybersecurity? This will help you understand the baseline for future crisis planning. 5 How comprehensive is our cyber incident response plan? How often is the plan tested? In the unfortunate event of a breach, testing the plan will help avoid panic, which is the worst thing a company and its leadership can do. It can tip off the criminals, forcing them to smash and grab your data, or go deep underground to plant backdoors into your network where they re much harder to find and fully remove.

4 AD

5 SPECIAL ADVERTISING SECTION businessweek.com/adsections S5 U.S. Department of Homeland Security worked with executives to create five simple questions that a CEO could ask his or her technical team to help start this discussion within their organization, says Hake, who was the Director for Federal IT Security at the White House before joining Palo Alto Networks. Importantly, CEOs need to ask these questions well before an event occurs. CEOs should also be certain that all key members of their team the chief information officer, chief security officer, chief risk officer know their roles if a breach occurs. Companies often forget to include their general counsel, chief financial officers and director of corporate communications. If you ve faced a significant breach, corporate communications is key because public response will dramatically affect your brand perception, says Hake. Palo Alto Networks wants to change the focus so that companies are not just looking at incident response plans, but looking more and more at what they can do to prevent cyberattacks by using the right people, processes and technology. By helping entities adopt a prevention mindset and not view cyber risk fatalistically, we are all working to move us to a time when successful cyberattacks will be the exception and not the norm, Hake explains. The CEO s involvement in cybersecurity processes isn t just a modern necessity, it s an obligation. This goes well beyond technology, and nobody else in the company is going to understand what is most important for the business as well as the CEO, says Hake. Safeguarding data involves people at every level. Are employees being effectively trained? How are managers communicating risks and safety measures? Are you ensuring that when someone leaves the company, their user rights are revoked? This is just one of many items that need to be assessed. CEOs need to think about the cybersecurity risks to their business in a holistic way. Using the Right Virtual Strategy The seismic shift to the cloud is a major factor in cybersecurity, and one that CEOs can t afford to ignore when leading the efforts to mount a solid defense. The data, applications, information and assets that were once closely managed inside the walls of a company are now rapidly moving out to the cloud platforms Cybercrime costs businesses almost $450 billion globally each year, and $100 billion in the U.S. And those figures are rising. and mobile devices, says Jon Summers, Senior Vice President of Growth Platforms at AT&T. This reality has created a far more dynamic business environment in which the legacy perimeter security defense models are no longer sufficient. Many businesses are still failing to adequately protect their virtualized assets, however, and cybercriminals are exploiting this weakness aggressively. It s one reason why a virtual security model is the cornerstone of the cyber defense strategy AT&T is creating for clients worldwide. In moving to cloud-based security strategies, we can decouple security software from the hardware in order to quickly innovate and scale security capabilities in a more elastic and rapid way, Summers explains. In a virtual security model, security functions can be deployed wherever our customers are conducting business, extending the security perimeter around any asset, anywhere. The agility of cloud-based security also allows businesses to quickly scale their defense capabilities when a threat strikes, which is extremely important given today s dynamic threat environment. Historically, it could take weeks even months to fully upgrade a network with the latest versions of hardware and software technology to address new threats. With a virtual security model, a client is able to leverage the benefits of new solutions in a fraction of that time. Such rapid scaling is a survival necessity for many companies, such as large retailers, that must handle customer transactions with speed and reliability. As attacks grow in frequency and impact, it s important that businesses have an ability to rapidly scale their cyber defenses, Summers explains. By scaling quickly, they can offset those threats and stay focused on their core business. Virtual security functions are a critical component of an end-to-end security strategy. Businesses should focus on protecting end points, network connections, and their applications and data. This approach helps to ensure that all potential vulnerabilities are addressed. We ve built our security business on top of our global network foundation, says Summers. This is a real advantage for AT&T in the marketplace. It enables us to deliver security functions in-line with the network. In addition, we see over 100 petabytes of traffic every day across our global network. We monitor the traffic and can identify anomalies that we then translate into real-time actions to help protect our customers, explains Summers. With cyberattacks increasing in frequency, scope and sophistication, business leaders must be smart about looking outside their own walls for allies in building a cohesive defense. CEOs who don t yet fully grasp the broader business implications of cybersecurity may be inclined to go it alone, says Summers. However, it s important to work with trusted partners who can augment a company s capabilities to ensure they have best-of-breed solutions in place, with the right depth and breadth for the risks the business is facing. Finding the Right People Because modern hackers are highly trained with cutting-edge technical skills, the only way companies can fight them is with pros of equal caliber. Resources for such talent can be hard to find, as many traditional

6 businessweek.com/adsections SPECIAL ADVERTISING SECTION computer-science curriculums haven t kept pace with the rapid changes in the landscape. One notable exception is the University of Maryland University College (UMUC), an institution with nearly 84,000 students internationally that has catered to working adults seeking real-world training and degrees, not bound to classroom instruction, since In 2010, UMUC began offering several bachelors and masters of science degrees in the cybersecurity field, as well as certificate programs. It now has more than 8,000 students across all of its cybersecurity programs. Many students have jobs in IT or are already working in cybersecurity or related fields, and we also have active-duty military personnel, veterans and career changers, says Dr. Emma Garrison-Alexander, Cybersecurity Program Chair in the graduate school. We ve developed a curriculum that can cover all of their advanced higher education needs. Students are taught by high-level professionals that work on the front lines of cybersecurity, including, CIOs, CISOs, COOs and VPs from such companies as HP, Mantech and Verizon, as well as a former Chief Information Security Officer and CIO from the Department of Homeland Security and cyber experts from the National Security Agency. Importantly, remote learning doesn t compromise the state-of-the-art tools students can access. The classes provide labs that students access online, with simulators that give them hands-on technical experience no matter where they re located globally, says Jeff Tjiputra, Program Chair of UMUC s undergraduate cybersecurity programs. The faculty delivering our cybersecurity programs comprises scholar-practitioners, adds Garrison-Alexander, who is herself a former federal CIO. All are currently working in the field, with deep technical backgrounds in cybersecurity, so they re living and breathing this every day. They also have the scholarly bona fides, as almost 90 percent of UMUC s cybersecurity professors at the graduate level hold doctoral degrees. As a result, the UMUC cyber programs have been designated as a National Center of Academic Excellence in cybersecurity and defense by the National Security Agency and the Department of Homeland Security. This designation is a gold standard for cybersecurity education. Aside from the technical and forensic aspects of cybersecurity, UMUC s programs cover the legal, ethical, business and policy considerations of advanced modern data protection, as well. Armed with this knowledge, the graduates who are heading to the front lines of this ever-evolving battle can rely on a solid foundation for the new level of informed decisions the business world now demands. Ron Geraci I FOUND ANOTHER WAY TO SERVE. THAT WAS MY MOMENT. Scott Green Undergraduate Cybersecurity Student PROGRAMS IN HIGH-DEMAND FIELDS AD After being injured while serving his country, Scott experienced his Moment when he found another way to serve by pursuing his undergraduate degree in cybersecurity. He wants to make a difference by learning the proper techniques, policies, and procedures to protect and defend information systems in local and broad-based domains. UMUC can help you transition to your post-military career in high-demand fields with Bachelor s and master s degrees in cybersecurity, information technology, business, public safety, and more Up to 90 credits for military service, industry certifications, and DANTES and CLEP exams, saving you time and money More than 140 classroom and service locations, including military installations throughout the world UMUC is the No. 1 university for veterans.* Visit military.umuc.edu/bloomberg to learn more. *Military Times ranked UMUC No. 1 in its Best for Vets: Colleges 2015 annual survey of online and non-traditional colleges and universities. Copyright 2015 University of Maryland University College