For many organizations, network security is still considered a technical cost-center that is approached from the standpoint of compliance and an anticipated return on investment, with little consideration of the very real threat to overall enterprise risk.
The continued underestimation of the impact a data loss event can have on the viability of an enterprise is of particular concern when publicly traded companies are considered, as individual and commercial investors have little or no idea how such an event will affect shareholder value.
Just ask the investors at Heartland Payment Systems (HPY), who are only now seeing the company's stock price approach anything near its level before the breach announcement, and the effects of the event are far from over.
As the responsibility for mitigating all enterprise risk ultimately lands in the lap of the Chief Financial Officer, it's time for CFOs to truly understand that the steady stream of techno-babble related to threats and system upgrades emanating from their IT departments is more than just overly excited geek-speak.
Fundamentally, IT systems security is at the heart of all enterprise risk abatement, and CFOs need to recognize they are way behind the curve in this respect when it comes to protecting their company and the bottom line.
And it's not just the CFOs who are fumbling the ball. The problem also stems from the inability of security professionals to effectively translate the message of vulnerability into the language of the boardroom: Risk.
Jeffrey Carr, who consults with U.S. and foreign governments on cyber intelligence matters and is the author of Inside Cyber Warfare, had an article in Forbes that should serve to keep CFOs up nights; however, it will probably go largely unnoticed.
If you are a security expert, there are no surprises in what Carr has to say, as these simple "knowns" are the most basic tenets of information security:
- You cannot protect all your data
- You cannot stop every attack
From the security expert's perspective, these facts are the driving force behind everything they do in their professional capacity on a daily basis, yet this is not the message being conveyed to the CFO.
Stark realities such as those Carr pointed out just don't return larger security budgets, as gloom and doom is generally unappetizing to the spin-happy executives who are responsible for communicating risk levels to both regulators and investors.
Carr goes on to say in his article, "Once you understand that you cannot stop every attack, and that the attacker has a vast advantage over the defender, the next logical action to take is to reduce the number of attack vectors that a potential adversary may choose from."
Again, this is security 101, but for CFOs this should be a revelation. When the simple truth that critical systems can really only be defended and not wholly protected from interlopers is considered across the broad spectrum of industries that comprise our economy, the implications are staggering.
Even in the midst of ever-larger data breaches and the sharp uptick in cyber-related criminal activities, sectors like communication, finance, healthcare, legal - and those that govern our critical infrastructure like the emerging smart grid - are rushing headlong into the implementation of systems that dramatically increase the risk of a serious security event.
It's time for a serious discussion regarding the true nature and very real implications of technology-inspired risk, and it's time for security professionals to deliver a clearer message on the actual state of network and system vulnerabilities.
It's also time for CFOs to fully account for the expansion of risk in the digital age, and to accurately estimate the potential impact on shareholder value.