Why Bad Security is Bad Business

Business leaders need to take note quickly, and learn to recognize that information security risks are real risks to their success.

Security professionals are often seen as being difficult to deal with. They can be perceived as throwing a spanner in many a good idea, and their incessant demands and the restrictions they try to impose can seem like an artificial bottleneck on getting something to market or into production rapidly. Often, we are accused of not being “business-minded”, or something to that effect. Let us take a little time to gloat and at the same time throw that ill-conceived misconception on to the bonfire of myths and old wives tales.

Some estimates have put the total cost of the infamous Sony attack at upwards of $24 billion. More difficult to quantify is the accompanying brand damage. Sony announced a 2011 annual loss of $4 billion, which admittedly cannot be entirely blamed on that security catastrophe, but which without a doubt played its part in contributing to the total loss. This breach came at a time when Sony had already been struggling to compete against newer market participants in other areas, and needed its entertainment arm to perform strongly to offset this more than ever.

Recently, Global Payments, Inc. was removed from Visa’s list of PCI-compliant service providers and saw a 9% drop in its stock price after it suffered a data breach in March 2012. This happened to a company that earns its bread and butter primarily with card processing, and it still did not do what was necessary to protect its core business.

VASCO Data Security managed to lose the $13 million it paid to acquire DigiNotar after DigiNotar went bankrupt in 2011, and had to wind it down to the tune of a further $5 million after a cyber attack forced it out of business.

Nortel Networks was the victim of decade-long industrial espionage targeted at its actual intellectual property and development data. Nortel no longer exists. In its day, it was one of the largest suppliers of telecommunications and network equipment in the world.

I am a layperson when it comes to business, but to me it seems like bad security is really, really bad business.

Looking at the average cost of a data breach, who is more business-minded? The security professionals who might have prevented these high-cost, brand- and capital-destroying disasters, or the business professionals who made the bad business decisions that ultimately set the stage for these breaches?

If that is being business-minded, I will take the accusation of not being business-minded as a well-intended compliment. I may be naïve, being only a security guy, but I have always worked under the impression that practicing good business means creating something that is scalable, that is sustainable, that avoids making unnecessary, huge losses and, if possible, tries not to gamble with the good data, and thus the brand love and loyalty, of its customers. That sounds like bad business in a nutshell to me.

The problem, as most problems of this nature usually are, is rooted in history, tradition and, of course, ignorance. Business thinking has not yet evolved to be aware of, and take into account, the new challenges and demands on strategy and operations that these wide-sweeping changes in how we communicate and use technology have ushered in, even while the consequences of the failure to adapt are in plain sight for all to see.

Business schools barely touch on information security or information risk. That is a fatal shortcoming in this new world of ours, where so much business is now conducted digitally and virtually that the economy would grind to a standstill if the net were unavailable even for a short while. The world has evolved and progressed. Commercial interests have been quick to jump on the possibilities this has opened up, stamping out and saturating entire new markets out of thin air that a decade before were just the ravings or fanciful notions of some hardcore geek. Yet businesses are still struggling with the other consequences of this evolution and have yet to acknowledge that we are not in Kansas anymore.

There is much talk of the modern CISO having to be more business savvy, and how the role should be focused on being business-enabling. I say that is 20th century thinking at its worst, and it stems from a complete lack of understanding of where we are and especially of where we are actually going.

I don't buy into the argument that the aim or intended task of security is to enable business. It is meant to ensure that your data, your IP, your communications, your assets, are adequately protected, that stockholder value is sufficiently guarded, and that the business can thrive for many years to come.

Nor is it really just up to the CISO or other security staff to make a company secure. Security has to be in the fabric of an organization, or it will never be holistic, and thus never effective. Any other approach will lead to a business with security, but not to a secure business. The successful business leader of the future will have to be more security-aware, and will have to be more mindful, considerate and respectful of information security and its implications than ever before.

This is not a matter of a lack of training or insufficient time either. Security awareness is not a skill. It is a mindset: a mindset born out of an understanding of the risks and problems involved, and the resulting “informed paranoia” that develops once you have that understanding. And that mindset is now a business requirement in and of itself if you want to run a business in this day and age, and even more so in the future.

We are on the precipice of a new age that will fundamentally change the way the world functions, communicates and organizes itself. We are currently only seeing its shadow, but it already provides a glimpse of the outline of what is to come, and boy, it is a major, cataclysmic, paradigm-breaking game changer. Businesses will have to evolve quickly to adapt to this new era, because failure to do so will spell the end for any organization, be that with a big bang or with a whimper.

In that light, the outlook for many companies, based on recent events and current attitudes, is not particularly good. Security is considered an extra cost without measurable benefit, an afterthought, or something to implement in order to be compliant.

A good analogy is the Dodo. That the Dodo is extinct is well known, but less discussed is how it came to be that way. Its habitat was the island of Mauritius, where for many millennia it lived a carefree life without fear of predators or much competition aside from other Dodos. Life was simple, life was good, leaving the Dodo free to concentrate on finding food. Then times changed drastically, with disastrous consequences for the poor, carefree, oversized bird. Man found Mauritius, and with Man came dogs, pigs, rats, and a variety of other threats and competitors that the Dodo was not equipped to cope with.

There are stories that it was possible to walk up to the Dodo holding a club, and it would watch you beat it to death, knowing no danger or sense of risk. Much like most victims of an SQL injection attack, really. Roughly a century after the first recorded accounts of the Dodo, it ceased to be; extinction left only some bones and a few plaster casts to wonder about. And that despite the fact that its meat was described as tasting rather bad.

We are in a similar situation. Barely 20 years ago, there were no mobile phones in day-to-day use, offices still did almost everything on paper, and networks were usually intended to carry faxes and print jobs. Now we are no longer isolated, left in peace to live our carefree little lives with no outside pressures.

No stockholder, customer or voter wants someone in charge who is unable to understand and assess risk and security, as a hapless and incredibly misguided UK minister recently had to be reminded. It will not take long before the same comes to apply to executives, and to business overall by extension.

And when you have enough people, especially ones in the know, acknowledging that current business practices in regard to security are unsustainable, you know that someone is already staring at that kind-looking, smiling man walking towards him with a club in hand, wondering whether he may be bringing something to eat.

Cybercrime, cyberterrorism, cyberespionage and cyberwarfare: these are now a permanent feature of the threat landscape, which makes them actual business issues, with all that this implies.

With security-ecosystem predators like Anonymous, Chinese hackers, Iranian cyber armies, foreign intelligence agencies, corporate spies and other less obvious hunters such as the media (as in the case of the UK newspaper hacking scandals) circling the old, weak and lame in the herd, natural selection will kick in with a vengeance. As in nature, when a new ecological niche opens up, the food chain soon begins to establish itself and find equilibrium, with those players unable to adapt quickly enough providing easy prey for the others.

Management and business leaders will have to take note quickly, and learn to recognize information security risks as real risks to their success, or they will go the way of the Dodo.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of information security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and given interviews on the topics of information and offensive security, as well as cyber-terrorism and hacker culture.