“If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked” ― Richard Clarke
Everyone is entitled to his or her view. When it comes to the C-suite, these views need to be shared, debated and ideally directed towards a common goal.
Whilst everyone in the C-suite recognises the importance of keeping company information secure and customer data protected from unauthorised access, each member of the executive suite views the topic differently.
Information security, data protection and privacy continue to be areas under the oversight of the chief information security officer (CISO), assuming an organisation can afford the function. But regardless of who holds the title, security is everyone's responsibility, from the C-suite all the way down to the rank and file of the company.
The most recent global threat intelligence report identified three key challenges that organisations face today:
Credential theft: Threat actors are increasingly targeting individuals and organisations to steal credentials, particularly for Microsoft Office 365, PayPal and Google accounts.
Crypto-jacking is up 459% year-on-year: Crypto-jacking, mining software covertly deployed on end users' devices, often goes undetected. It uses the device's computing power to mine cryptocurrency, essentially monetising the victim's electricity and hardware for the attacker.
Web application attacks are up 100% year-on-year: As organisations migrate to cloud-based environments, threat actors are targeting those environments as well. They are interested because the data, together with the personally identifiable information it contains (patient data or credit card records, for example), can be monetised on the dark market.
FutureCIO spoke to Mark Thomas, vice president of Cybersecurity at NTT, to discuss recurring cybersecurity issues and the role of each member of the executive suite in the protection of that information.
How competent (skills and expertise) is the IT function in the use/securing of operational technology?
Mark Thomas: So traditionally, the IT team has always been left out of the discussions with the OT department, and this is where we talk about the increased need for greater communication and collaboration.
We have to leverage the skills of the OT team to understand the impact to the business, and the importance of privacy, safety and reliability for OT environments, because it can actually cause harm (physical harm) to people. IT has different skills that have to be used as well, so it's all about how we integrate those two skill sets to improve the business value to the consumer.
In what situations does a CTO work with a CIO within an enterprise?
Mark Thomas: The CIO of any organisation is responsible for the internal infrastructure, whereas the CTO is the external face to build new capabilities, new products, and new services that they can take to market.
The CIO has to work with the CTO to understand what are the toolsets they need, what are the technologies or underlying infrastructure that the CTO needs in order to build out new products and services.
Can you give me a quick view of what security means to a CFO and CEO?
Mark Thomas: Security to the CFO means reducing losses to the business, reducing financial risk. So, we talked about security providing a return on investment. More importantly, I think security is about reducing the risks and the scope of a breach. How can we reduce the frequency of an incident occurring and how can we reduce the financial repercussions as a result of that breach?
When it comes to the CEO, I think security has to be there by design. We talk about security as being the enabler of digital transformation. It has to be a competitive differentiator.
It has to unlock new sources of revenue when it comes to creating new products and services, and if security is there by default, consumers will want to invest in those types of companies because their data and privacy are adequately protected, so it becomes a key differentiator.
Is there such a thing as a one-size-fits-all security model across industry and across function?
Mark Thomas: I'd say there's no one-size-fits-all when it comes to security standards, and that's where organisations have to look into working with a trusted advisor to understand what industry they are in, what risks they face, and what their threat profile looks like.
Then from there, we understand what these security investments need to look like and what the budget has to look like so we can allocate those right investments in technology, processes, and people to manage that risk.