With one of the world’s biggest brands filling headlines for all the wrong reasons, David Reed looks at how information security got the board’s attention in a hurry - and what has changed in the way it gets aligned with the business and data governance.
Sony’s ongoing information security problems have probably done more to put the issue onto the boardroom agenda than any amount of legislation. Hacking attacks on the entertainment giant’s systems brought with them two attention-grabbing elements - firstly, the £140 million costs which Sony has so far attributed to the breach, and, secondly, the image of its divisional leaders facing the humiliation of having to bow and apologise in public.
For a company reeling from the impact of the Japanese tsunami and massive losses arising from that event, being forced to close key services in global markets has been an unwelcome addition to the corporate “to do” list. Other CEOs watching the company’s problems will have been grateful that it was not them occupying the daily news schedules.
Yet any complacency about corporate information security is misplaced. Sony’s initial response to the first attack on its PlayStation Network was to upgrade technical security and change its data centre. But it also appointed the company’s first chief information security officer - a step towards adopting a broader data governance culture.
This looks to be a tipping point. Hackers are good at working out ways around firewalls in order to extract data. If personal information is not left in plain view - on an old database or in text files as happened in two of Sony’s breaches - that extraction becomes harder.
“It is right to say that data governance is gaining more recognition in senior business levels over the last couple of months,” says William Beer, director, OneSecurity, at PwC. “There is a growing recognition from business leaders that they need to be more involved in decisions about information security.”
What is notable about this new focus is that it is driving changes in how the problem is resolved. “In the past, when companies thought about information security, they thought of IT security. Now they are addressing processes as well as technology,” says Beer.
The status and line of reporting are also changing. In the past, where a chief information security officer was in place at all, they reported to the chief information officer. Increasingly, CISOs are getting a direct board-level report, or work to the chief privacy officer. “There is a move towards board level,” notes Beer.
That is hardly surprising, given that it is those senior executives who could end up in front of the world’s media in the event of a data breach. But it also reinforces the fact that people and processes are what help to keep data safe, not just technology. When staff handling data know that it has the attention of the CEO, they are more likely to take the right steps to protect it than if the consequences are just a ticking off by the IT director.
At the same time as this positive shift is occurring, Beer notes that another challenge is emerging. “More work is needed by CISOs. They need to steer clear of jargon in order to be understood by business leaders,” he says.
This theme was picked up by Paul Wood, group chief security officer for Aviva, in a presentation he gave at the Information Security Leaders conference in February. Recognising that CISOs have historically been viewed either as getting in the way of business processes or as nerds (or a combination of both), he addressed the question of credibility.
“The position you hold and the way you are viewed within the company will inevitably impact your influence with the board and senior management team,” he told delegates. “How you network and engage with key stakeholders in all that you do will determine the way you are judged.”
One unfortunate fact of life he pointed to is that a single badly-handled event will undo all the work of dealing well with ten other events. This is true both for the team leader and those working underneath. In trying to build up the right resources, skills and status to avoid those problems, Wood argues that CISOs need to learn how to be leaders themselves.
That means aligning the needs of the function with the overall business case. In some respects, recent data breaches are making this easier because of the link between information security and customer pressure. “Customers expect more from the private sector,” said Wood.
“Today, the biggest challenge for us is doing more for less. The business is expecting more, expecting to react faster to market changes, and expecting the security specialists to deliver more but with less revenue,” he said. Showing that further information security measures can deliver a business benefit has therefore become crucial.
As well as getting the right business case, Wood stressed that CISOs must be able to present it well, including staying on the agenda and expecting to be challenged. “Know your subject and your audience. One of our non-execs is a technology director at Google, one sits on the audit committee of another financial institution,” he said.
The developing needs of information security specialists are only a response to the way the threat profile is changing. “Knowing what’s coming around the next corner is my biggest concern. We are always alert to vulnerabilities and weaknesses in software that are detected and exploited by hackers and criminals to take advantage or steal intellectual property,” said Wood. “It’s what keeps me awake at night and is one of the biggest challenges as a chief security officer.”
By bringing information security to the top of the corporate agenda, the Sony breach has also helped to reveal just how much has changed in how organisations need to manage the problem. It is not just the skills set, language or executive support that has moved on - so has the scope of what information security needs to address.
Root causes for any data loss or breach have to be understood if the organisation is to prevent any repetition. That is very different from just adding more layers of technology, which was the first response by Sony. It means looking at the people and process issues as well, possibly leading to significant organisational changes.
Adrian Gregory, chairman, DQM Group and also chairman of the DMA Data Governance Working Party, says: “The key message for me here is that the criminal hackers will always win. It's not if you get hacked, but when. And how you respond to that data breach is important.”
“The more professional and well-managed a response to a data breach, then the less the damage to brand and reputation - although be in no doubt that damage will happen,” he says. One of the issues about the way Sony dealt with the hacking attacks is whether it moved quickly and transparently enough to deal with the intrusions and tell data subjects that their information might have been compromised.
“Subsequent revelations - such as the possible theft of credit card details from some parts of the SOE enterprise - have cast doubt on the effectiveness of their initial investigation and response,” says Gregory. Sony has seen its share price fall by 26 per cent (although broader financial problems have driven much of that).
Damage to the company’s brand value may take longer to register. In the Interbrand Top 100 report for 2010, Sony was ranked 34th with a brand valuation of $11,041 million. While this was already a fall of 5 per cent on its 2009 value, that was largely due to increased competition in its key marketplaces. Having put over 100 million customer records at risk of fraud, this year’s brand valuation will surely show a steep fall.
Gregory believes that organisations can help to mitigate such damage if they see a breach as a genuine opportunity to learn and improve. “Getting to the root cause of what went wrong and can go wrong through a thorough risk assessment is crucial to ensure the risks of subsequent breaches are minimised,” he says.
He adds that: “The threat of hacking shouldn't be over-played. In our experience, most data breaches - over 80 per cent according to Forrester - are due to people and process failures. Many organisations could greatly reduce their exposure to the kind of brand damage suffered by Sony and others if they had more effective processes in place and improved staff training and communication.”
To start on these improvements, organisations need to get a better grip on what is actually happening within the business and how it is affecting information security. As PwC’s Beer says: “They need to put in place hard metrics to demonstrate to business leaders how things are improving.” To sustain the business case for investment, the organisation will want to know that things are getting better, risks are reducing and staff are conforming to correct processes.
Security metrics have been a subject of debate for some time. Information is already available to help build them, such as log data, intrusion detections, benchmarking and baselining. By bringing these disparate strands together into key performance indicators, better insights into information security can be gained.
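The paragraph above names the raw ingredients of security metrics - log data, intrusion detections, baselining - without showing how they become a KPI. The following Python is an added example written for this article, not code from PwC, LogRhythm or anyone quoted; it parses a small constructed log (the lines, dates and addresses are made up), counts two event types per day, takes the first few days as a baseline, and flags later days that exceed the baseline by more than two standard deviations. The line layout and the classification rules are assumptions for the sake of the example.

```python
import re
from statistics import mean, pstdev

# Constructed sample log (not from any real system): "<date> <source> <message>"
SAMPLE_LOG = """\
2011-05-02 auth sshd: Failed password for admin from 10.0.0.7
2011-05-02 auth sshd: Failed password for root from 10.0.0.7
2011-05-02 ids snort: alert tcp scan from 10.0.0.9
2011-05-03 auth sshd: Failed password for admin from 10.0.0.7
2011-05-03 ids snort: alert tcp scan from 10.0.0.9
2011-05-04 auth sshd: Failed password for guest from 10.0.0.8
2011-05-04 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 auth sshd: Failed password for admin from 10.0.0.7
2011-05-05 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 auth sshd: Failed password for root from 10.0.0.7
2011-05-05 ids snort: alert tcp scan from 10.0.0.9
2011-05-05 ids snort: alert tcp scan from 10.0.0.9
2011-05-05 ids snort: alert tcp scan from 10.0.0.9
"""

# Assumed line layout: ISO date, a source token, then free text.
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<source>\S+) (?P<msg>.*)$")

# Hypothetical rules mapping message text to a metric name.
METRIC_RULES = [
    ("failed_login", re.compile(r"Failed password")),
    ("ids_alert", re.compile(r"\balert\b")),
]


def daily_counts(log_text):
    """Return {metric: {day: count}}, with an explicit 0 for quiet days so a
    day with no alerts does not silently drop out of the time series."""
    parsed = [m for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]
    days = sorted({m.group("day") for m in parsed})
    series = {metric: {day: 0 for day in days} for metric, _ in METRIC_RULES}
    for m in parsed:
        for metric, pattern in METRIC_RULES:
            if pattern.search(m.group("msg")):
                series[metric][m.group("day")] += 1
    return series


def baseline_kpis(log_text, window_days=3):
    """Per metric: baseline mean/stdev over the first window_days, the latest
    day's count, and any later day whose count exceeds mean + 2*stdev."""
    series = daily_counts(log_text)
    report = {}
    for metric, by_day in series.items():
        days = sorted(by_day)
        if len(days) <= window_days:
            raise ValueError("need more days of data than the baseline window")
        base = [by_day[d] for d in days[:window_days]]
        mu, sigma = mean(base), pstdev(base)
        threshold = mu + 2 * sigma
        report[metric] = {
            "baseline_mean": mu,
            "baseline_stdev": sigma,
            "threshold": threshold,
            "latest": by_day[days[-1]],
            "flagged_days": [d for d in days[window_days:] if by_day[d] > threshold],
        }
    return report


if __name__ == "__main__":
    for metric, kpi in baseline_kpis(SAMPLE_LOG).items():
        print(f"{metric}: baseline {kpi['baseline_mean']:.2f} "
              f"(threshold {kpi['threshold']:.2f}), latest {kpi['latest']}, "
              f"flagged {kpi['flagged_days']}")
```

The design point is that each metric is reported against its own baseline rather than as a raw count: "eight failed logins" means nothing to a board, but "five times the three-day baseline" is a statement about change, which is what the business case needs. A real deployment would use a longer window and a tool's own normalised event fields, but the shape of the KPI is the same.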
“Organisations we are working with are looking to benchmark against their peers to understand how they are performing against other industries. Interest in benchmarking is growing,” says Beer. PwC has been building a knowledge base and skills set in this area for some years and is well equipped to provide this kind of metric.
Ross Brewer, vice president and managing director of international markets at LogRhythm, also notes that companies have to start using the management information they have better and aligning it with how they respond to problems. “What’s interesting about this latest Sony attack is that it is the hacking group, rather than Sony itself, which has disclosed the breach. This raises the question - did SonyPictures.com even know that its network had been compromised? Perhaps it did know, but decided not to disclose it. Either way, it will be a major worry to consumers who have entrusted the company with their personal information,” says Brewer.
He adds: “Sony needs to take drastic and immediate action to step up its IT defences if it is ever going to restore consumer confidence in its services. At the moment, you can’t believe that anyone would happily hand over their password and date of birth to Sony for safe keeping. Indeed, LogRhythm research has found that two-thirds of UK consumers would try to avoid future interactions with organisations which have lost confidential data, while 17 per cent would never deal with them again.”
Losing customer trust is a straight line to losing revenue. From there, as the bottom line suffers, the share price will too. CEOs are most twitchy about how the market in general views the business and what share analysts are telling investors in particular. If a link can be made between getting information security right and growing the market capitalisation, a new way of working will have grown from the root upwards.
Information security is most often viewed in terms of technology. Yet the best way to secure valuable and sensitive personal data is when everybody in the business understands the difference between good and bad security and how their actions might put data at risk.
Regular risk assessments are essential to understand where the organisation faces exposure and where resources should therefore be focused. This can be achieved by creating a relatively simple matrix of the probability of a problem arising (low/medium/high) and the level of impact it would have (low/medium/high). Rather than trying to cover all nine bases, the business can deal with the highest first, then the medium-highs. (A useful spreadsheet tool for such an assessment can be found on the DMA’s website at www.dma.org.uk/docframe/docview.asp?id=5881&sec=-1.)
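The three-by-three matrix described above is simple enough to work through in code, and doing so makes the prioritisation rule ("highest first, then the medium-highs") explicit. What follows is an added example written for this article, not the DMA’s spreadsheet tool or any organisation’s own method. The risk register is constructed, and the tier names and the tie-break (impact before probability when two risks share a tier) are assumptions of the example, not rules the article states.

```python
"""Probability/impact risk matrix prioritiser (illustrative, constructed data)."""

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed risk register: (description, probability, impact). Not real data.
RISK_REGISTER = [
    ("Customer records held in plain-text files on a retired server", "high", "high"),
    ("Contractor retains access after contract ends", "medium", "high"),
    ("Unpatched web application exposed to the internet", "high", "medium"),
    ("Laptop lost with an encrypted disk", "medium", "low"),
    ("Marketing list held without consent records", "medium", "medium"),
    ("Office printer logs retained longer than needed", "low", "low"),
]


def _level(name, kind):
    """Map low/medium/high to 1/2/3, rejecting anything outside the matrix."""
    try:
        return LEVELS[name.lower()]
    except KeyError:
        raise ValueError(f"{kind} must be low, medium or high, got {name!r}") from None


def tier(probability, impact):
    """Assumed tier labels: 'highest' for the high/high cell, 'medium-high' for
    the two cells next to it, 'medium' for the diagonal below, 'low' otherwise."""
    total = _level(probability, "probability") + _level(impact, "impact")
    if total == 6:
        return "highest"
    if total == 5:
        return "medium-high"
    if total == 4:
        return "medium"
    return "low"


def prioritise(register):
    """Return the register most-urgent-first: by combined level, then by impact
    (assumed tie-break, so a high-impact risk outranks a high-probability one),
    then alphabetically so the order is stable."""
    def key(risk):
        name, p, i = risk
        return (-(_level(p, "probability") + _level(i, "impact")),
                -_level(i, "impact"), name)
    return sorted(register, key=key)


def build_matrix(register):
    """Map each of the nine cells to the risk descriptions that fall in it."""
    cells = {(p, i): [] for p in LEVELS for i in LEVELS}
    for name, p, i in register:
        _level(p, "probability"), _level(i, "impact")   # validate before indexing
        cells[(p.lower(), i.lower())].append(name)
    return cells


if __name__ == "__main__":
    for name, p, i in prioritise(RISK_REGISTER):
        print(f"{tier(p, i):12} p={p:6} i={i:6} {name}")
    print()
    cells = build_matrix(RISK_REGISTER)
    for impact in ("high", "medium", "low"):           # rows: impact, top = high
        row = [len(cells[(prob, impact)]) for prob in ("low", "medium", "high")]
        print(f"impact {impact:6} | " + " ".join(f"{n:3}" for n in row))
    print("                 prob: low  med high")
```

Run as a script it prints the ordered register and a count of risks per cell; the counts are the figure a board most readily understands ("we have one risk in the top cell and two beside it"), while the ordered list is what the security team works from. Whatever tier scheme an organisation adopts, the value is in writing the rule down so that two assessors score the same risk the same way.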
Mitigation of risk can then be introduced by setting appropriate controls for that data, which might be access, usage or other limits to what users can do. Training is essential to ensure that staff understand their personal responsibilities. They also need to know that any penalties or sanctions for breaking controls will actually be enforced. This might include dismissal for serious breaches.
All of these elements of the information security plan need to be extended to third parties and suppliers as well. Unless external contractors or data processors are working to the same standard, the company puts itself - and its brand - at risk from a failure. This is what many UK retailers learned to their cost when Epsilon suffered an email data security breach earlier this year.