Beyond Cybersecurity. Kaplan James M.
Equally critically, industry associations and voluntary groups will have to enable companies to share intelligence, disseminate best practices, align on how to address challenging issues, and eventually create shared utilities to provide important cybersecurity functions.
At the same time, financial institutions and insurance companies could support progress by creating markets for pricing the risk of cyber-attacks.
The final two chapters of the book discuss how leaders can advance the cause of digital resilience. Chapter 8 describes how companies can design and launch a cybersecurity program that will sustain progress. Chapter 9 addresses the role played by the broader set of players in the digital ecosystem – including regulators, vendors, and others – in facilitating the path to digital resilience.
Sustaining the pace of innovation and growth in the global economy in the face of determined cyber-attacks will require dramatic change. Companies must make the transition from managing cybersecurity as a control function to building the practices required to protect information assets into their business processes and their entire IT environment. In addition, regulators, technology vendors, and law enforcement must collaborate with companies to create an ecosystem that facilitates digital resilience. Changes of this scale and complexity cannot be achieved without the active engagement and participation of the most senior business leaders and policymakers.
1 Cyber-attacks Jeopardize Companies’ Pace of Innovation
All business investments require trade-offs between risk and reward. Does the interest rate on a new bond issue adequately compensate for the risk of default? Are the potential revenues from entering a new emerging market greater than the risk that the investments will be confiscated by a new regime? Does the value of oil extracted via deep-water, offshore drilling outweigh the chance of a catastrophic accident? Tough questions must be answered by weighing up the business imperatives against a calculation of the risk – and the greater the risk, the harder it is to make the case for investment.
Technology investments are no different. They, too, have always been a trade-off between risk and return. However, for enterprise technology, increased global connectivity is raising the stakes on both sides of the equation. The commercial rewards from tapping into this connectivity are enormous, but the more tightly we are connected, the more vulnerabilities exist that attackers can exploit and the more damage they can do once inside. Therefore, when a manufacturer invests in a new product life-cycle management system, it is making a bet that the system will not enable the theft of valuable intellectual property. When a retailer invests in mobile commerce, it is betting that cyber-fraud won’t critically damage profitability. When a bank invests in customer analytics, it is betting that the sensitive data it analyzes won’t be stolen by cyber-criminals. The odds on all those bets appear to be shifting away from the institutions and toward cyber-attackers. Given most companies’ siloed and reactive approach to cybersecurity, the odds could swing decisively in the attackers’ favor in the near future.
Our interviews with business leaders, chief information officers (CIOs), chief technology officers (CTOs), and chief information security officers (CISOs) indicate that concerns about cyber-attacks are already affecting large institutions’ interest in and ability to create value from technology investment and innovation. Potential losses, both direct and indirect, reduce the expected economic benefits of technology investments, as do the high cost and lengthy time frame required to build the defense mechanisms that can protect the organization against a growing range of attackers. In short, the models companies use to protect themselves from cyber-attack are limiting their ability to extract additional value from technology.
RISK OF CYBER-ATTACKS REDUCES THE VALUE OF TECHNOLOGY FOR BUSINESS
Concern about cyber-attacks is already having a noticeable impact on business along three dimensions: lower frontline productivity, fewer resources for information technology (IT) initiatives that create value, and – critically – the slower implementation of technological innovations.
Compared to even a few years ago, companies have many more security controls in place that limit how employees can use technology. They prevent users from installing applications on their desktops. They turn off USB ports and block access to consumer cloud services such as Dropbox. They prohibit executives from taking their laptops to certain countries or require that the laptop be reimaged on return. Layers of security controls can even make turning on a desktop or laptop a prolonged and frustrating process at some companies.
Cybersecurity teams may have good reason to implement these measures. Unknown applications can contain malware that antivirus programs can’t detect. USB ports can be a source of infection, and both USB ports and consumer web services can be a mechanism for inappropriately copying sensitive data.
Employees, however, can see such measures as draconian. Worse, they can directly affect productivity and morale. The salesperson can’t hand a USB stick with a video about a new product to a potential customer. The executive traveling overseas has to spend time copying her contacts onto another disposable phone before the visit and is unable to access Skype from her laptop to speak to her husband back home while away.
Security controls also limit frontline experimentation, which has been the source of so much of the value users derive from IT. In the 1980s, the first bankers who started using Lotus 1-2-3 to construct pro-forma models didn’t have approval from corporate IT. Twenty years later, IT had no idea that small groups of executives had started using Blackberries to communicate with one another. Today, such innovations would be an explicit violation of most large companies’ information security policies.
As a result of these factors, 9 out of 10 technology executives say cybersecurity controls have at least a moderate impact on end-user productivity; in the high-tech sector, 60 percent say the impact on productivity is a major pain point. A senior technology executive at a large bank said that if the CEO realized how many hours were lost as employees struggled with security controls, “he would hang us all.” The CISO for a high-tech firm said he was convinced that the security controls he had to put in place contributed to talented engineers leaving the company.
Unfortunately, in many cases, restrictive security controls do not even solve the initial problem. They can lead users to circumvent corporate IT entirely, ironically increasing the risk dramatically. For example, at one securities firm, many bankers became so frustrated by long boot-up times and other controls that they stopped traveling with their IT-issued laptops. Instead, they just bought cheap laptops with no security controls and used free web-based e-mail services to communicate with each other.
Even government employees find workarounds. In a 2010 survey of U.S. federal officials, just under two thirds said security restrictions prevented them from getting information from some websites or using applications related to their jobs. The solution: using a nonagency device to access the information they need. In fact, more than half said they accessed information from home instead of from the office to get around the security controls.5
Direct cybersecurity expenditures are small compared to overall IT budgets and business revenues, but cybersecurity still diverts resources away from IT projects that create value because of the downstream effects it has on other IT functions such as application development and infrastructure.
End of the preview excerpt.
5 Rashid, Fahmida Y., “Cyber-security Hurts Federal Government Productivity, Survey Says,”