Wednesday, October 7, 2015

Security is Big Business in Massachusetts

By Barbara Bix

Barbara Bix helps business leaders uncover, crystallize, and exploit opportunities to gain the competitive edge.  Twitter: @maxopportunity

Despite the pouring rain, the Mass TLC's conference on The Business of Security: Impacting Your Company's Resiliency, Reputation, andRevenue attracted a large crowd interested in learning more about the evolving role of security in business in general--and opportunities this growth will create in Massachusetts in particular. 

Over the course of the day, participants got the opportunity to hear from thought leaders, practitioners, CEOs of successful MA security companies, founders of startups, and investors.  Perhaps equally exciting, they had the opportunity to discuss shared concerns with both the experts and their peers.  I personally walked away with a lot of great information.

Follow the link above to see the agenda, speakers, and session formats.  Immediately below, I share key takeaways.

Security has become a major issue for businesses
In the past, a lot of the conversations around security happened more among security geeks and technologists.  Today, that conversation is moving into the executive suite and the boardroom as the quantity and business impact of security breaks becomes more visible.  Front-page news articles about breaches at major corporations, and the accompanying losses, has made this issue impossible to ignore.

Security begins with awareness
According to Keynote Speaker, Emily Mossburg, Principal at Deloitte & Touche LLC, security is now on the agenda at Board Meetings and Executive Committee meetings.  This is a propitious time to ask for more people and budgets to protect company data.
Nevertheless, it was apparent from listening to both Mossburg and the other speakers that obtaining the necessary resources will take greater awareness at all levels of the organization--as to both the magnitude and the nature of the problems.  Sam Curry, CSO and CTO at Arbor Networks recommended a surefire way of ensuring that security issues stay top of mind at the board level--add security professionals to your board.

To help build greater awareness, Mossburg recommended speaking to the organization's mission and to leadership's business objectives.  Paint the picture using Gartner studies about security spending and describing the business risk of a single hole.  Help leadership understand the tradeoffs between rapid development--and data protection.  Explain that priorities, such as innovation and data sharing, have placed organizations in "catch up" mode--and that we need to now align the business strategy with security imperatives.

Mossburg also said that we need to change the perception that things aren't improving.  We need to do a better job of expressing progress.  Adversaries are sophisticated and move quickly.  We need to say we have more governance, we have better technology, but we'll never be done. 

When a participant pointed out that not everyone had access to the board, others recommended enlisting partners from other departments to help make the argument.  As examples, they pointed to successes they had had working with Legal, Compliance, and Finance.  Each has a vested interest in greater security--and a lot of experience framing conversations in terms that business leaders understand.

Sales can also help.  Gretchen Herault, deputy chief privacy officer from Nuance, told us that prospective customers often want to know how about Nuance's security practices before they will close the deal.  Failure to provide ready answers can delay the sale and/or negatively impact revenue.

Organizations need to manage security the way they manage other risks
Despite increased awareness, several speakers discussed the difficulty of getting boards to place a priority on mitigating a risk versus generating profits.  They said that executives and boards tend to use financial metrics such as revenue, costs, profitability, and return on investment to measure success or failure--and to compare alternative investments.  Costs associated with risks, and the benefits of risk mitigation, are harder to measure. 

In the case of security risk, costs include prevention, and in the case of a break, restitution of direct financial losses.  They also include less measurable costs such as brand diminishment which has the potential to lead to lost sales and customers, price erosion, and the ability to take on more debt or attract investors.

As one speaker noted, businesses take risks all the time.  It is a question of taking the right risks.  Businesses never secure all risks. It's too expensive. 

Sam Curry said is the same conversation as boards have about opening a business in a new country.  Public companies need to articulate the degree of exposure.  Then, they need to figure out what they can do to prevent risk, what risks are acceptable, what risks they will transfer (for example to suppliers), and what risks they will mitigate.  Businesses need tools, and processes, that will help them manage security risk in the same way that they manage legal risk or operational risk.  

Businesses need to thoroughly review contracts every time they come up for review to ensure they keep current with all the changes that are occurring in our understanding of security risk and prevention.  For example, companies have long used service level agreements (SLA) to transfer risk to software vendors.  Now, they are also implementing risk level agreements (RLA) to transfer security risk.

Technologists need to speak in languages that businesses understand
Another point that came up, in session after session, is that successful execution will depend on technologists learning to speak in terms that businesses understand.  Mossburg said we can no longer talk about bits and bytes.  Mary Buonanno, VP of IT at Steward Health Care, stressed the importance of speaking in terms the business can understand.  At a hospital, she noted, that can mean talking about how a lack of security can harm patients.

Learning a different language starts with immersion.  Speakers recommended arranging opportunities for the people building products to get to really know your customers.  Also, after a breach bring all the groups in the company together to discuss plans for remediation.

Security is a hard problem to address
Securing a company's data is impossible, because there will always be a new threat.  That said security is also a hard problem to address--even within the realms of the possible.

Security is a many-layered problem.  Prior to the Internet, companies could prevent many breaches by physically securing the perimeter and on premise devices such as servers.  Institutions, with higher security concerns, have long employed tactics such as encryption and authentication. 

Today, prevention is much harder.  Data no longer stays within the company boundaries.  Businesses are now highly distributed and decentralized.

Employees use personal portable devices such as laptops and mobile phones that may be out of a company's span of control.  Moreover, many employees work remotely--at least part of the time.
Company departments regularly exchange data with customers, suppliers, and other third parties over whom they have even less control.  Next up is the Internet of Things.  As the Target HVAC breach, for one, has already demonstrated, this innovation will significantly multiply the challenge.

Because security is a many-layered problem, it requires many layers of defenses.  Many speakers warned that achieving adequate security requires awareness and discipline across the organization, at all levels.  All devices, applications, systems, software, and interpersonal activities and interactions are opportunities for exposure.

People are often the stumbling point
Security technology is just the starting point.  Attention to people and processes are equally important.  And because change is hard, and people take the least line of resistance, both technology and processes must be highly usable.

Some industries, such as government, and in particular the Department of Defense, have long made security a top priority.  Financial institutions have also done so--albeit to a lesser degree.  According to the speakers, these industries are further along when it comes to implementing widespread processes to securing data--and training and incentives to increase the probability that people will execute them.

That said most companies are just beginning to address security issues.  One obstacle has been that prevention is burdensome.  It takes time and money.  Worse, it requires compromise, adoption of new processes, and--hardest of all--behavior change.

A few examples of compromises include accepting: slower response times for encrypted data, extended time to market for software that incorporates security features upfront--and time-consuming multi-step processes (such as sending data over a secure network rather than via conventional email, or taking a few minutes, between tasks to file papers containing sensitive data rather than leaving them on a desktop).

In many cases, the technology is there--but awareness, processes, training, and usability need to catch up.  One speaker told us that the vast majority of breaches occur because companies fall behind in applying the software security patches their vendors provide.  Another warned against using open source software which can speed development, but often harbors viruses and other security threats.  A third said that her clinicians worry that security measures will interfere with patient care--especially in an emergency where every second matters. 

These are but a few examples.  One of the participants, at the unConference session I attended referred us to a four-part Fortune article about the Sony breach.  He uses it with his management to raise awareness of the non-technical gaps that lead to breaches.

Advice for managing the people issue
Speakers recommended strategies and tactics for managing the people issue.  Sam Curry recommended equipping people with checklists.  Mary Buonanno and Omar Hussain, CEO of Imprivata stressed the importance of ease of use. 

A number of people pointed to the need to distribute ownership of the problem throughout the organization--and for that matter up and down the supply chain.  As Charlie Schick from Atigeo asked, "How do we get partners to be as paranoid as we are?"


One recommendation was to keep asking questions about people, processes, and technologies. As noted above, many companies now require audit their vendors and suppliers to undergo security audits.

No comments: