Information Risk Management in the Digital Age
Information security dominated the headlines throughout 2017, with debate over the impact of hacking on the US presidential elections and major new data breaches suffered or revealed at Equifax, the Republican National Committee, Yahoo!, Uber, the CIA, and Whole Foods, among many others. By February 20 when the Roundtable on Digital Strategies convened to discuss information risk management, successful cyber attacks had taken place or been revealed in the first 50 days of 2018 at Aetna, AllScripts, Partners Healthcare, FedEx, and the Department of Homeland Security. Facebook’s data scandal hit the news two weeks later, and as this overview was in final edits, Delta, Sears, Best Buy, and Kmart announced customer data breaches, all enabled through use of the same third-party website chat technology.
With a backdrop of heightened awareness, the Roundtable gathered at the headquarters of Sysco Corporation in Houston to spend a full day discussing cybersecurity. Topics included changes in the threat landscape, their interactions with developing digital business models, different approaches to enterprise protection, and the evolving role of information security organizations and their relationships to the broader enterprise. Participants included CIOs and information security executives from ARC, the Bank of Queensland, Chevron, Eastman Chemical, Eaton, Elsevier, Sysco, Tenaris, and Tetra Pak, and the Dean of the Owen Graduate School of Management at Vanderbilt University, as well as Executive Fellows and the Directors of the Center for Digital Strategies of the Tuck School of Business at Dartmouth College.
The Roundtable on Digital Strategies meets four times a year to discuss a specific business issue or theme. In focused discussions that cut across organizations and industries, participants from noncompeting member corporations examine meaningful business issues and topical challenges they have in common. Executives come away from the day-long experience with new ideas and approaches to specific challenges—the kind of creative assessment that arises only from diverse perspectives.
Key Insights Discussed in this Article:
- Hacking has been commoditized and put in the cloud. Cyberthreats are increasingly frequent, serious, and existential: leaked NSA technology, cloud economics, and the participation of a wide range of bad actors increase threats, while the digital ecosystem of IoT, cloud apps, and mobile computing increases vulnerabilities, leaving InfoSec caught in the middle.
- Basic cyber “hygiene” is still essential, but today’s environment also requires high-end SOCs. Dependable cybersecurity requires a three-part strategy of: (i) expert technical implementation of the basics; (ii) consistent education aimed at increasing awareness of employees, vendors and executives; and (iii) InfoSec analysts and response teams who are as motivated, skilled and innovative as the bad guys.
- Overly strict security creates a different risk: Throttling information exchange and creativity can threaten a company’s competitive viability. New infosec roles such as Business Information Security Officers can work with business teams to balance security with innovation and growth. Together they can educate management and Boards — who are often uncomfortably far behind on cyber issues.
- The good guys have (finally) started to join forces, too. As recently as four years ago, most cybersecurity collaboration was on the threat side. As flying solo gets more dangerous, sharing infosec experiences and best practices with supply chains, neighbors (through ISOPs), government agencies, industry competitors (through ISACs), and forums such as this Roundtable is proving critical to minimizing the risk of cyberthreats.