Should Information Security be an
essential element of Business Strategy?
CRISIL YOUNG THOUGHT LEADER COMPETITION
PRIYANKA ARORA
XAVIER INSTITUTE OF MANAGEMENT, BHUBANESHWAR
MBA (2015-2017)
TABLE OF CONTENTS
Executive Summary
1. Introduction
2. Information Security
2.1. What is Information Security
2.2. Information Security as a Critical Component of Business Strategy
3. Investing in Information Security
3.1. Pitfalls of inadequate focus on Information Security
3.2. Benefits of investing in Information Security Measures & Risk Mitigants
4. Key Developments in Information Security - Riding the Security Wave
5. Preparing for Tomorrow - Way Forward
5.1. Potential Catalysts and Roadblocks
5.2. Future of Information Security Architectures in Global Corporations
6. Conclusion
TABLE OF FIGURES
Figure 1: Business Security Investments
Figure 2: Strategic Security Initiatives
Figure 3: Loss of Business Opportunities
Executive Summary
As customers' and clients' need for greater data access rises in an intensely connected world, the threat landscape facing information architectures is growing with it. Many organizations have recognised these opportunities for security breaches and taken adequate precautions to fortify their information security architecture; many others, however, still underestimate the security investment their organizations require.
This paper attempts to assess the benefits and potential of information security architectures in an organization and to examine whether they are an essential element of business strategy today. Through extensive secondary research, it identifies instances where information security architecture has had transformational effects on an organization, and shows how the field is making its presence felt through its key developments and future potential.
This paper is divided into two broad parts, which examine the existing and the potential state of information security. The first part explains information security, its current role in business organizations and its benefits, and then covers the key developments in the field and the pitfalls of inadequate focus on the adoption of security frameworks. The second part describes the future of information security architectures, along with the potential catalysts and roadblocks to increasing emphasis in this domain.
This paper concludes that evolving information security architectures are the need of the hour for every business and must be implemented to secure a sustainable competitive advantage.
1. Introduction
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
Schneier's statement highlights that as technology has grown, the threat environment has escalated dramatically. Today, information systems operate continuously in the public and private domains to give us the digital life we are accustomed to. However, as the integration of information systems has grown, so has the risk that stems from the extreme reliance of worldwide economies on modern technology. To build a defence against cyber-attacks and manage the exposure of their sensitive data, information security has become a keystone of almost every business.
According to a study by Gerencser and Aguirre [1], in 2002 corporate security was already a “top management concern”, averaging 7.5 on a 10-point importance scale. Among the wide range of risks that concern CEOs in a challenging global growth environment, 61% of CEOs are most concerned about cyber threats, including a lack of data security [2].
According to Gartner [3], by 2018 more than half of organizations will use security services firms that specialize in data protection, security risk management and security infrastructure management to enhance their security postures. These figures testify to the growing importance of information security for corporations in the wake of increasing cyber-security threats.
2. Information Security
2.1. What is Information Security?
Information security is, at its core, the discipline of managing risk to information. According to ISO 17799, “Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”
The US Code [4] probably contains the best definition:
The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide -
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
This definition highlights the harm caused to businesses or people when the integrity, confidentiality or availability of information is disrupted. It rests on the idea that the role of information security is to minimize the possibility of such harm. As cyber security incidents continue to proliferate across the globe, information security measures are increasingly accepted among organizations, as it is becoming clear that managing such threats is more essential than eliminating them. In fact, information security is no longer just a special interest for those interested in technology; it is increasingly considered a matter of protecting society as a whole.
2.2. Information Security as a Critical Component of Business Strategy
Businesses are becoming aware of rising information security threats and are investing in core safeguards to better protect themselves against evolving threats. Figures 1 and 2 give snapshots of business involvement in security initiatives.
3. Investing in Information Security
3.1. Pitfalls of inadequate focus on Information Security
Many corporations simply endanger their businesses by not adopting a cyber-risk-averse architecture and not spending enough on information security. At the same time, the lack of a definite security spending strategy leaves organizations struggling to understand how much to spend on security and how to calculate the return on their security spend.
In 2007, Sony’s senior vice president, Jason Spaltro, pointed out that "it’s a valid business decision to accept the risk" of a security breach, adding "I will not invest $10 million to avoid a possible $1 million loss." [5] Spaltro's economic argument seems logical enough in terms of return on investment. However, if we view security risk as the product of the cost of a security breach and the probability of its occurrence, we find that both the cost and the probability have increased, raising risk on both fronts. Sony's short-sighted view in trading away privacy proved detrimental when it faced a major cyber security attack that forced it to shut down services for some time and tell more than 100 million registered users that their personal data might have been stolen. Looking at similar past breaches where corporations neglected security concerns, we find that companies usually underestimate the likelihood of a breach in their future.
[Figure 1: Business Security Investments. Source: PwC Report [9]]
[Figure 2: Strategic Security Initiatives. Source: PwC Report [9]]
Companies inevitably make trade-offs in risk management; the point is that, in doing so, they must weigh the implications of trading away privacy and security measures.
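The reasoning above, that security risk is the product of breach cost and breach probability and that Spaltro's decision looks different once both factors rise, can be made concrete with a small expected-loss calculation. The block below is an added illustration, not part of the essay: the $10 million control cost and the $1 million possible loss are the figures quoted in the text, while every probability and the larger breach cost in the second scenario are constructed values for illustration only.

```python
"""Expected-loss check for a security investment decision.

Added illustration, not from the essay: it models the essay's definition of
security risk as (breach cost x probability of occurrence) and re-runs the
"$10 million to avoid a possible $1 million loss" decision quoted in the text
as both factors rise. The $10M and $1M figures come from the essay; every
other number below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    breach_cost: float           # expected cost of one breach, in USD
    annual_probability: float    # chance of a breach per year with no control in place
    control_cost: float          # annual cost of the control under consideration
    residual_probability: float  # chance of a breach per year if the control is bought


def expected_loss(breach_cost: float, probability: float) -> float:
    """Risk as the essay defines it: cost of a breach times its probability."""
    return breach_cost * probability


def net_benefit(s: Scenario) -> float:
    """Risk reduction the control buys, minus what the control costs.

    Positive means the investment pays for itself in expectation; negative
    means accepting the risk is the cheaper choice on these numbers.
    """
    before = expected_loss(s.breach_cost, s.annual_probability)
    after = expected_loss(s.breach_cost, s.residual_probability)
    return (before - after) - s.control_cost


def decision(s: Scenario) -> str:
    return "invest" if net_benefit(s) > 0 else "accept risk"


def break_even_probability(s: Scenario) -> float:
    """Annual breach probability above which the control pays off.

    Solving breach_cost * (p - residual) - control_cost > 0 for p gives
    p > residual + control_cost / breach_cost. A result above 1.0 means the
    control can never pay off at that breach cost.
    """
    return s.residual_probability + s.control_cost / s.breach_cost


# Spaltro's framing as quoted in the essay: a possible $1M loss treated as the
# whole exposure, weighed against a $10M control. The probability and residual
# values are constructed to reproduce that reading.
SPALTRO_2007 = Scenario(
    name="accept a possible $1M loss rather than spend $10M",
    breach_cost=1_000_000,
    annual_probability=1.0,
    control_cost=10_000_000,
    residual_probability=0.0,
)

# Constructed scenario in which both factors of the risk product have grown:
# a larger breach cost and a higher chance of a breach in any given year.
RISING_RISK = Scenario(
    name="larger breach cost, higher likelihood (constructed)",
    breach_cost=100_000_000,
    annual_probability=0.30,
    control_cost=10_000_000,
    residual_probability=0.05,
)


if __name__ == "__main__":
    for s in (SPALTRO_2007, RISING_RISK):
        print(s.name)
        loss = expected_loss(s.breach_cost, s.annual_probability)
        print(f"  expected annual loss without control: ${loss:,.0f}")
        print(f"  net benefit of the control:           ${net_benefit(s):,.0f}")
        print(f"  control pays off once p(breach) >     {break_even_probability(s):.2f}")
        print(f"  decision: {decision(s)}")
```

On Spaltro's own numbers the control never pays off: the break-even probability is 10, which no real-world likelihood can reach, so "accept the risk" is the arithmetically correct answer. In the constructed second scenario the same $10 million control yields a positive net benefit as soon as the annual breach probability exceeds 15%, which is the essay's point that the decision flips when both factors of the risk product grow.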
Direct Monetary Losses - According to a Kaspersky study [6], damages from one successful targeted attack could cost a company as much as $2.54 million.
Damage to Reputation and Value of the Organization - Damage to the company's reputation, which may in turn lead to a stock price drop and loss of investors. Average reputational damages could total up to US$204,750 for an enterprise and up to US$8,653 for a small business [7].
Loss of Business Opportunities - This may arise from the nature and impact of the attack and may lead to loss of revenue and reduced profits. The average enterprise cyber-attack bill includes up to US$58,000 for lost business opportunities [7].
Loss of Talent - As in the case of the Sony hack, where many senior executives resigned because of the bad publicity.
Legal Liabilities - These may arise, for example, from claims by the data subject or a third party whose personal or confidential information has been disclosed or publicised. Directors may have personal liability for certain breaches.
3.2. Benefits of investing in Information Security Measures & Risk Mitigants
Malicious attacks and data breaches across multiple industries are a growing concern for businesses, especially in the age of cloud and analytics, which have been highly vulnerable to increasing security risks. A data breach can result in huge losses to an organization that go far beyond the financials and put the whole brand at stake. Despite this, according to a Ponemon study [8], only 38 percent of companies have a security strategy to protect their IT infrastructure. In fact, the same study reveals that companies with a strong security posture were able to reduce the cost of a breach by as much as $14 per record [8].
Estimated Average          SMB       Enterprises
Base                       1,397     464
Total Expected Damages     33K       636K
Total Reactive Spend       10K       84K
Overall Financial Impact   42K       720K
Figure 3: Loss of Business Opportunities. Source: Kaspersky Lab Report [6]
Benefits of Investing in Information Security
Compliance - Compliance with various legislation and contractual requirements shows the quickest “return on investment”.
Competitive Advantage - Gives the organization a marketing edge, especially if it handles clients’ sensitive information.
Lowering the Expenses - Investing in information security brings costs down as the number of incidents decreases.
Optimizing Operations - Helps strengthen the internal organization through a clear definition of tasks and responsibilities.
Figure 4: Benefits of Security Frameworks. Source: PwC Report [9]
4. Key Developments in Information Security - Riding the Security Wave
From viruses and adware to phishing and DDoS attacks, the information security industry has seen the sophistication and scale of attacks evolve over the past two decades. Below is an overview of how the threat and security landscape have developed over the years.
Reflection of the Past
In 1989, the Morris Worm and other early attacks, such as the $70-million computer theft at the National Bank of Chicago, sounded the alarm in the security industry and led to the establishment of Computer Emergency Response Teams (CERTs) to address network security.
The industry's initial reaction was a wave of security products that helped with early prevention and detection.
Threat Goes Global
In the 1990s, viruses went viral and infected millions of PCs, exposing the failure of the security industry on a global scale.
These threats led to the development of antivirus technology and firewalls, and to awareness among individuals and organizations of the dangers that come with the use of information technology.
Targeted Breaches
The new millennium saw targeted breach attacks, in the form of credit card information hacks, botnet attacks, denial-of-service attacks and the like.
The whole industry was exposed to the dire consequences of being unprotected, and hence more sophisticated security systems arose, involving greater use of encryption, cryptography, digital signatures and similar controls. Many laws and regulations, such as HIPAA and the PCI Data Security Standard, were also created during this time.
Modern Day
Today, we have reached a stage where cyber-threats are so sophisticated and developed that they sometimes seem impossible to tackle.
Besides technology developments such as intrusion detection and prevention systems, content filters and layered defences to address rising security threats, there is an increasing emphasis on building organizational resilience to such attacks and on other after-the-fact measures once a breach has occurred.
5. Preparing for Tomorrow - Way Forward
5.1. Potential Catalysts and Roadblocks
There is an increasing emphasis on implementing information security measures. Organizations can gain access to valuable opportunities by taking advantage of the potential catalysts, and can take a manageable risk-assessment approach to the potential roadblocks by knowing them well in advance.
Potential Catalysts
Government Legislations and Regulations - Additional regulations, and the regulatory costs levied by governments on organizations that do not comply with security laws, have prompted many companies to make information security a priority.
Focus Beyond Data Leakage - There is a rise in focus on areas beyond data loss; here we see optimization of capabilities such as combining firewalls, URL filtering and encryption of data objects. Many organizations are hiring third-party vendors for security consulting, advisory and assessment services. In fact, according to a Forrester report [10], the annual revenue of the leading pack in the information security consulting services market is at least $60 million.
Increased Awareness - With increased awareness of the serious risks involved in cybersecurity, organizations are detecting more incidents and hence saving on huge anticipated information security losses. Large and medium-sized organizations detected 44% and 64% more incidents respectively [11].
Potential Roadblocks
Organization Culture - Usually, all organizational cultures resist change, no matter how inefficient the existing process is. Staff turnover is an additional reason why security training among employees becomes a struggle. Also, accidental information leaks within organizations can occur even in the safest environments. Hence, security teams must emphasize giving the right security training, thus driving behaviour change in the culture so that information security receives the right focus.
Aware though not Beware - Citing the need for security after rising threats of data loss, many companies have taken serious steps; however, the majority are yet to follow. Companies are now fully aware of the implications of a security threat but place relatively low priority on security.
Mobile Workforce and Wireless Computing - With the rising adoption of cloud, mobile, Internet of Things and webscale technologies, information security concerns also increase, because confidential information is constantly on the move and needs to be protected.
5.2. Future of Information Security Architectures in Global Corporations
Below we see the major positive security trends (the 4 E’s) that are going to be visible in the near future.
- Encryption and self-protecting data: Many corporations are turning to encryption to protect their privacy, especially since the recent attacks. Apple has enabled full encryption in its new iOS, and Google’s new Android version, Marshmallow, also mandates full encryption for most new devices. In fact, we can expect this trend to grow in 2016.
- Emerging Machine Learning Technologies: With artificial intelligence almost everywhere, from Google to Siri to self-driving cars, we can expect machine learning to learn malware patterns and offset security threats. According to a recent article in InfoWorld [12], machine learning can be used not just to detect fraud but also to flag network anomalies, track user behavior and detect zero-day malware.
- Empowering Visibility: Organizations increasingly need to monitor how, where and by whom their data is being used. This has led to the need for greater visibility into what is happening in organizations, and in fact organizations have been concentrating their efforts in this area. As per NTT’s GTI report [13], the security perimeter is shifting, with seven of the top ten vulnerabilities identified at the end-user level.
- Extending Control to the Application Level: Many companies are searching for risk management strategies to manage the Bring-Your-Own-Device phenomenon. New application technologies such as mobile application wrappers address this by extending security to the application level instead of the device.
6. Conclusion
The utility of emerging information technology trends is undeniable; however, they carry security vulnerabilities that cannot be overlooked. Thus, we can admit that there is good, bad and ugly to the information technology landscape, and businesses must evolve in their security arena to have a sustainable competitive advantage. The Good - Information is on the move and easy to access, enabling organizations to be productive and promoting creativity, making new business outcomes possible. The Bad - With data on the move, hackers are easily able to bypass the barriers protecting secure data, leaving almost all our information at risk. The Ugly - Many corporations, even after becoming aware of the rising security risks, do not take a holistic approach towards security and thus leave their
References
[1] M. Gerencser and D. Aguirre, “Security Concerns Prominent on CEO Agenda”, Strategy + Business Press, 2002. URL: http://www.strategy-business.com/press/enewsarticle/22197
[2] PwC, 18th Annual Global CEO Survey, 2015.
[3] Gartner Press Release. URL: http://www.gartner.com/newsroom/id/2828722
[4] US Code Title 44, Chapter 35, Subchapter III, § 3542. URL: https://www.law.cornell.edu/uscode/text/44/3542
[5] Allan Holmes, “The Complying Game”, Vol. 20, No. 13 (2007): 48.
[6] Kaspersky Lab, IT Security Risks Survey, 2014.
[7] Kaspersky Lab, “Businesses spend more than half a million U.S. Dollars to recover from a Cyber Attack”, 2015. URL: http://www.canadianunderwriter.ca/news/businesses-spend-more-than-half-a-million-u-s-dollars-to-recover-from-a-cyberattack-kaspersky-lab/1003839269/?&er=NA
[8] Ponemon Institute, “Company Data Breach now costs $3.5M on Average”, 2014. URL: http://www.insurancejournal.com/news/national/2014/05/07/328512.htm
[9] PwC, Turnaround and transformation in cybersecurity, 2016.
[10] Forrester, The Forrester Wave: Information Security Consulting Services, 2016.
[11] PwC, The Global State of Information Security Survey, 2015. URL: http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
[12] Eric Knorr, “Enterprise Tech Trends for 2016 and Beyond”. URL: http://www.infoworld.com/article/3007057/cloud-computing/9-enterprise-tech-trends-for-2016-and-beyond.html
[13] NTT Group, Global Threat Intelligence Report, 2015.