Information Security - An Issue for the Boardroom

Date: Monday, May 31, 2004

In the last six months alone, major companies including Microsoft, Wells Fargo, BJ’s Wholesale Stores and, most recently, Cisco Systems, have had to deal with the growing costs of information security exposures. From intellectual property leaks to the incredible cases of identity theft, the costs and risks of these crimes are growing exponentially. The U.S. Federal Trade Commission estimates that identity theft costs U.S. consumers $5 billion and U.S. companies a whopping $48 billion. The U.S. Chamber of Commerce estimated that the Fortune 1000 lost $49 billion in intellectual property disclosures in 2003. In order to protect themselves and survive, companies must rapidly adopt emerging information security technologies, in what we in the security industry see evolving into a paradigm shift. These technologies are information focused rather than network focused and can see, for the first time, what information is leaving the company’s perimeter, rather than looking for attackers coming in.

Surprisingly, this adoption will not be pushed by technologists, although technologists will make the critical decisions about what products hitting the marketplace earn best-of-breed status. The adoption will be pushed by the Board of Directors, CEOs, and CFOs of publicly-traded companies who will make information security issues an inherent component of a company’s corporate governance policy.

The laundry list of regulations, including but not limited to the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and California’s Database Protection Act of 2003, will force CEOs and Boards to adopt new information security technologies sooner than planned to protect against the critical information exposures that directly affect not only a company’s bottom line but also its customers and shareholders.

The list of regulations is creating what many of us in the security industry have been calling “the perfect storm” for CEOs and the Boards of more than 12,000 publicly-traded U.S. companies. Costs continue to rise over time, primarily due to litigation costs and the financial impacts of lost intellectual property, and every day the risk of a breach continues to skyrocket as the connected nature of electronic business grows. Today, entire industries are networked in complex supply chains, corporate networks, and offshore development. Ironically, the infrastructure that has enabled companies to communicate electronically for the past 20 years also represents one of the most significant threats to their success. Now more than ever, corporate leaders need to personally address critical security issues within their companies, because when security is compromised, the end result is a negative impact on a company’s brand, competitive advantage, public trust, company reputation, and shareholder equity. Companies simply can’t allow these things to impact their bottom lines.

Therefore, CEOs and Boards must begin to understand the capabilities of emerging information security technologies that can actually focus on the information flowing within the corporation. I call this information the “intangible assets”: assets so valuable to a company, yet we often do not see or even know if they have been sent out the back door. The protection of these assets has gone unnoticed for too long. From intellectual property, trade secrets, financial reporting information and competitive pricing to IPO or M&A information, these are the intangible assets that, once leaked, prematurely diminish the market cap and eat away at shareholder equity.

But what is most astounding is the notable data point that an estimated 80 percent of today’s security threats involving these intangible assets are coming not from the outside in, but from the inside out. I don’t mean to suggest that these problems are created by malicious employees. In fact, it is quite the opposite. Another often-quoted statistic estimates that only 17 percent of the insider threat problem stems from malicious employees intending to do bad things. The good employee doing bad things is a scenario that plays out daily. It can be—and often is—as simple as an email sent outside the network to a friend or colleague with confidential information accidentally included or attached. When 80 percent of the security issues facing your company stem from the good employee with limited time, limited resources and the power of the World Wide Web at their fingertips, what is a CEO to do?

Emerging information security technology specifically addresses this issue while also getting to the heart of the corporate governance issues. This technology has the capability to sit behind the firewall and protect companies from the insider security threat by providing a new view of the information leaving the corporate network in real time. This enables a company to immediately identify when confidential or privacy information has been exposed, has left the network or has landed in the wrong hands. Companies can see where information has been sent outside the network and pinpoint the employee who accidentally sent the information or, in those rare cases, pinpoint the “enemy within” who maliciously tried to steal classified company information. In the future, these types of security controls will sit behind the firewall and send real-time notifications and alerts about exposures to the information asset manager, who can then take action when exposures occur and stop the damage before it’s too late, rather than picking up the pieces after a company has been attacked.

We envision a future where new information security technology sitting behind the firewall can empower, instill trust, and protect companies from a wide variety of these emerging insider threats. All industries, from technology to energy, financial services, government agencies and telecommunications, will benefit. As information security becomes a core management and governance function, the corporate perception of it will also evolve. And, as companies embrace the new age of information security, they will be able to leverage the power of the Internet and continue to enjoy the productivity benefits of electronic technology on a global scale.