Why isn’t more being done to protect critical information assets? Senior executives understand that the global economy is still not sufficiently protected against cyberattacks, despite years of effort and annual spending of tens of billions of dollars. They understand that risk alone undermines trust and confidence in the digital economy, reducing its potential value by as much as $3 trillion by 2020. They understand most institutions have technology- and compliance-centric cybersecurity models that don’t scale, limit innovation, and provide insufficient protection. And they understand that institutions need to develop much more insight into the risks they face, implement differential protection for their most important assets, build security into broader IT environments, leverage analytics to assess emerging threats, improve incident response, and enlist frontline users as stewards of important information.
The importance of cybersecurity is no secret to anyone who’s opened a newspaper or attended a board meeting. So, senior executives may ask, what’s the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks.
Structural hurdles to addressing cybersecurity
There are a number of factors that make getting the right cybersecurity capabilities in place difficult for large institutions. First, competitive imperatives mean executives must accept a certain level of cyberattack risk. As a chief information-security officer (CISO) at an investment bank said, “If I did as thorough a security assessment as I would like before we nailed up a direct connection to a hedge fund, our prime-brokerage business would cease to exist.” What this means is that in order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.
Second, the implications of cybersecurity are pervasive—and that alone impedes the adoption of risk-mitigation strategies. Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs. Just two examples: product-development decisions often increase the volume of sensitive customer data that is collected, while procurement decisions can create the risk that vendors will treat sensitive intellectual property with less care than required.
All Information Management articles are archived after 7 days. REGISTER NOW for unlimited access to all recently archived articles, as well as thousands of searchable stories. Registered Members also gain access to:
- Full access to information-management.com including all searchable archived content
- Exclusive E-Newsletters delivering the latest headlines to your inbox
- Access to White Papers, Web Seminars, and Blog Discussions
- Discounts to upcoming conferences & events
- Uninterrupted access to all sponsored content, and MORE!