Consider this a wake-up call, an open letter not only to the CIOs of companies, but to CFOs, CEOs, other executives and board members. Here's the bottom line: in the age of cybersecurity, ignorance is not bliss. In fact, it's incredibly risky. This isn't a James Bond movie. It's reality. In my 31 years of working in technology, I have witnessed many different types of leaders. Many have advanced degrees and have held powerful positions at Fortune 500 companies, and all of them reached a position of leadership because of their ability to look beyond what's directly in front of them. However, few took the time to really comprehend that they themselves may be contributing to a weak link that could rock the very foundation of their companies. These high-level leaders have no idea of their organizations' security posture and possess little knowledge of their IT security environment in general. If that description seems to hit home, well, good. What I'm hoping to do is persuade you that it is important not only to know these cybersecurity specifics, but to become more than well-versed in them.
How can I convince you, and then assure you that not being vigilant makes your company highly vulnerable to thousands of cyber-breach threats being introduced daily?
Over the years, we've become accustomed to "trusting" that IT was being taken care of by the deft IT teams we have in place. "My backups are being done (I think)... My organization's vision is being accomplished by supportive IT processes and systems (I expect)... My business assets are being secured to the best ability possible (I suppose)... My employees' or customers' privacy is being properly protected to preserve the trust we've built with them (I'm assured)..."
News of data breaches has become such a daily occurrence that Forbes publishes a Data Breach Bulletin each week. On September 9th, Home Depot confirmed that its card system in stores in the U.S. and Canada was compromised. And, given how long the breach lasted, when all was accounted for, Home Depot’s breach ended up being larger than the highly publicized Target breach. In December, Target announced a massive data breach that was the second-largest in history, resulting in the theft of 40 million debit and credit card numbers and the potential exposure of personal information of up to 70 million shoppers. These incidents not only upset the confidence of the large retailers' customers, but they have cost companies millions of dollars.
According to reports, Target's breach was due to poor security controls at the HVAC vendor that had access to Target's network. Target spent $61 million responding to the breach, according to its fourth-quarter report to investors. But retailers aren't the only ones at risk. Edward Snowden stole secrets from one of the world's most advanced intelligence organizations, the National Security Agency (NSA), and that, too, was access gained through a connection: Snowden's position with a private contractor. Unless you've been not just hiding under a rock but buried under a boulder, you know that a great deal of United States intelligence information is now out in the open because of Snowden's NSA breach.
The recent large-scale retail breaches and the NSA breach should be enough to shake up everyone. Even those of us who are heavily immersed in security, and who know about breaches even before they are publicly announced, continue to be mortified by them. Why? Because for all of us, they instill a bit of "that could happen to me" fear. Yes, there is a common denominator in all of these incidents. Each was initiated through a web of connections, all of which we have in our own systems: suppliers, vendors, subcontractors and others who have access to information.
Consider this: most systems we audited do not have basic security patches, anti-virus and anti-malware updates installed consistently, even though nearly every customer's IT staff says these operations are being performed. Based on an Intel (McAfee) report, 78% of breaches are rated low difficulty. Simple patching would have removed that risk. This is basic security, and there needs to be a system in place to ensure that it is done consistently and continually. But who ensures this? The information technology folks? Think again.
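One way to stop taking "patching is being done" on trust is to audit it against a policy. The following is an added example, not code from the article: it checks a host inventory (hostnames, dates and thresholds are all constructed for illustration) and reports every host whose last OS patch or anti-malware signature update is older than the allowed age, treating a host with no recorded update at all as a finding in its own right.

```python
"""Patch and anti-malware signature compliance check over a constructed host inventory."""
from datetime import date, timedelta

# Policy thresholds (assumed for this example; substitute your own standard).
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_SIGNATURE_AGE = timedelta(days=7)

# Audit date and inventory are constructed; a real run would export these from
# the patch-management and anti-malware consoles, not type them in by hand.
AUDIT_DATE = date(2014, 9, 19)
INVENTORY = [
    {"host": "erp-db-01", "last_patch": "2014-09-10", "av_sigs": "2014-09-18"},
    {"host": "pos-reg-07", "last_patch": "2014-06-02", "av_sigs": "2014-09-18"},
    {"host": "hvac-gw-02", "last_patch": "2014-09-15", "av_sigs": "2014-08-01"},
    {"host": "fileshare-03", "last_patch": None, "av_sigs": None},
]

def audit_host(rec, today=AUDIT_DATE):
    """Return the compliance findings for one host; an empty list means compliant."""
    findings = []
    for field, limit, label in (
        ("last_patch", MAX_PATCH_AGE, "OS patches"),
        ("av_sigs", MAX_AV_SIGNATURE_AGE, "anti-malware signatures"),
    ):
        value = rec.get(field)
        if value is None:
            # No record at all is worse than a stale one: the control cannot be verified.
            findings.append(f"{label}: no update ever recorded")
            continue
        age = today - date.fromisoformat(value)
        if age > limit:
            findings.append(f"{label}: {age.days} days old (limit {limit.days})")
    return findings

def audit_inventory(inventory=INVENTORY, today=AUDIT_DATE):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    report = {}
    for rec in inventory:
        findings = audit_host(rec, today)
        if findings:
            report[rec["host"]] = findings
    return report

if __name__ == "__main__":
    for host, issues in audit_inventory().items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Run on a schedule against a real console export, the non-empty report is the evidence an executive should be asking for, rather than a verbal assurance that patching is happening.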
What many companies are starting to take to heart is that cybersecurity needs to be kicked up a notch, from the ground-floor IT offices to the top-tier boardroom. Experts say that cybersecurity should go hand in hand with enterprise risk assessment, since it can adversely affect both the operations and the reputation of a company. Needless to say, the end result is often significant financial fallout. Yet cybersecurity is still not at the top of busy high-level executives' "to do" lists.
These are changing times. Threats are changing the interior landscapes of companies. Intellectual property values are morphing and adapting to a new way of thinking. There are changing trends in cybercrime, with malware being developed at warp speed. There are changing realms of connectivity in our world and in the overall "internet of things."
These are cyber puzzles that should be keeping you up at night, or at least waking you up once in a while. If not, you may be living in a land of security by obscurity.
Originally published on 09/19/2014
Topic: Firewalls & Network Security