The fact that C-level management is increasingly viewing the entire enterprise through the same wide-angle lens probably doesn’t come as big news to most of us. As operations, management and data converge under a unified management umbrella thanks to the power of IT, line-of-business managers more often find themselves on the same page with CIOs when discussing the dangers that keep them up at night.
That’s why the recent podcast of an interview by Matthew Hartley, technical editor of the National Post, is so interesting. The interview features IBM Canada’s risk advocate Willie Wong, in a discussion about the modern cyber threats that enterprises face and the evolving role of the IT security manager.
Wong has some 25 years’ experience in the trade, so he’s well positioned to chart the changes that enterprise IT has gone through over the decades – and to evaluate whether security ‘culture’ has kept pace.
“Twenty years ago, when you looked at the IT landscape, systems were self-contained,” Wong tells Hartley. “In today’s environment you’re seeing IT move very, very quickly… You’ve opened your doors to a lot more security threats.” Those threats must be managed while maintaining users’ access to enterprise data, whether those users are in the office, on the road or working from home.
One problem IT managers have in keeping up is that a lot of enterprise infrastructure is badly outdated and not readily adaptable to today’s security and availability requirements. The sheer pressure of trying to keep pace means that many IT managers are forced into the ‘status quo’ category, Wong says. They’re having a good day if they can just meet the demands of the business. They don’t have time – or, in many cases, the inclination – to evolve into thought leaders, the kind of IT managers who proactively assess the business drivers and get out in front of them.
Wong takes the hypothetical example of a large enterprise where the marketing function tells IT that the company’s footprint has gone from 40 per cent online to 90 per cent online over the course of several years. At that point, Wong says, the IT manager is hitting capacity in terms of what they can do to support the business. “You need to look at things you didn’t before, like moving to a cloud environment. It’s an easier way to expand infrastructure – it’s faster, flexible and scalable.”
But the cloud also has security implications that IT managers need to consider, and they’ve become part of the conversation in the boardroom. Wong takes the massive Target data breach last December as a test case of the importance of security policy. The hack compromised some 40 million credit and debit card accounts, cost the CEO and CIO their jobs, and cost the company an incalculable loss of reputation and credibility.
And while the hack was detected as soon as it started, nothing was done about it for two weeks. The company’s security systems performed as they were supposed to, but warnings were ignored and automated defences that could have eliminated the malware immediately had been switched off. “The failing was around process,” Wong says. “That’s why I’m saying it has to be a boardroom discussion.”
Wong says there are four main security challenges facing CIOs and CEOs over the next few years. First is simply that the number of attacks has increased significantly. Second, and more important, is that the sophistication and intelligence behind them have also developed.
“Fifteen years ago [attackers] might have said ‘I’m going to hack into you and change your web site,’” Wong says. “Today so many criminal organizations are trying to break in and steal data.” Wong lists threats from state-sponsored attacks, routine fraud and user error, ‘hacktivists’ and even the effects of natural disasters.
Third is the lack of security skills among IT staff, a serious problem that Wong also views as a positive in that it means better job opportunities for people now embarking on IT careers.
The fourth challenge is that “security breaches affect the corporate reputation and brand,” Wong says. “And that will hurt the bottom line.”