What role does the CIO play within your organization’s online security strategy?
In some organizations IT is seen as a business impediment, the “office of No,” citing security risk as a reason to slow down or block new technology. That perception creates an incentive to bypass IT in the name of moving the digital strategy forward. Fortune captures the stereotype: the CIO’s role is seen as “[telling] the CMO that he can’t buy his own server and cool software for automated ad creation.”
Given this perception, the CIO either never hears of an “on-the-sly” implementation, or IT is brought in only at a point where it has no real voice in the decision. That is far too risky today: hardly a week goes by without a significant breach in the news, affecting organizations in ways they had not previously encountered.
With the average distributed denial of service (DDoS) attack cost running up a bill of $500,000 and the average consolidated total cost of a data breach at $3.8 million, CIOs are facing the challenge of implementing security measures that won’t interrupt the business. But how can they do this without direct input at the decision-making level?
Cyberattacks: A New Cost of Doing Business
A survey of 270 North American organizations by Imperva found that 45 percent of respondents had been hit by a DDoS attack, with 86 percent of those assaults lasting less than 24 hours.
Cyber Dumpster Diving—Beyond the DDoS problem, bots now generate the bulk of all website traffic. Bad bots are used to automate spam campaigns, scrape your site on behalf of competitors (the online equivalent of dumpster diving), or run vulnerability scans that compromise websites at scale. And then there are ransom attacks. The consensus among security practitioners today is that it is no longer a matter of if your organization will be hacked, but when and how.
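The scanner behaviour described above leaves a recognisable footprint in ordinary web server logs: bursts of requests to paths that only automated tools ask for, a high 404 ratio, no referer, and a tool user-agent. The following added example (not Imperva’s code, and not from the original post) runs a few such heuristics over constructed access-log lines in the common "combined" format; the IP addresses, paths, thresholds and probe-path list are illustrative assumptions, and any real deployment would tune them against its own traffic.

```python
"""Heuristic bad-bot / vulnerability-scanner detection over web access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Apache/Nginx "combined" format; not real traffic.
# 203.0.113.7 behaves like a browser session; 198.51.100.23 behaves like a scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0"
203.0.113.7 - - [15/Jun/2016:10:00:04 +0000] "GET /products HTTP/1.1" 200 8700 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0"
203.0.113.7 - - [15/Jun/2016:10:00:09 +0000] "GET /cart HTTP/1.1" 200 3100 "http://example.com/products" "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0"
203.0.113.7 - - [15/Jun/2016:10:00:15 +0000] "GET /old-page HTTP/1.1" 404 210 "http://example.com/cart" "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0"
198.51.100.23 - - [15/Jun/2016:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.9.1"
198.51.100.23 - - [15/Jun/2016:10:00:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.9.1"
198.51.100.23 - - [15/Jun/2016:10:00:00 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.9.1"
198.51.100.23 - - [15/Jun/2016:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "python-requests/2.9.1"
198.51.100.23 - - [15/Jun/2016:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.9.1"
198.51.100.23 - - [15/Jun/2016:10:00:01 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of paths that legitimate visitors rarely request but scanners probe routinely.
PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php", "/phpmyadmin/", "/.env", "/.git/config", "/admin/"}
# Assumed substrings that identify automation tools in the User-Agent header.
TOOL_UA_MARKERS = ("python-requests", "curl/", "nikto", "sqlmap", "masscan", "nmap")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def collect(log_text):
    """Aggregate per-client counters: requests, 404s, probe-path hits, tool UA, time span."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "probes": 0,
                                 "tool_ua": False, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the whole pass
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 404:
            s["errors"] += 1
        if rec["path"].split("?", 1)[0] in PROBE_PATHS:  # compare the path without its query string
            s["probes"] += 1
        if any(marker in rec["ua"].lower() for marker in TOOL_UA_MARKERS):
            s["tool_ua"] = True
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return stats


def flag_scanners(log_text, min_requests=5, max_404_ratio=0.5, min_probes=2, max_rate=2.0):
    """Return {ip: [reasons]} for clients whose behaviour matches one or more scanner heuristics.

    Thresholds are illustrative assumptions; min_requests keeps a single lost visitor
    with one 404 from being flagged on ratio alone.
    """
    verdicts = {}
    for ip, s in collect(log_text).items():
        reasons = []
        if s["probes"] >= min_probes:
            reasons.append(f"{s['probes']} hits on known scanner probe paths")
        if s["requests"] >= min_requests and s["errors"] / s["requests"] >= max_404_ratio:
            reasons.append(f"404 ratio {s['errors'] / s['requests']:.2f}")
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)  # log resolution is 1 s
        rate = s["requests"] / span
        if s["requests"] >= min_requests and rate > max_rate:
            reasons.append(f"{rate:.1f} req/s")
        if s["tool_ua"]:
            reasons.append("automation tool user-agent")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


if __name__ == "__main__":
    for ip, reasons in flag_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample the browser session is left alone (four requests, one 404, real referers) while the second client is flagged on every heuristic at once. In practice a user-agent string is trivially spoofed, so the path and rate signals matter more than the UA marker; the point of combining several weak signals is that a scanner has to hide all of them to go unnoticed.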
The staggering frequency of cyber intrusions has elevated security solutions to the level of a critical operations item. Consider the following two items, reported in Politico on June 15:
THE HIDDEN COSTS OF AN ATTACK — The true impact of a cyberattack is vastly underrated because of lesser-noticed, long-term damage done by things like increased insurance premiums or lost contract revenue, according to Deloitte. Emily Mossburg, principal in Deloitte’s Advisory Cyber Risk Services and leader of its Resilient practice, said that what surprised her about the study is how much of the damage is either hidden or unseen (the vast majority of it) and how far into the future that damage can stretch (five years or more). …based on real-life information, [take the hypothetical example of] one U.S. health insurer that suffered a data breach… [It] spent $21 million over three years to improve customer protection, but lost out on $830 million in contract value over five years.
COST OF DOING BUSINESS? — The average cost of a data breach is now $4 million, a nearly 30 percent increase over the past three years, according to a new analysis by IBM Security and the Ponemon Institute out today. That comes out to approximately $158 for every record that is lost or stolen. Broken down by industry, health care is the most expensive sector to be breached for the second year in a row, with a price tag of $355 per record, almost double the average. Education comes in second, at just over $246, and while the hospitality industry has been in the spotlight lately, the cost per record there only comes out to $139. These costs are material.
Loss of Trust—Not only are cybercrimes hurting profitability, they are also eroding consumer confidence, and with it the Internet economy itself. This past May, The Washington Post reported:
Nearly one in two Internet users say privacy and security concerns have now stopped them from doing basic things online — such as posting to social networks…or even buying things from websites, according to a new government survey… pulled [from] 41,000 U.S. households…
“Every day, billions of people around the world use the Internet to… conduct financial transactions…,” wrote Rafi Goldberg, a policy analyst at the Department of Commerce’s National Telecommunications and Information Administration… The new NTIA data suggests a significant number of Americans have embraced at least one strategy: Opting out of online activities. That trend could have major consequences for banks, online retailers, and the broader Internet economy.
And in its 2016 Online Trust Audit & Honor Roll, the Online Trust Alliance states:
…There is a growing trend that business and data collection practices are moving out of alignment with consumer expectations, creating a threat to the internet economy… The ultimate impact is to consumer trust. OTA calls on all stakeholders to move beyond a compliance mindset to become data stewards. By increasing respect of consumers, their data and the online experience, the economy and society will be postured to reap long-term benefits.
…the importance of this Audit and adoption of the prescribed best practices has been heightened by the increased sophistication of cybercrime, account takeovers, data breaches, ransomware and identity theft. As cyber threats increase and privacy concerns expand, this report is more timely than ever, underscoring the imperative that data security, consumer protection and responsible privacy practices need to be integrated into every service and business process.
Along with such business concerns as brand protection, data retention, and vendor confidentiality, there may well be legal ramifications to consider. From the Network Ops DDoS Playbook:
Given the prevalence of cyberattacks (including a number of high-profile DDoS attacks) in recent years on financial institutions and other businesses, regulators and investors are focusing an increasing amount of attention toward cybersecurity risk disclosures. The U.S. Securities and Exchange Commission (SEC) already requires corporations to disclose to investors the cyber security risks they face, just as they disclose other material operational risk.
But when it comes to ensuring continued operations, even a knowledgeable CIO who wants to introduce security solutions proactively too often has only an indirect path to do so. In many organizations the CIO reports to the CFO, and only the latter sits on the executive committee.
Yet the CIO needs sufficient exposure at the executive level, first to ensure operational continuity, and then to help drive growth through technology.
In other words, the board and executive committee must recognize the CIO as an essential partner in strategic business planning. Like Intel’s Kim Stevenson, however, in turn today’s CIO should be working “along multiple fronts to transform the business, not just keep it going” [Fortune].
CIOs also have to wrestle with legacy software and hardware… ‘keeping the lights on’—maintaining existing software applications, servers, and networks… ensures that relatively little attention or resources can be devoted to exploring new uses of technology in the business.
Finally, as Kim Stevenson put it so succinctly, “The CIO’s role is as different as every company. The one glue that holds it together is a core responsibility to drive the momentum of growth and enable innovation at all levels.”
If you’re that CIO, these solutions will equip you, and therefore the executive team and board, in fully addressing all of the concerns noted above:
- Continuity Assurance—There can be no compromise on enterprise-grade service availability. Because inline security controls can add latency, one option is a cloud-based service that load-balances traffic through a global content delivery network (CDN), backed by a 99.999% uptime and support service level agreement.
In addition to global server load balancing, data center failover, geo-optimized routing, and real-time monitoring of both performance and uptime, a cloud WAF in front of your origin can filter attacks in the OWASP Top 10 categories (injection, cross-site scripting, and the rest) before they reach your servers. A WAF reduces exposure; it does not remove the need to fix the underlying application flaws.
- Growth Enabler—Beyond security, what about your website visitors’ experience? Page load speed plays a critical role in site performance. Studies show that even a one-second load time delay causes a 7% drop in conversions, an 11% drop in page views, and a 16% drop in customer satisfaction. All too soon they’re taking their business—and your ROI—elsewhere.
By bringing your content closer to each visitor, using a CDN minimizes site load times while reducing some operational costs—primarily bandwidth consumption. Working behind the scenes, it significantly improves your site’s load time, thereby enhancing your user experience. And by reshaping how information is consumed online, it lets every site truly go global. At the same time a CDN can also help tackle other IT tasks, including security, load balancing, and DDoS attack protection.
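The “data center failover” and “geo-optimized routing” listed under Continuity Assurance above come down to two decisions a load balancer makes on every request: which origins are currently healthy, and which healthy origin is closest to the client. The following added example (not Imperva’s code, and not from the original post) models both with a hysteresis-based health check, so that one flapping probe does not trigger failover, and nearest-healthy selection. The origin names, regions, latency figures and the REGION_RTT distance table are illustrative assumptions.

```python
"""Global server load balancing with health-based failover (added, illustrative example)."""
from dataclasses import dataclass


@dataclass
class Origin:
    name: str
    region: str
    latency_ms: float = 0.0          # last measured health-probe latency
    healthy: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


# Assumed thresholds: mark down only after 3 failed probes in a row, back up after 2 good ones,
# so a single lost probe does not shift traffic and a recovering origin is not re-added too early.
FAIL_THRESHOLD = 3
RECOVER_THRESHOLD = 2

# Assumed static round-trip times (ms) from a client region to an origin region.
REGION_RTT = {
    ("us-east", "us-east"): 10, ("us-east", "eu-west"): 90, ("us-east", "ap-south"): 220,
    ("eu-west", "eu-west"): 10, ("eu-west", "us-east"): 90, ("eu-west", "ap-south"): 150,
    ("ap-south", "ap-south"): 10, ("ap-south", "us-east"): 220, ("ap-south", "eu-west"): 150,
}


def apply_probe(origin, ok, latency_ms=None):
    """Fold one health-check result into the origin's state. Returns True if its health flipped."""
    before = origin.healthy
    if ok:
        origin.consecutive_successes += 1
        origin.consecutive_failures = 0
        if latency_ms is not None:
            origin.latency_ms = latency_ms
        if not origin.healthy and origin.consecutive_successes >= RECOVER_THRESHOLD:
            origin.healthy = True
    else:
        origin.consecutive_failures += 1
        origin.consecutive_successes = 0
        if origin.healthy and origin.consecutive_failures >= FAIL_THRESHOLD:
            origin.healthy = False
    return origin.healthy != before


def choose_origin(origins, client_region):
    """Pick the healthy origin with the lowest (region RTT + probe latency); None if all are down."""
    healthy = [o for o in origins if o.healthy]
    if not healthy:
        return None  # caller serves a static error page or cached content rather than crashing
    return min(healthy, key=lambda o: REGION_RTT.get((client_region, o.region), 1000) + o.latency_ms)


def make_pool():
    """Constructed four-origin pool spanning three regions."""
    return [
        Origin("us-east-1", "us-east", latency_ms=5),
        Origin("us-east-2", "us-east", latency_ms=8),
        Origin("eu-west-1", "eu-west", latency_ms=6),
        Origin("ap-south-1", "ap-south", latency_ms=7),
    ]


def simulate_failover(client_region="us-east"):
    """Walk a client through a cascading outage and recovery; returns the origin chosen at each step."""
    pool = make_pool()
    chosen = []
    chosen.append(choose_origin(pool, client_region).name)          # normal: nearest origin
    apply_probe(pool[0], False)                                      # one failed probe: no change
    chosen.append(choose_origin(pool, client_region).name)
    apply_probe(pool[0], False)
    apply_probe(pool[0], False)                                      # third failure: us-east-1 down
    chosen.append(choose_origin(pool, client_region).name)
    for _ in range(FAIL_THRESHOLD):
        apply_probe(pool[1], False)                                  # whole region down: cross-region failover
    chosen.append(choose_origin(pool, client_region).name)
    for o in pool:
        for _ in range(FAIL_THRESHOLD):
            apply_probe(o, False)                                    # total outage
    pick = choose_origin(pool, client_region)
    chosen.append(None if pick is None else pick.name)
    apply_probe(pool[0], True, latency_ms=5)
    apply_probe(pool[0], True, latency_ms=5)                         # two good probes: recovered
    chosen.append(choose_origin(pool, client_region).name)
    return chosen


if __name__ == "__main__":
    for step, name in enumerate(simulate_failover(), 1):
        print(f"step {step}: route to {name}")
```

The thresholds are where the availability and correctness trade-off lives: a lower FAIL_THRESHOLD fails over faster but turns a brief packet loss into a traffic shift, and a higher RECOVER_THRESHOLD avoids sending users to an origin that is still struggling. A real GSLB would also weight origins by capacity and measure RTT from the client's resolver rather than from a static table.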
Secure technology has proven to be a significant driver of business growth. You do not need to choose between security and technology-driven growth; you can have both without compromising either. Start by protecting crucial assets and functions while accelerating hypergrowth.
If you’re looking for good reading material on CDNs, our white paper gives you a primer on where CDN is going and how you can make it work for your organization.