Dark Reading is part of the Informa Tech Division of Informa PLC
Operations

5/21/2014
12:00 PM
Leo Cole
Commentary

Why Security & Profitability Go Hand-In-Hand

It's never been more critical to put security on the front line to protect your company's bottom line.

The threat landscape has evolved tremendously during the past several years, yet many businesses’ priority lists have stayed the same. Business leaders in executive offices are determined to get revenue-generating projects on the market first, and then, usually a year later, they worry about security.

According to Trustwave’s recently released "2014 Security Pressures Report," 79 percent of respondents said they felt pressured in 2013 to roll out IT projects despite concerns that the projects were not security-ready. The survey, which polled more than 800 full-time global IT professionals about the information security pressures they face, revealed that, too often, security is an afterthought in the product development process -- though that’s not necessarily intentional.

According to the report, 85 percent of IT pros say a bigger IT security team would reduce pressures and bolster job effectiveness. But for many businesses, security is not a core competency, and in-house IT teams say they do not have the staffing or expertise to build and manage a security strategy that effectively covers all potential attack vectors. As a result, the internal teams feel overwhelmed and uncomfortable working on projects within their wheelhouse while also protecting company data, according to the survey.

From my personal observations working with businesses of all sizes, the problem stems in part from the basic architecture of the enterprise IT team, which is typically segmented into groups (application, server, infrastructure, desktop) -- none of which is directly responsible for security. If there is a security group, it is usually off to the side and relegated to a secondary role, dealing with issues after the fact, when other groups have already rolled out their projects.

If that isn’t enough to convince you of the need for a greater investment in security, consider a recent Gartner survey of more than 2,300 CIOs reported earlier this year in The Wall Street Journal. The CIOs ranked security No. 8 on a list of strategic priorities, compared to 10 years ago, when security was the No. 1 concern. Research from Forrester, meanwhile, shows that 36 percent of breaches stem from inadvertent misuse of data by employees, a problem that can also clearly benefit from investments in user education.

Follow the money
There is also a balance-sheet side to security ROI: the real, tangible costs that can add up quickly in the wake of a data breach. If your business handles payment card information, for example, you may need to pay a fine for non-compliance with the Payment Card Industry Data Security Standard (PCI-DSS), a requirement that a business must meet if it stores, processes, or transmits payment card data. Fines range from a few thousand to hundreds of thousands of dollars, depending on how many payment cards were determined to be at risk of compromise. A compromised business must also pay for card replacements and fraud reimbursement, meaning that if criminals made transactions using the stolen payment cards, the onus is on the victim organization to pay that money back to the card brands. Businesses must also pay for a post-breach forensics investigation and, in many cases, legal counsel as well.

Coupled with the tangible costs, there are intangible costs that could potentially cripple a business. Depending on the nature of the breach, you may have to temporarily halt operations to clean up the damage, which could mean more lost revenue. Some companies may need to scale back operations, which would mean slower operations and another potential decrease in cash flow. Customers may also lose faith in the victim organization, including long-time loyal customers who have regularly pumped dollars into company coffers for years. If the business is public, a loss of market share could cause revenues to drop.

There is no silver bullet when it comes to securing valuable corporate information. But as businesses connect just about everything to the Internet, it’s never been more critical to put security on the front line to protect the bottom line -- and roll out IT projects only when they are market-ready and secure.

Leo Cole is responsible for the strategy and execution of Trustwave's information security solutions business. He has more than 30 years of experience in technology marketing and information security, having held leadership positions at IBM, Websense, and Guidance ...
Comments
PaloJoel
User Rank: Apprentice
6/9/2014 | 7:02:16 PM
Security is a competitive advantage, plain and simple
If you're more secure than your competitors, if you do it more efficiently from a manpower perspective, and you get a better investment yield on security technologies than your competitors, it's a competitive advantage to the business.

Better security controls, better efficiencies, and better investment yield equal an advantage versus other companies who lose more data, see more breaches, have larger teams, and burn through ever-increasing wads of cash.

The CEO of Target was fired not because their virtualization strategy was incomplete, or they lost a server, or the TCO and cost savings in reduced travel and better decision making through video conferencing did not compute. It was not really even due to his job performance. It was because they were less secure than Walmart, were not as efficient as Macy's, and did not get a good return on their investment(s) like Kohl's. Presuming Walmart is safe, Macy's is efficient, and Kohl's sees a good return.

Target was and may still be at a competitive disadvantage due to less relevant security controls, operational inefficiencies, and poor investment yield in reducing risk from their legacy controls.

Bottom line: if I am robbed less, protect myself better, do it more easily, and spend less doing it than the other guy, I am going to grow faster and be more profitable.

The real question business leaders should be asking security practitioners is "make my security a competitive advantage" versus "how do I get you to stop draining my pockets."

 
Bprince
User Rank: Ninja
5/28/2014 | 9:23:47 PM
Ultimately though...
I agree with Randy. Once you get beyond regulatory compliance requirements, it is easy for security to be viewed a lot like medical insurance - you have to have it, but you don't necessarily need the best insurance plan being offered. At least not until you are sick. I think that's just a conundrum that security pros are going to have to deal with whenever it's budget time.

BP
Marilyn Cohodas
User Rank: Strategist
5/22/2014 | 4:12:22 PM
Re: Why Security & Profitability Go Hand-In-Hand
It is hard to justify, but in the wake of recent events, you would think that the case is a little easier to make. The structural issue is one that seems really out of whack with today's reality -- with the IT teams broken into application, server, infrastructure, desktop -- none of which is directly responsible for security.

Do you find that consistent in organizations you've worked in, or those of your colleagues?
Randy Naramore
User Rank: Ninja
5/22/2014 | 9:19:20 AM
Why Security & Profitability Go Hand-In-Hand
Hard to justify security in an organization from a profitability perspective. It is definitely a necessary evil but unless you have been affected directly by breaches or such it does not mean much.