My experiences of meeting with CIOs, CISOs and Heads of Information Security & Compliance of large and mid-sized Enterprises internationally in the past six months reveal a distinct trend.
Although IT budgets are no longer what they once were, Security spend seems to have continued more or less unabated. However, one aspect that has not remained constant is the answer to the quintessential question, “What keeps you awake at night?” I’ve been probing this very issue, and it has been quite surprising to listen with an ear to the ground, especially to CIOs who have a large staff in their organization, across both Public and Private Sectors.
It is not what you would expect. The ominous external threat landscape ranks in the Top Five on their list, but it is not necessarily topmost on the CIO’s agenda. The real threat is from the Inside. It is about their own internal staff, who, in the CIOs’ own words, are in desperate need of continuing security awareness education.
Security has long since become a means to resolve a business problem. Increasingly, Business Intelligence and Analytics are creating avenues to solve Security problems. This can be illustrated with a simple example. Let’s say you are the CIO of an organization that has over 50,000 employees for whom you are responsible. And you are paranoid about all the possibilities that make your systems and network vulnerable, whether through unintentional or possibly malicious actions. What do you do?
One large Government agency has found that the solution is actually in Business Analytics. Every day, when an employee (no matter whether she is a contractor, an entry-level appointee or the CEO) turns on her laptop, desktop or workstation, a series of questions pops up on her screen that must be answered before she is allowed to log in. Moreover, these questions are targeted specifically to the role and responsibility of the individual, and therefore vary greatly depending upon function. The answers are tracked and analyzed by the Business Intelligence tool. If the employee is not able to answer more than 80% correctly, she is asked to enroll in a Security Awareness Training session.
This is Security 101 at its best. From a place where the problems seemed intractable, the organization has now put a process and system in place that makes continuous security education self-sustaining. And the best part is that the entire process is completely automated, resulting in increased security while lowering the total cost of ownership. This is an example of Business Analytics & Intelligence solving a continuous security awareness education problem that in turn solves a huge business issue.
Insider attacks constitute as much as 80% of all Internet- and computer-related exploits. A recent transatlantic survey in two major International cities revealed some staggering statistics! The sustained global recession and the need for a competitive edge were the primary triggers that caused employees and contractors to engage in such behavior.