August 4, 2015

Three Circles: Cybersecurity, Compliance and Privacy

CIO Strategy Exchange, New York, 2014

This CIOSE Report encompasses three subjects that now preoccupy large enterprises: cybersecurity, compliance and privacy. They overlap – like the three circles on this document’s cover. Cybersecurity is protection from disruption by hackers and the theft of cash, data and intellectual property (IP); generally, these intrusions originate outside an enterprise. Compliance is adherence to ever-changing rules and government regulations that hopefully stiffen processes inside the enterprise to protect cash, data and IP from loss or diversion. Privacy is often the object of compliance and the goal of cybersecurity. Lurching from one overlapping issue to another enriched (but also complicated) discussions with our always-patient membership.

The questions we raised spanned information assets, threats, countermeasures, best practices, organizational structure, budget commitments and more:

  • What do CIOSE enterprises consider their “crown jewels” deserving of special cyber-protection? Most often, these are intellectual property, personal identification information (PII) and data controlling physical infrastructure – albeit there are substantial differences between product and service companies.
  • How is valuable information protected? How have cyber-defenses evolved since the last CIOSE Report, Spooks and Spoofs? What are the most effective current tools and techniques?
  • What types of regulations pose the greatest compliance burden? How do CIOSE member companies respond?

Despite billions spent on cybersecurity, the relentless stream of threats, attacks and losses has forced many CIOSE members to reexamine their cyber-defense posture. The first decades of cyber-defenses attempted to protect the corporate homeland with interleaved layers of identity authentication, user authorization and firewalls. But by 2010 (during our Spooks and Spoofs interviews), it was obvious such defenses largely failed to safeguard the intellectual property of every CIOSE member company in every industry segment. The watchword became: “There are two kinds of companies: those that have been hacked and those that don’t know they’ve been hacked.”

Often the difference was an unexpected alert from a law enforcement agency. There was no long-term protection against an “advanced persistent threat” from a rogue government, crime ring or unscrupulous competitor, said all the experts. Obviously, perimeter defenses have weak links – usually naïve users who bite on a phishing lure or corrupt insiders with IT security clearance.

It’s now widely recognized that attempting to protect everything at the outer perimeter is a romantic fantasy. So enterprises take a different approach to cybersecurity. First, they determine what information or physical assets are especially significant to the enterprise’s fundamental health and thus require extra protection. Then they envelop those core assets in the sophisticated and costly regimens we’ll discuss momentarily.