By Betsy Atkins
Good news: as a member of a corporate board of directors, I can report that we in the boardroom have finally gotten the message on the severity of the cybersecurity threats facing your company. In my recent work with boards, I’ve seen how the lessons of massive hacks at Target, Sony, JP Morgan Chase, and other major firms have gained boardroom notice. And over the last couple of decades, I’ve seen first-hand, as a member of over 20 public company boards, the rapid evolution of the digital landscape and the opportunities it has offered. We’ve all pivoted to take advantage of these new technologies, but in the process, many advisors have lost sight of the risks they have introduced over time.
Now for the bad news. Most boards are still stuck with the same security tools, standards, processes and knowledge that were used over a decade ago—before the world of cloud computing and “software-defined everything”—rather than looking ahead to the needs of what is fast becoming a completely digitized world. Consider Gartner’s forecast that 4.9 billion connected things will be in use in 2015, and will reach 25 billion by 2020. Retail, healthcare, manufacturing and many other industries will be transformed overnight. In this light, not planning ahead could be the ideal recipe for fiduciary disaster—a corporation’s most valuable assets stolen or destroyed, while the board happily assumes that all is well. Now, asking “how can we prevent data breaches?” may sound good—but research shows 43% of companies have already been hacked in just the last year. As a director, you’re not just losing the data security contest—you’re playing the wrong game. Here is how.
You’re overlooking your real data assets. At the Fortune 500 level, up to 75% of a company’s value is its intellectual property. Through the mega trend of digitization and cloud computing, these assets are now interconnected, compounding cyber-risk. For example, at every company, there are certain corporate data and pieces of intellectual property that constitute the company’s real “crown jewels.” As directors, you need to ask management to identify exactly what these key assets are, and who can access them. Are they located on a dedicated system, multiple systems, or distributed systems? How specifically do we protect these most valuable of assets?
You may be guarding an empty vault. Yes, your board may ask educated questions on how well data in company servers is protected, but you need to look beyond proprietary servers. Data storage in the cloud is placing many of your company’s assets far from traditional in-house, glass box protections and in the hands of hosting companies. By 2018, over three-quarters of workloads (that is, company applications and supporting data) will be processed by cloud data centers. Companies like VMware and Amazon are reinventing where your data lives. Yesterday’s hardware-centric approaches to security won’t work with the migration to highly virtualized and cloud data centers. Some of your data assets are floating around the globe, some may be on your dedicated servers, and others are in constant flux, moving automatically between servers, users and mobile devices. You can’t protect today’s dynamic data with static security measures.
You have old tools doing old jobs. If the modern architecture of your company’s data assets is software-based and flexible, why is IT using old, rigid hardware systems to guard it? Dynamic data centers demand security controls that are closer to the assets being protected. A secret most CISOs don’t want to discuss is that the systems they use today are upgrades on the same tools in use for years, and often are outmoded for the modern demands of cloud data centers. It’s likely that the firewall client you have in place is essentially the same one used 25 years ago, when all your data was protected on-premises. Worse, your security systems are likely a piecemeal approach implemented at various nodes of the architecture over the years. Trying to build in hardware-tied security at every node in this continuum is a fool’s game—and an unnecessarily expensive one. Your CISO and staff may be doing a good job—but with security tools and architectures that are over a decade out of date, their hands are tied.
You’re looking in the wrong places. I’ve seen endless reports from IT to the board and its audit committee on data protection. There are lots of pretty green lights on the info dashboard showing the company’s current security protocols and technologies are all in place and doing their jobs. But green lights don’t mean up-to-par protection. Boards are looking at the wrong data, with the wrong assumptions, and asking the wrong questions.
The problem? Your IT staff and CISO are likely running fast just to stay in place. They’re wrestling with legacy, hardware-based solutions and architecture. And you, as a board member, often lack the tech expertise to ask what wholly new, software-based protections could be introduced to do a better, more comprehensive job with more granular controls and a lower cost.
You need to ask the right questions. What does your IT staff plan to do over the next two, three, five years to meet the security demands of distributed data in a world of 25 billion connected devices? What security gaps does your current structure leave between those various legacy programs? If you were to change your overall data oversight architecture, to move beyond incremental change to something truly different and inclusive, what would it be?
As a board, you are in a unique position to force a rethink of the company’s digital assets in the coming world of distributed, virtualized data. If you lack the required visibility into security, you risk compromising your own and the rest of the board’s ability to meet fiduciary obligations. Evaluate disruptive, new security companies that were born in the world of the cloud, and can provide the best protections for these dynamic, software-based environments.
Rather than making your IT staff’s job harder by having them spend their time on outdated security measures, ask them these questions to give them both permission and motivation to make a fresh start while reducing the risk of costly intrusion. Because the next time you read about a disastrous data breach, you don’t want it to be at your company.
Betsy Atkins is president and CEO of Baja Corp., a venture capital investment firm and the former chairman and CEO of Clear Standards Inc. Atkins has served on some of the world’s most visible global public company boards, and she has worked behind the scenes at companies like Lucent Technologies, HealthSouth, Vonage, Paychex, Inc., and Secure Computing Corp.