There was a great quote in a recent Ponemon study sponsored by Cenzic and Barracuda: “Most organizations have been hacked, yet 88 percent still spend more on coffee than on app security.” Combined with the recent revelation that oil companies and components of our national infrastructure have been compromised (see McAfee’s Global Energy Cyberattacks: “Night Dragon” for more information), this should be cause for significant alarm. Aside from funny quips like the one above, there are massive tangible costs associated with the recent breaches. One of the most shocking losses is the cost associated with US fighter jet technology. It’s estimated that China “saved” over $20 billion in the development of its latest stealth fighter. Although not publicly discussed, it’s commonly acknowledged that China’s advances were due in large part to lapses in US information security. What’s scary are the breaches that we are hearing about are occurring at organizations that spend significantly more than average on information security. While each has its issues, the military spends massive amounts on information security and large oil companies tend to allocate security significant budget dollars.  In addition, the breaches at the oil companies were fairly simple: break in through externally available web applications and step through to confidential information and critical processes. Most of the attacks in the McAfee report were based on existing and commonly used tools. If highly profitable companies that spend significant amounts of money on information security are being breached, it shows how massive the problem is that we are facing and how difficult it will be for smaller less profitable organizations to confront. In the past, when I spoke to what might be considered an ordinary mid-sized business (one that didn’t think it had significant security needs) like manufacturing or healthcare, the response was often “who would want to break into our environment.” Unbelievably, these comments can still be heard within the IT groups of Fortune 500 companies; however, with breaches at organizations like Minneapolis’ Valspar (a Fortune 500 paint manufacturer which had its paint formulas stolen) corporate boards are beginning to understand the risk related to information security within IT and this is one of the keys to addressing the problem. Corporate boards need to wake up to the massive problem, fund information security, and demand more information about their organization’s posture on a regular basis.  Since boards are usually not made up of IT or security experts, it’s the responsibility of Information Risk, Security, Audit, and IT to provide them with tangible information about security and risk posture.  While boards could ask for the coffee vs. security budget ratio, there are better ways to look at this and budget for this. However, making the point to a non-IT oriented board takes tangible events and understandable facts. As the recent reports and news articles show, the events are happening. It’s up to boards, executive management, IT and information security to understand the facts and plan / fund appropriately.

Deke George