By Dwight Koop, co-founder and COO, Cohesive Networks
70% of security professionals believe the CEO should hold the ultimate responsibility in the case of a data breach, according to a 2015 survey from Websense. The C-suite is beginning to feel the security heat as reports of data breaches and cyberattacks have filled the news in the last few months.
Massive breaches, such as those at Target, Home Depot, Sony and Anthem, are highlighting how information security is no longer an IT department issue, but a huge risk for the entire company. Plus, upcoming security compliance regulations – like NIST, PCI, and the EU banking standards – are beginning to write in more security requirements rather than suggestions.
After the credit card data breach in Winter 2013, Target dismissed CEO Gregg Steinhafel as well as their CIO. The Sony hack at the end of 2014 cost the studio nearly $15M in security and incident response alone. The additional loss of intellectual property, damaged reputation, and future business losses could total up to $172M.
According to a June 2013 PwC report, organizational leaders do not know or appreciate what their IT teams are up against in terms of industry threats, vulnerabilities and the costs required to deal with an attack. A report from KPMG argues that even the corporate board must understand that cybersecurity is a business risk issue, not just a problem for IT.
Frequently, C-suite leaders discover that their organizations have been using cloud-based CRM, email, and accounting tools without fully realizing their organizations’ data is therefore cloud-based. In 2014, IDC reported that 69% of enterprises worldwide have at least one application or a portion of their computing infrastructure in the cloud.
Focus on data security, not data center security
Cisco reports that by 2018, 76% of all data center traffic will come from the cloud. As vital enterprise data moves outside of the protected data center and the IT silo, leadership should focus on new ways to secure critical data in any location.
Modern enterprises have teams and employees on the move all the time, visiting customers and checking in from devices of all types. Yet why do organizations still treat critical data as if it always stays in the same place?
In traditional data center security, the focus has been on keeping data physically isolated via the perimeter or “demilitarized zone” (DMZ). But this model focuses too much on protecting the outside, with little to no security features inside the network.
Today’s more complex and distributed networks can create a more porous data center perimeter. Once hackers (or disgruntled employees) breach the perimeter, they can easily expose potential weaknesses inside the network. Nearly 85% of insider attacks or “privilege misuse” used the corporate local area network (LAN), according to a 2014 Verizon security report. Hackers are now using corporations’ networks against them.
Perimeter-based security needs to evolve to better secure our critical data as it goes on the road with our employees, to the cloud, and around the network. The weaknesses of the perimeter-based approach were on display when hackers accessed critical data inside the networks at Sony, Target and Home Depot.
A modern data-focused enterprise must add encryption and security within the network to strengthen existing hardware and virtualization security. With security focused on each enterprise application inside the network, organizations can secure critical data whether it is traveling across the network to branch offices, accessed via hotel wifi, or residing in the public cloud.
Dwight Koop is cofounder and COO for Cohesive Networks. His experience spans enterprise IT and entrepreneurial startups. Dwight was global head of data center operations and security for Swiss Banks capital markets and O’Connor and Associates. He was one of the founders and an EVP of the Chicago Board Options Exchange during its early and rapid growth years. As COO of Bedouin, Inc, he was instrumental in its acquisition by Borland, and as a VP at Borland he played a significant role in its acquisition of Starbase. He was also COO of Signet Assurance, where he is proud to say his engineering team consisted of Eric Hughes, the noted cryptographer, and Bram Cohen, the founder of BitTorrent. Mr. Koop is also the Managing Member of Leporidae Holdings LLC, a private asset management company. Leporidae recently sold its interest in Rabbit Technologies Limited to VMware.