Smart Enterprise Magazine

Volume 6, Number 3, 2012


Smart Viewpoint

How Tighter Security Can Yield Business Innovation

"Close to 80 percent of software developers ... either have no process — or are using an ad hoc process for building security controls into their applications."

When it comes to addressing security, many enterprises are still too slow. Get up to speed with these four tips. | By Larry Ponemon

A proactive security approach by CIOs can actually enable IT to become more innovative — if it's done right. How can you turn mandates into benefits?

For starters, as IT becomes less focused on playing catch-up after hacks and breaches occur, it is freed to build out more-efficient networks and systems — and to create innovative new products and services for the business. As a result, the business itself can become more competitive and profitable as IT takes advantage of innovative and low-cost technologies such as the cloud and social media platforms. Moreover, IT finally can become the go-to resource for the hardened mobile devices that staffers are clamoring for so they can do their work anytime and from anywhere.

Too often, I believe that what's really holding back this scenario is lack of top management buy-in. Many enterprises are not yet fully addressing security with sufficient urgency. Indeed, rather than being proactive toward security, they're still in reactive mode. This means that with every move to the cloud or with every social media and bring-your-own-device (BYOD) deployment, the business becomes even more vulnerable to potential new security risks. In fact, at the Ponemon Institute, we're finding that security doesn't make the top five concerns among chief executive officers (CxOs) and, worse, not even the top 10.

Our March "2012 Application Security Gap Study: A Survey of IT Security & Developers" shows disconcerting security trends as well. For example, close to 80 percent of software developers tell us they either have no process — or are using an ad hoc process — for building security controls into their applications.

Sure, innovation is great for IT and the business, on paper. With the advent of technologies such as cloud computing and virtualization, new products and services can potentially go to market faster than ever, boosting a company's bottom line and even helping spur the economy. But it also means that the cycle of development, testing and launch of new products and services is faster as well — which typically means that security is bypassed. And that's hitting the business where it hurts.

We're confirming that over and over again with the "Ponemon Post-Mortem" analyses we do for enterprises hit by major breaches or hacks. For one software company that builds apps for mobile devices, we discovered it was outsourcing quite a bit of its code-building activity. This practice would be fine if the company had a process in place to thoroughly test the code before launching its products into the marketplace. But it didn't. As a result, we found many instances of malicious code (such as denial-of-service malware) buried deep inside several of its app products.

The good news is that the company is using this information about breaches to develop innovative ways to build security right into its testing environment, well before malware can infect one of its apps. This is translating into more secure products — which ultimately will build trust and customer loyalty for the firm going forward.

Small Steps Forward

Despite this type of reactive response to security, we are also seeing some small, positive shifts by businesses. For example, we recently found more organizations deploying encryption to secure their data. Additionally, more firms are starting to purchase cyberinsurance policies, suggesting that CxOs are finally taking security somewhat seriously.

Here are four key recommendations:

• Be proactive and innovative — not reactive. Don't wait until hacks and breaches hit. Begin allocating at least some resources (beyond what you've budgeted so far) solely around security. CxOs need to be aware that IT security is more than just an IT "cost." Executives need to understand that bad security can cost the business money, reputation and resources. Ponemon found that in 2011 alone, the average U.S. data breach cost companies $194 per compromised record. You do the math.

LARRY PONEMON is Chairman and Founder of Ponemon Institute, which provides research and strategic consulting to the private and public sectors.
