Archived CEO Blogs

“If you don’t understand the risks, you don’t understand the costs,” security guru Bruce Schneier advised during a TED talk.

He was discussing security in the abstract — but it got me thinking about IT security in particular and the difficulty many executives face trying to determine if their organizations are safe from cyberattack.

The problem is that these conversations nearly always turn technical. Soon, a flurry of technology acronyms — confounding but apparently reassuring — begin flying around the room.

And, reports Schneier, it works. People, he says, will “respond to the feeling of security and not the reality.”

So what can a CEO do to understand the reality of security risk and grasp what the actual cost of security failure might do to the organization? 

According to one expert, U.S. enterprises lose $1.2 trillion each year from IT failures . Although this figure gets debated, everyone agrees it’s a whole lot of money.

These losses — and the downtime that triggers them — tend to be caused by the mundane rather than the spectacular, as recent Forrester/Disaster Recovery Journal research shows:

Sadly, one can make the argument that if software vendors did a better job of integrating security testing throughout the development lifecycle, our current struggles with application security might be less challenging.

In fact, however, software vendors are late to the party. Their security testing tends to be tacked on to the end of development lifecycles as an afterthought, which may account for one recent study ’s startling conclusions that:

98% of applications carry at least one application security risk (and each risk may signal the presence of multiple vulnerabilities)
80% of applications showed more than five risks
The average application registered 22.4 risks

Did you know that your applications are the most vulnerable part of your IT operations?

These days, problems with apps — many of them web-based apps — account for the majority of information security breaches. Over the last year or so, and going forward, application-level attacks have emerged as the preferred vector for gaining access to sensitive (and valuable) data. What’s more, the threats are becoming increasingly acute as complex web apps, as well as mobile apps, play ever greater roles in our business and personal activities.

App vulnerabilities for sale — cheap at the price?

As I detailed in my last post, file sharing/syncing is quickly transforming how, where and when we work by making our apps and data available and usable on any Internet-connected device. Even if your organization doesn’t have an enterprise-grade file sharing/syncing capability in place, odds are your employees have attempted to make their lives easier by implementing their own consumer-grade alternatives.

As we venture into 2014 expect to hear a lot more about file sharing/syncing. Not surprising given that 25% of information workers now use file sync and share services in their jobs, according to Forrester Research — up from just 5% in 2010.
Anywhere, Anytime, Anyone
And I believe those numbers will continue to climb. Despite sounding mundane, file sharing/syncing (thanks to the cloud and BYOD) has begun to significantly reshape how we work with each other. By making files, documents and application data available and usable on any device, file sharing/syncing empowers employees to work anywhere, anytime, with anyone — using whatever device is at hand.

Lest you decide to discourage such behavior, consider that BYOD provides more than eight hours of additional productivity per week as a BYODer normally works beyond the time-and-place parameters of the traditional office.