
5/26/2016
11:30 AM

What's At Risk When CISOs Say 'No'

Employee satisfaction and hundreds of billions in revenue when CISOs don't look for creative ways to secure innovative change.

Security leaders have long heard from pundits and their own executives that they've got to stop infosec organizations from being the departments of 'No' if they want to maintain relevance in today's innovation economy. However, many of the business arguments for rapid adoption of game-changing technology and methods have been made with too many platitudes and vague assertions and not enough statistical evidence. The fast and loose nature of some claims has given risk-averse CISOs enough ammunition to wantonly act as organizational speedbumps in the path of innovation.

But a pair of studies out this week offer up some real numbers and empirical backing to the reasons why CISOs with a stubborn streak need to rethink how they're helping their organizations manage risk. The numbers offered by these reports provide more proof than just gut feelings pointing to how innovation drives top-line revenue growth, bottom-line efficiency, retention of key employees and everything in between -- and they're worth a look by all security pros who default to 'no.'

First up was a study by Adobe that offers some long-awaited statistical evidence for claims that technology afforded by BYOD, pro-sumer SaaS services and the like can impact employee satisfaction and retention efforts. Called "Work In Progress," the survey polled over 1,000 U.S. workers to examine attitudes about working conditions and technology that impact career decisions. Most relevant to this discussion is the finding that 81% of those questioned say state-of-the-art technology is important at work, outranking food and beverage, office design and on-site amenities. In other words, forget the free candy wall -- these workers want their tablets loaded and ready to use the apps they need to get through the day as efficiently as possible.

According to 85% of those polled, technology makes them more productive; employees who say that their company is "ahead of the curve" love their work twice as much and feel about twice as creative, motivated and valued compared to those who rate their companies as being "behind the times." The problem is that only one in four U.S. workers think that their company is ahead of the curve. And while the study didn't look for the link, you can bet that for at least a plurality of those behind-the-times companies, security issues have something to do with the lag.

Meanwhile, at the same time as this study was released, another one from Cisco took a look at the money left on the table when organizations in the financial market fail to quickly adopt disruptive technology. The study calculated the digital Value at Stake (VaS) for retail banks from 2015 to 2017, potentially available to capture through investments in disruptive technology like analytics, mobility, video and virtualized delivery models.  

According to Cisco, that number is a whopping $405.3 billion. Unfortunately, last year only about 29% of that opportunity was captured.

“Too many banks are moving slowly or not at all. By waiting to digitize their businesses, or by delaying new technology initiatives, banks risk not only missing out on the potential dollar VaS but are actually at risk for being put out of business altogether,” says Jason Bettinger, director of financial services for Cisco’s business transformation group.

A big part of that slowdown can be laid at the feet of cybersecurity programs unable to move quickly. Cited in this week's report is a study of over 1,000 senior finance and line of business executives, 71% of whom said that cybersecurity risks and threats hinder digital innovation at their organizations. Six in ten said their organizations are reluctant to innovate in areas like digital products and services due to perceived risks, with delays occurring in digital initiatives around omnichannel capabilities, wealth management and asset transfers, mobile banking and mobile payment capabilities, self-service and virtualized delivery models.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
 

Comments
enhayden,
User Rank: Strategist
5/27/2016 | 1:03:54 PM
Useful Advice to CISOs
This article offers an excellent commentary on how CISOs can certainly be a barrier to innovation; however, in my past experiences as a CISO I often found that the CISO and security organization was not involved in the project early enough.  So, when the CISO discovered the project was "a-foot" or the CISO was finally invited to participate in the project deployment, it was often too late.  Hence, the CISO was simply doing their job identifying security flaws and vulnerabilities that should be fixed BEFORE deploying the technology.

Hence, the CISO is viewed as the "NO" person when really the project flow did not include security early enough in the project.

One other approach the CISO and security organization should offer is one of "...we won't stop the project but we want to offer ideas and ways to make the project more secure..."  Hence, this philosophy is less of a threat to the project manager and more of a positive contributor.

Again, thanks for the article and the examples from Adobe, etc.   

Ernie Hayden CISSP CEH GICSP(Gold) PSP