The increasingly frequent and disturbing series of high-profile security breaches, including the announcement in early February by Anthem Blue Cross that millions of policy holders had their confidential data hacked, and even more recent breaches, has led to a realization that security is now a C-level and board concern in virtually every company. From now on, any CEO who has permitted their organization to operate lax security controls, as appears to have been the case at Anthem, probably faces serious censure if not the loss of their job, and the board will almost certainly face increasingly costly customer, shareholder and maybe even employee lawsuits. This development promotes the importance of proactive security measures over reactive band-aids.
Sony’s attention-grabbing and highly embarrassing breach in December last year provided a vivid precursor to Anthem’s massive data loss. Taken together, the two events have made security an urgent concern for mainstream corporations and government agencies of all types and sizes. As security expert Ed Felten commented in his Dec. 23 blog post, “The biggest open question is how this will affect national policy. Thus far national policy has taken an eye-in-the-sky approach that protects a perimeter encompassing government and some big companies, and focuses on surveillance, monitoring, and response rather than broad deployment of protective technologies. Whether the Sony breach is a failure of government policy is debatable—it’s not clear if Sony Pictures is inside the perimeter, and anyway current policy doesn’t emphasize deploying the types of measures that might have protected Sony or reduced the damage—but it will be seen as a failure regardless. The likely response will be to double down on the current strategy. … Best-case, 2015 will be the year we finally get serious about addressing information security and privacy vulnerabilities. More likely, we’ll just do a bit more of what we were already doing—and the breaches will continue.”
I prefer to be a bit more optimistic than Mr. Felten, at least with respect to how leaders rather than laggards (example: Sony) will behave. The combination of brand embarrassment, legal consequences, and financial losses will, in my opinion, motivate boards and CEOs to do much more to stay out of harm’s way, even though security experts agree that hackers often seem to be inventing new ways to breach security defenses, staying one step ahead much of the time. This will usher in a slew of new technology solutions, and security experts with track records in the NSA or DOD will be brought into senior management with enticing compensation packages. Be prepared for a sudden over-supply of VC-funded lemmings, many of which won’t make the cut, as the solutions customers demand outstrip the capabilities of copy-cat players. However, among the me-too companies we should expect to see some adventurous new value propositions that enable organizations to get ahead of the curve by adopting hacker-avoiding strategies.