Enterprise IT Security: The Wake-Up Call is Getting Louder

I attended two local industry events recently that highlighted the substantial gap that exists between hackers’ abilities and the average corporation’s information security defenses. While we’ve been watching the security industry closely and work with several portfolio companies in this area, it’s nonetheless unsettling how far behind the average corporation is, and how daunting the chasm is between where they are and where they need to be.

At a breakfast last week hosted by the Boston Chamber of Commerce, a panel of security experts discussed how U.S. companies, even small and medium-sized, are more and more exposed to cyber threats from organized crime, nation states, and terrorist organizations. These are far from the teenager in pajamas hacker stereotype, the panel warned.

“There are two types of companies,” said Richard Clarke, former security consultant to Presidents Reagan, H.W. Bush, and Clinton. “Those that have been compromised and know it, and those who have been compromised and don’t.” Art Coviello, executive vice president of EMC and executive chairman of RSA, argued that business leaders need to recognize IT security as a real cost of doing business today. Organizations need security audits as much as they need financial audits, he said. The current prospects for businesses effectively defending themselves aren’t good, according to another panelist, hacker and IT security consultant Chris Goggans. Most companies are in awful shape and very exposed to outside attack, he said, and they are way behind what a cutting-edge hacker can do.

The panel discussed a growing concern for organizations today: business espionage. The Chinese government, for example, is funding groups that steal U.S. intellectual property and give it to Chinese companies. The panel agreed that much more must be done to combat the problem, starting with organizations increasing security as a priority and taking a closer look at security practices.

A dinner program on infosecurity I attended last month focused on the same security issues plaguing businesses today. Dinner guests, including senior IT people and CSOs from banks, hospitals, insurance companies, etc., discussed that while they’re doing the best they can with limited budgets and resources, they are still no match for sophisticated hackers. In addition to IT security threats, this discussion also touched on the insider threat. In an era of WikiLeaks and Snowden, it is seemingly impossible to plug all the varied data loss holes.

These events painted a clear and dark picture of how much IT security threats have outpaced the enterprise’s ability to combat them. While this gap has resulted in some innovative solutions that provide a fresh approach to IT security, I agree with Coviello’s assertion that organizations haven’t realized the extent to which IT security has become a cost of doing business today. I am encouraged that through events like these more executives are becoming aware and getting educated on the scale of the challenge. As an overall business community, I can see that we are making progress in understanding the problem, but more must be done before it’s solved.