Skip to main content

This website is no longer being updated. Visit Dartmouth Now for all news published after June 7, 2010.

Dartmouth News
>  News Releases >   2006 >   June

Fortune 500 executives report they need better tools to measure the benefits of cyber security

Dartmouth College Office of Public Affairs • Press Release
Posted 06/07/06 • Susan Knapp (603) 646-3661

The need for simple tools to measure the benefits of cyber security enhancements was ranked as the number one imperative among security leaders at Fortune 500 firms, according to a report published by the Institute for Information Infrastructure Protection (I3P) and the Tuck School of Business's Center for Digital Strategies (CDS), both at Dartmouth College.

M. Eric Johnson and Eric Goetz
Eric Goetz (left), assistant director for research and analysis at the I3P, and Eric Johnson, professor of operations management at Dartmouth's Tuck School. (Photo by Joseph Mehling '69)

The report, entitled "Embedding Information Security Risk Management into the Extended Enterprise," summarizes the findings from a workshop co-hosted by CDS and I3P in March 2006. The report is online.

In the workshop, chief information security officers (CISOs) from Fortune 500 firms—including 3M, Align Technology, Bank of America, Bose, BP, Cisco Systems, Colgate, Dell, Dow Chemical, Eastman Chemical, Eaton, Hewlett-Packard, IBM, Lowe's, Medtronic, Staples, Time Warner Cable, and the U.S. Army—debated the challenges of organizing for security. Executives discussed how to embed security into the organization, touching on issues of organizational structure and culture; measurement; and investment. The objective was to develop an action plan for the next 12-18 months.

The participants agreed that they especially needed tools, or metrics, that could measure the benefits of a secure networking infrastructure, such as whether security initiatives save the company money or add business value. They said that developing composite metrics that can be shared across organizations will lead to better decision making. Other priorities mentioned in the report include integrating information security into a company's larger strategic plan, and fostering a culture that respects and values information security.

"In today's outsourced enterprises, effective risk management is quickly becoming a source of competitive advantage," said M. Eric Johnson, a professor of operations management at Dartmouth's Tuck School and the Director of the CDS. "The technology community has made much progress in the past five years improving the technical aspects of security. The hardest remaining issues involve people and organizations."

Workshop participants emphasized that company-wide educational programs are crucial to building a secure organization. "We clearly heard from CISOs that focused education is helpful, but an ongoing discussion around security must come from the top. Middle management may represent one of the most important challenges to transforming an organization," said Martin Wybourne, vice provost for research at Dartmouth and chair of the I3P.

Security executives viewed finding and developing security talent as crucial to building successful security programs. The biggest challenge is finding people with technical expertise and the ability to understand the business and communicate the business case for security.

According to Eric Goetz, assistant director for research and analysis at the I3P, globalization and outsourcing have increased the challenges of securing the extended enterprise. The flow of information within and between firms is increasing, with more sensitive information migrating to devices at the edge of the network. "Protecting intellectual property in this environment is becoming more and more challenging, and requires a change in security thinking from a technology to a behavior focus," said Goetz.

The report states that the CISOs asserted that customers and business partners are increasingly demanding greater levels of security. A further security driver is the need to protect a company's reputation, especially in an environment where stories of loss of customer information and database hacks are commonplace. The CISOs agreed that investment in security must move from reactive add-ons to proactive initiatives that are aligned with a company's strategic goals. Another issue that emerged from the workshop is that the organizational structure of businesses is subject to frequent change, mainly in response to changes to a company's operational environment, business goals, the external risk environment, or needing to comply with new regulations.

About the I3P
The Institute for Information Infrastructure Protection (I3P) is a national research consortium of universities, federally-funded labs, and non-profit organizations, which is managed by Dartmouth College and funded by the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST). The I3P was established to address security issues facing the U.S. information infrastructure.

About the CDS
The Center for Digital Strategies at the Tuck School promotes the development and practice of digital strategies--the use of technology-enabled processes to harness an organization's unique competencies, support its business strategy, and drive competitive advantage. The center addresses issues throughout the extended enterprise, including globalization, organizational change, and information security.

Dartmouth has television (satellite uplink) and radio (ISDN) studios available for domestic and international live and taped interviews. For more information, call 603-646-3661 or see our Radio, Television capability webpage.

Recent Headlines from Dartmouth News: