
Vox of Dartmouth, the College's newspaper for faculty and staff, ceased publication in February 2010. For current Dartmouth news and events, see:

· Dartmouth Now
· Periodicals
· Events Calendar

Measuring Up

Fortune 500 executives report they need better tools to gauge the benefits of cyber security

The need for simple tools to measure the benefits of cyber security enhancements was ranked as the number one imperative among security leaders at Fortune 500 firms, according to a report published by Dartmouth's Institute for Information Infrastructure Protection (I3P) and the Tuck School of Business's Center for Digital Strategies (CDS).

Eric Goetz (left), assistant director for research and analysis at the I3P, and Eric Johnson, professor of operations management at Tuck School. (Photo by Joseph Mehling '69)

The report, "Embedding Information Security Risk Management into the Extended Enterprise," summarizes the findings from a workshop cohosted by CDS and I3P in March. The full report is available online.

In the workshop, chief information security officers (CISOs) from Fortune 500 firms—including 3M, Align Technology, Bank of America, Bose, BP, Cisco Systems, Colgate, Dell, Dow Chemical, Eastman Chemical, Eaton, Hewlett-Packard, IBM, Lowe's, Medtronic, Staples, Time Warner Cable, and the U.S. Army—debated the challenges of organizing for security. The objective was to develop an action plan for the next 12 to 18 months.

Participants agreed that they especially needed tools, or metrics, that could measure the benefits of a secure networking infrastructure, such as whether security initiatives save money or add business value. They felt that developing composite metrics that can be shared across organizations would lead to better decision-making. Other priorities mentioned in the report include integrating information security into a company's larger strategic plan and fostering a culture that respects and values information security.

"In today's outsourced enterprises, effective risk management is quickly becoming a source of competitive advantage," says M. Eric Johnson, professor of operations management at the Tuck School and director of the CDS. "The technology community has made much progress in the past five years improving the technical aspects of security. The hardest remaining issues involve people and organizations."

Workshop participants emphasized that company-wide educational programs are crucial to building a secure organization. "We clearly heard from CISOs that focused education is helpful, but an ongoing discussion around security must come from the top," says Martin Wybourne, vice provost for research and chair of the I3P.

According to Eric Goetz, assistant director for research and analysis at the I3P, globalization and outsourcing have increased the challenges of securing the extended enterprise. The flow of information within and between firms is increasing, with more sensitive information migrating to devices at the edge of the network. "Protecting intellectual property in this environment is increasingly challenging, and requires a change in security thinking from a technology to a behavior focus," he says.

The I3P is a national research consortium of universities, federally funded labs, and nonprofit organizations, managed by Dartmouth and funded by the Department of Homeland Security and the National Institute of Standards and Technology. It was established to address security issues facing the U.S. information infrastructure. The Center for Digital Strategies promotes the development and practice of digital strategies—the use of technology-enabled processes to harness an organization's unique competencies, support its business strategy, and drive competitive advantage.

By SUSAN KNAPP


Last Updated: 12/17/08