Fortune 500 executives report they need better tools to gauge the benefits of cyber security
The need for simple tools to measure the benefits of cyber security
enhancements was ranked as the number one imperative among security leaders at
Fortune 500 firms, according to a report published by Dartmouth's Institute for Information Infrastructure
Protection (I3P) and the Tuck School of Business's Center for Digital Strategies
(CDS).

Eric Goetz (left), assistant director for research and analysis at the I3P, and
Eric Johnson, professor of operations management at Tuck School. (Photo by
Joseph Mehling '69)
The report, "Embedding Information Security Risk Management into the
Extended Enterprise," summarizes the findings from a workshop cohosted by
CDS and I3P in March. The full report is available online.
In the workshop, chief information security officers (CISOs) from Fortune
500 firms—including 3M, Align Technology, Bank of America, Bose, BP, Cisco
Systems, Colgate, Dell, Dow Chemical, Eastman Chemical, Eaton, Hewlett-Packard,
IBM, Lowe's, Medtronic, Staples, Time Warner Cable, and the U.S. Army—debated
the challenges of organizing for security. The objective was to develop an
action plan for the next 12 to 18 months.
Participants agreed that they especially needed tools, or metrics, that
could measure the benefits of a secure networking infrastructure, such as
whether security initiatives save money or add business value. They felt that
developing composite metrics that can be shared across organizations would lead
to better decision-making. Other priorities mentioned in the report include
integrating information security into a company's larger strategic plan, and
fostering a culture that respects and values information security.
"In today's outsourced enterprises, effective risk management is
quickly becoming a source of competitive advantage," says
M. Eric Johnson, professor of operations management at the Tuck School and director of
the CDS. "The technology community has made much progress in the past five
years improving the technical aspects of security. The hardest remaining issues
involve people and organizations."
Workshop participants emphasized that company-wide educational programs are
crucial to building a secure organization. "We clearly heard from CISOs
that focused education is helpful, but an ongoing discussion around security
must come from the top," says Martin
Wybourne, vice provost for research and chair of the I3P.
According to Eric Goetz, assistant director for research and analysis at the
I3P, globalization and outsourcing have increased the challenges of securing
the extended enterprise. The flow of information within and between firms is
increasing, with more sensitive information migrating to devices at the edge of
the network. "Protecting intellectual property in this environment is
increasingly challenging, and requires a change in security thinking from a
technology to a behavior focus," he says.
The I3P is a national research consortium of universities, federally funded
labs, and nonprofit organizations, managed by Dartmouth and funded by the Department of Homeland Security and
the National Institute of Standards and
Technology. It was established to address security issues facing the U.S.
information infrastructure. The Center for Digital Strategies promotes the
development and practice of digital strategies—the use of technology-enabled
processes to harness an organization's unique competencies, support its
business strategy, and drive competitive advantage.
By SUSAN KNAPP