Should Corporate Executives Be Responsible for Security?
Amit Yoran, the current CEO of the cyber exposure company called Tenable Network Security, has recently revealed that corporate executives are regularly downplaying the digital security threats they are facing. And given Yoran’s sterling track record and considerable experience as founding director of the U.S. Computer Emergency Readiness Team under the Department of Homeland Security, this is no small matter. As a former executive of Symantec and RSA, two highly reputable security companies, he has the perspective of both a government bureaucrat and a successful business executive in the private sector.
Yoran’s unique experience working in both the private and public sectors has allowed him to gain a broader view of precisely how organizations currently assess and manage their IT security arrangements. Amit says, “After the Equifax data breach and the WannaCry ransomware attack, there needs to be more emphasis on executive security responses.”
Anything from neglect to pure ignorance can cause companies to become lax with their IT security setup, essentially allowing the responsibility to fall on the shoulders of the decision-makers, otherwise known as the executive team. For example, the company Equifax made a huge mistake after data of 146.6 million customers (such as Social Security numbers, birth dates, and other personal information) was leaked through a successful attack. The company had no choice but to disclose the breach and its fallout, as it was legally required to submit a highly detailed report to the Securities and Exchange Commission.
Because corporate executives are often motivated by profit, they tend to view IT security spending as an inconvenient and unnecessary expenditure. Yoran maintains, “They need to bring a new discipline and process to managing, measuring, and reducing cyber risk. They need to know, what is the state of security? How exposed am I?”
Out of a motivation to change the executive mindset, Yoran joined Tenable, then just a 16-year-old cyber exposure company, and began a new market for vulnerability-management software with the mission of educating corporate leaders in best practices of IT security spending. With a goal of enhancing their foundation through improved policy, Tenable created plans to implement future changes in the digital security of the world.
Tenable.io, the platform Yoran promotes, has tight integration with Google Cloud, Amazon Web Services, and Microsoft Azure. Yoran hopes the corporate community becomes practical by closing down vulnerabilities and tightening network security before spending on new technologies like artificial intelligence (AI) and virtual reality.
But all ignorance and neglect aside, what about affordability? According to a reputable survey, 17% of a pool of 1,600 corporate decision-makers in six countries lack the funds to make this dream a reality, and 16% simply don’t have the knowledge or in-house expertise to deal with such security issues.
A risk-value study by NTT Security shows that when confronted with a cyber attack, 600 firms in 12 countries will resort to paying hackers as a solution. While the companies themselves will likely solve their immediate IT security problems this way, such an approach does not necessarily protect the customers they do business with.
Change has to start somewhere. Yoran concluded, “People gave me a strange look when I left RSA, which is a billion-dollar company. But the security attack landscape requires companies like Tenable.”