Security strategies: from IT to the boardroom - Richard Archdeacon

With the threat of cybercrime looming larger than ever over companies, senior executives are beginning to take a much more proactive approach in risk prevention. Finance Director Europe meets Richard Archdeacon, head of security strategy at HP Enterprise Security Services, to discuss this attitude shift, the rules to safely operating in the cloud and the need to align data security with overall business strategy.

There can be no doubting that cybersecurity is an issue now well entrenched in corporate consciousness. Increasingly, businesses, across various verticals, are looking to invest in the newest technologies to counter potential data breaches.

This is happening on a global scale. In November, the Wall Street Journal reported that financial services companies in the US are forecast to bolster their cybersecurity budgets by $2 billion over the next two years.

The UK, at the behest of Whitehall, is also said to spend more on cyberdefence than any other European nation, so as to safeguard the assets of its major companies.

Nonetheless, 2014 might well be remembered as the year of the hacker. Over the past 12 months, several public multinationals, including eBay, Yahoo and Barclays Bank have been subject to well-publicised data security breaches.

In the case of the latter, which saw the theft of data files of 27,000 customers - including national insurance and passport numbers - a vitriolic fallout ensued. Speaking at the time, Liberal Democrat MP Tessa Munt deemed the leak to be "catastrophic" and lobbied for Barclays to face legal prosecution.

The mention of cost is salient. In the UK, if a company is found guilty of leaking personal data, it can be hit with fines of up to £500,000 - as in the recent case of Barclays - as imposed by the Information Officer's Office.

Such reputational damage, transmuted through negative column inches, represents the ultimate detriment for companies. In the regulatory environment, managing compliance is an increasingly complex issue for organisations and will be critical moving forward.

Cybercrime watch

The regularity and severity of breaches have transformed the once-popular image of the lone hacker operating from the confines of their bedroom into one of large crime syndicates or even nation states. According to Richard Archdeacon, head of security strategy at HP Enterprise Security Services, cybercrimes are becoming increasingly sophisticated, as perpetrators deploy new and more advanced means of hacking companies' systems and databases with alarming regularity.

"The first thing to remember is that these cybercriminals are motivated by money," says Archdeacon. "They work within a sophisticated and flexible marketplace - buying and selling capabilities - which enables them to mount focused attacks very quickly. We, the companies, are up against groups of highly sophisticated, business-oriented people."

The group has also been vocal over the need for businesses to improve their understanding of the risks associated with data breaches. A study, '2014 Executive Breach Preparedness Research Report', commissioned by HP, and published in October, revealed that more than 70% of executives believe their organisations have insufficient knowledge of the implications of data violations.

Yet, somewhat conversely, of the 500 senior executives in the UK and US who took part in the survey, 79% claimed that a C-suite response was imperative in the event of a cyberattack. This marks a considerable attitude shift in the sense of gravity afforded to breaches, in contrast with a decade ago.

"Breaches are no longer just an IT issue," explains Archdeacon. "It's not only security teams leading the coordination against attacks. Today, the CIO, COO or CFO is part of the dialogue. As a core business issue, it is becoming part of their job to understand the risks associated with cyberattacks, and to respond appropriately."

New Style of IT

The convergence of business operations and IT, driven by solutions such as the cloud, has undoubtedly raised issues over cyberstrategy. Industries such as the financial-services market continue to embrace cloud-mobility solutions as a way of reducing costs and improving efficiency. This ongoing shift towards "New Styles of IT", as Archdeacon puts it, needs to be taken into account in order to mitigate undue problems.

"If we look at cybersecurity from a strategic point of view, there are a number of influences that we have to understand, such as cloud-mobility solutions," he says. "The cloud allows enterprises to take advantage of new business opportunities, but for it to be truly effective, there needs to be an understanding of the security implications.

"Just as most companies wouldn't offer a poor-quality product to the market, you wouldn't offer an insecure product to the market. Because if it isn't secure, you will end up suffering adverse business impact, brand damage and extra costs. Yet, if you get it right, you can actively take greater advantage of this new style of IT."

The growing involvement of senior executives in data-risk management has also created a direct coalition between cybersecurity and business strategy. In contrast to past measures of dealing with breaches - almost always done reactively - finance directors are now allocating greater budgetary outflows to pre-empt and cut off potential risks, with the business model firmly in mind.

"In the past, security was mostly about telling people not to do things; now, it is about ensuring a business can carry on securely and confidently," claims Archdeacon. "If a breach took place, a company would simply install more technology and that would be the end of it until it happened again. Today, it's about companies managing a series of risks strategically.

"The key to security is having a structured end-to-end approach, with a very clear strategy, which complements the business, operational and financial strategies. They need to be aligned."

In order to achieve this, companies also need to be less internal in their outlook and adopt a fuller appreciation of cyber-issues at large, argues Archdeacon. New technology that provides a picture of the threat landscape on a country-by-country basis can certainly help, but awareness needs to be ingrained at a personnel level.

"A number of questions need to be asked, so as to understand risks," he says. "What's the trend of attacks? What are the latest issues that need to be resolved? How will this threat impact our business? How does it affect our overall business goals? In doing this, you can then prioritise what you need to be working on to reduce that risk.

"A risk-based approach is also significant because you can better align cost with your security functions. You look at where you need to be stronger and how to spend your money more effectively."

Managing the risk

As has been evidenced this year, cybercrime shows no sign of letting up. With an underground market that appears to be as advanced and well structured as its security counterpart, fraudsters can be expected to develop more specialised software systems to illegally procure data from organisations.

Such is its seriousness on the continent that Europol, in a recent report, advocated tougher laws for investigating and prosecuting cybercrime, including greater data retention for lawmakers.

Closer to the corporate side, IT players will need to play an invaluable role in helping companies stay one step ahead. Archdeacon believes they are up for the task. On the back of its aforementioned survey, HP has launched a free online tool kit to help executives assess their organisation's current levels of vigilance. This constitutes a breach-response playbook - consisting of scenarios and best practices - and webinars designed to help in the drafting of breach-preparedness plans.

However, he reiterates that the notion of cybersecurity needs to extend beyond one-stop technological solutions, and should be approached holistically.

"We are seeing new security services and technologies introduced to the market all the time," he says. "Yet, they still need to be implemented in a structured framework. The response to any cyberthreat is not simply about new technologies, but how you apply and implement them within the organisation.

"So what we are seeing today is companies either choosing to do this themselves, or collaborating with other parties, who can manage security services for them and bring that capability to them more rapidly and cost-effectively."

"You only need to open any newspaper, switch on the TV, or listen to the radio, and you will see the mention of a security breach somewhere," says Archdeacon. "From the executives we have heard from, the key issue that needs to be managed during a breach is potential damage to an organisation's reputation and brand."

Richard Archdeacon, head of security strategy at HP Enterprise Security Services.