Agencies face 'catch-22' in planning for cyber threats

Wednesday - 10/9/2013, 2:38pm EDT

Hord Tipton

Download mp3

The online ecosystem of apps and mobile devices is creating a perfect storm of incoming threats and financial challenges.

Hord Tipton, executive director of the information security non-profit (ISC)˛ and the former chief information officer of the Interior Department, told In Depth with Francis Rose recently that agency executives and chief experience officers are in a constant state of "security catch-22."

"Our executives at this point have realized they're in a very turbulent, paradoxical time," he said. "They've got some of the toughest decisions of their careers in enterprise security. It's at the top of the list of their key priorities right now."

Executives are cognizant that they must morph their organizations in order to keep up with the advances in next generation technologies and applications. At the same time, they must make security a priority in order to protect their intellectual properties from ever-evolving threats.

"It becomes a catch-22 in that although they realize that the threats are on the increase, yet many of their security dollars and resources have been earmarked for compliance," Tipton said.

In many cases that means agencies are simply checking checklists rather than actually applying money to coming up with solutions to the security threats.

"Do you spend your money on prevention or do you spend it on mitigation and restoration of your systems?" Tipton asked. "Because, at this point, there's an increasing notion that it's not a matter of if we get hit, it's a matter of when we get hit and we have to be prepared to restore ourselves in the shortest possible time."

(ISC)˛ recently released "A View From the Top- The (ISC)˛ Global Information Security Workforce Study CXO Report," which says more and more executives are realizing they must make a decision on this issue one way or the other. More than 1,200 top security executives from around the world were surveyed for the report.

"They're having to make these tough decisions," Tipton said. "They're having to make convincing arguments to the financial aspects of their companies and their governments and make good cases that this is a real problem and it needs some real solutions."

While the use of mobile devices is often touted as contributing to an increase in productivity, the majority of the executives surveyed — some 70 percent — see those devices as a major threat to their organizations' security.

Executives also saw the evolving nature of the security threats as being a major concern for their organization. It's no longer a matter of someone just trying to break into a system from the outside, phishing and other insider threats are examples of the way systems can be vulnerable to attacks.

"Until we get better software, we get more routine awareness training within the users of all of the tools that are out there, we're not going to make any progress on the problem," Tipton said. "It's going to get worse as the days go by."

RELATED STORIES:

Threat information sharing builds better cyber standards, expert says