New Booz Allen White Paper Addresses Cyber Threat Environment

Holistic Cyber Risk Management Program Must "Predict and Prevent" in Today's Complex Threat Environment, Says New White Paper

February 20, 2014

STUDY EXAMINES CONCERNS OF INFORMATION SECURITY LEADERS ACROSS FIVE INDUSTRIES, OFFERS ACTIONABLE GUIDANCE FOR CISOS AND CROS

McLean, VA — In today’s world of dynamic and complex cyber threats, Chief Information Security Officers (CISOs) and Chief Risk Officers (CROs) from commercial and government enterprises are evaluating how to move from a react and defend stance to a holistic cyber risk management program that is focused on the ability to predict and prevent. In response to IT and security leaders’ needs for information on how to more effectively maintain data integrity and security, Booz Allen Hamilton (NYSE: BAH) has released the results of a company-sponsored IDC White Paper, “Shifting Risks and IT Complexities Create Demands for New Enterprise Security Strategies.”(February 2014)

“Shifting Risks and IT Complexities Create Demands for New Enterprise Security Strategies.”

The study, which captures the results of interviews with information security executives across the financial services, federal government, large supply chain manufacturing, oil and gas and pharmaceutical sciences industries, gives security decision-makers practical, actionable information on the current threat landscape, the changing role of the CISO and CRO, and the consequential need for an end-to-end security and service partner.

“Organizations are learning that cyber security threats create both tangible and intangible impact on their abilities to do business and function,” said Christopher Ling, executive vice president, Booz Allen. “It may be easy to calculate the impact of an attack in terms of staff time, replacement costs, lost productivity, and the cost of compliance and meeting contractual obligations, but it is more difficult to determine the loss of brand, reputation and relationships and to tally liabilities. Damage to intangible assets often does not immediately come to light, but it can have significant long-term impact. IT and cyber leaders understand to varying degrees that all it takes is one incident to create irreparable damage and that a holistic threat management system can go far in keeping their organizations safe from harm.”

The IDC White Paper analyzed the concerns of information security leaders in five industries and provided threat-based implications that CISOs and CROs can act upon.

• Financial Services – The evolving threat landscape and rise in the frequency and sophistication of attacks has demanded a holistic response from the financial services industry. Its leaders are well known for making advanced, predictive threat intelligence solutions a priority. Looking ahead, the industry must take advantage of services that better analyze threats on the unstructured and structured components of “big data,” and most institutions will lack the capabilities to perform this work effectively in-house.
• Federal Government – Although agencies are hiring Chief Security Officers, much of the responsibility is still falling to the CIO. Today’s federal IT security managers must address how to deliver security across legacy systems as well as cloud-based and mobile applications, and are searching for security that encompasses the “new” and the “old.” Lurking APTs are prompting many managers to use network monitoring tools, consistency checks and access control management. Agencies remain cautious about exploring security service partnerships, preferring to retain security personnel and risk management in-house, but this raises questions about compliance with internal and government-wide security policies.
• Oil and Gas –The introduction of data-intensive processes, such as the digital oil field, paired with high-profile attacks on energy companies has led many oil and gas companies to make the protection of data and corporate IT assets a top priority. In the very near future, the protection of industrial control systems – the source of many critical oil and gas assets – will become a key area of investment for most oil and gas companies.
• Supply Chain/Manufacturing – The increasingly distributed nature of the manufacturing supply chain is putting it at a greater risk for data security treats. Providers and manufacturers must strike the right balance between a desire for transparency and the need to ensure that this openness does not make them an easy target for cyber attacks. The landscape is changing and automation is on the rise; this brings greater risk to industrial control systems.
• Pharmaceuticals/Life Sciences – Companies are working through a challenging period of industry disruption, battling regulatory changes and the pressure to continue reducing costs. On top of that, companies must now reinforce their commitment to patient privacy by focusing much more attention on preventing the damage APTs can bring. The vulnerabilities created by the widespread adoption of mobile devices are one area of particular concern, and with most life sciences software moving to the cloud, the industry has increased its exposure. As companies spend billions into the R&D for new drugs, security surrounding that information is critical because a stolen IP can cost a company billions more and affect the company’s future viability. Given these concerns, one key capability is assuring the ability to secure and remotely erase all data on these devices.

As threats continue to evolve and attackers exploit organizations’ weakest links, the IDC White Paper concludes that CISOs and CROs can better manage their organization’s security demands by engaging with a security partner. Through its interviews with security executives, IDC collected input on the skill set a provider should have:

• An understanding of the business needs by industry
• A comprehensive security services portfolio that ranges from consulting and implementation to managed security services offerings
• Threat intelligence that creates actionable data that feeds into a managed service
• A broad array of security products and partnerships with vendors
• Solid customer testimonials within the buyer's industry
• A strong balance sheet and strong growth trajectory

Booz Allen’s Christopher Ling added, “CISOs and CROs across all industries have many challenges ahead. Perhaps one of the most critical is translating cyber risk management in terms that the C-suite will value. This report will help leaders address this issue and others, such as whether it is in their organization’s best interests to either manage all components of cyber risk defense or collaborate with a provider who brings broad expertise.”

At the 2014 RSA Conference, Booz Allen Hamilton’s vice chair, Mike McConnell, and Christopher Ling will speak with CISOs about the challenges they face engaging with the C-suite and moving from a perimeter defense to a holistic cyber program.

BAHPR-CO