Thursday, August 26, 2010

CIOs Need to Be Held Accountable for Security

While law enforcement agencies chase their tails in an international hacker hunt, hosting providers and eCommerce CIOs have surprisingly escaped the wrath of accountability. Stockholders of Internet companies should be asking who inside their investment holding is responsible and is being held accountable for security. If no one is held accountable, you can be assured that security will continue to be a low priority.

All too often in Internet companies, security is an afterthought. The executive management team chooses not to take enough measures to protect its customers and systems until after a security incident of considerable magnitude has taken place. This consistent pattern of locking the barn door after the horse has been stolen has been going on in Internet companies for years. In fact, it is incredible that many large-scale corporations have experienced significant security violations and have managed to keep these violations from reaching the front page of the Wall Street Journal.

Some hosting providers knowingly expose customers on insecure backend networks simply because, internally, security is not given a high enough priority. Typically, getting new customers up and running has a much higher priority than securing existing customers. Once a new customer has been provisioned and the honeymoon period is over, hosting providers often become neglectful.

If an Internet company is outsourcing its web hosting to a service provider, a member of the executive management team needs to be held responsible for making sure the service provider has taken due security precautions. If your service provider claims your site is secure, it should not have any qualms about its customers performing audits on it.

For publicly traded companies, when a site goes down because of a security attack, it affects the bottom line.

Fig. 1 Amazon.com Share Valuation Drops after Site Outage due to Security Attack.

Amazon.com has seen steady declines in the valuation of its stock since its site suffered a prolonged outage due to a Distributed Denial of Service (DDoS) attack on February 9th. According to the Yankee Group, eBay, Buy.com, E*Trade, and Amazon cumulatively suffered losses in excess of $1 billion in the second week of February when they were hit with what is known as a Distributed Denial of Service attack.

Attorney General Janet Reno, testifying before a Senate panel, called the challenge of averting cyber-crime "one of the most critical issues that law enforcement has ever faced," the Associated Press reported. Among security professionals, time spent chasing hackers has long been regarded as something that rarely proves worthwhile.
