CIOs Need to Be Held Accountable for Security




Event Summary

While law enforcement agencies chase their tails in an international hacker hunt, hosting providers and eCommerce CIOs have surprisingly escaped the wrath of accountability. Stockholders of Internet companies should be asking who inside their investment holding is responsible and is being held accountable for security. If no one is held accountable, you can be assured that security will continue to be a low priority.

All too often in Internet companies, security is an afterthought. The executive management team chooses not to take enough measures to protect its customers and systems until after a security incident of considerable magnitude has taken place. This consistent pattern of locking the barn door after the horse has been stolen has been going on in Internet companies for years. In fact, it is incredible that many large-scale corporations have experienced significant security violations and have managed to keep these violations from reaching the front page of the Wall Street Journal.

Some hosting providers knowingly expose customers on insecure backend networks simply because internally security is not given a high-enough priority. Typically, getting new customers up and running has a lot higher priority than securing old customers. When it comes to provisioning new customers, hosting providers often become neglectful after the honeymoon period is over.

If an Internet company is outsourcing its web hosting to a service provider, a member of the executive management team needs to be held responsible for making sure its service provider has taken due security precautions. If your service provider claims your site is secure, they should not have any qualms about their customers performing audits on them.

Market Impact

For publicly traded companies, when a site goes down due to a security attack, this affects the bottom line.

Fig. 1 Amazon.com Share Valuation Drops after Site Outage due to Security Attack.

Amazon.com has seen steady declines in the valuation of its stock since its site suffered a pro-longed outage due to a Distributed Denial of Service Attack on February 9th. According to the Yankee Group, eBay, Buy.com, E*Trade, and Amazon cumulatively suffered losses in excess of $1 billion in the second week in February when they were hit with what is known as a Distributed Denial of Service attack.

Fig. 2 Ebay.Com Share Valuation Drops after Site Outage due to Security Attack.

Attorney General, Janet Reno, testifying before a Senate panel, called the challenge of averting cyber-crime "one of the most critical issues that law enforcement has ever faced," the Associated Press reported. Among security professionals, time spent chasing hackers has long been regarded as something that typically never proves worthwhile.

User Recommendations

  • Organizations which are participating in online eCommerce need to hold someone responsible for the security of their site -- in most cases, this should be the CIO.

  • Shareholders need to hold businesses responsible for their website security.

  • Directors of public corporations should insist that the CEO of their corporation hold someone accountable for the security of their networks, website, and infrastructure.

  • CIOs should ensure that their eCommerce sites undergo an independent Security Vulnerability Assessment at least once a quarter.

  • Only purchase a Security Vulnerability Assessment that has a module that can assess susceptibility to Denial of Service attacks as well as other common exploits, such as those reported to the SecurityFocus Bugtraq mailing list.

  • There are various products on the market that can protect websites from Denial of Service attacks known as Synfloods. CIOs should ask their hosting providers what they are doing to protect their customers from Synfloods.

 
comments powered by Disqus