How a Recent Study Got It Wrong: Lower Budgets not Reducing IT Security


Tom Patterson, Global Consulting Lead, CSC Global Cybersecurity
Twitter: @TomTalks

The Wall Street Journal recently covered a PWC study that concluded that since security budgets have stopped going up, our corporate security must be going down. While that is certainly one possible outcome, I believe that if you securely harness the technological advances in cloud and mobile that are simultaneously sweeping enterprises around the world, and combine them with the latest tools and techniques in cybersecurity, it is possible to match our growing threats step for step, even in these fiscally restrained times.

I do agree with the survey respondents that everyone should still start with a modern risk analysis, which will give them a clear picture of what their threats are, where they are coming from, how they are getting in, and what they are getting out. This process is ideal for providing the enterprise leadership (CEO, CFO, CIO, Board) with the knowledge they need to make their risk decisions —  i.e., what to defend, and how much to spend. But unlike in the old days (last year!), it’s now possible to get a lot more cybersecurity without a lot more cybersecurity budget.

I can think of three ways of providing more “cyberconfidence” without breaking the bank:

CLOUD: It’s big, it’s fluffy, it’s elastic, and it’s already in your enterprise. You may not call it that, but enterprises have either already allowed some sort of cloud, or their employees have just brought their own from home. The worst thing an enterprise can do in this era of free and portable cloud services is to ignore them or deny they exist. That will only serve to increase employee work-arounds and increase the risk of huge chunks of your property flying out a door that you can’t even find, let alone lock. But if you plan accordingly, you can set up a very useful cloud program that encourages secure use of these highly efficient storage and computing services, all the while improving your risk posture without a big hit to the security budget — and it’s paid for by real savings that clouds bring to datacenters, real estate, M&A, and more.

MOBILE: It’s everywhere and it’s taking over your enterprise. Employee-owned mobile device programs, called Bring Your Own Device or BYOD, are being dictated by a strong-willed staff that would sooner lose their corporate laptop than their personal mobile phone or tablet. Enterprises that try to disallow BYOD on their networks are being worked around faster than they can spend money to try to keep these devices out. The better move is to design a secure way that employees can use their own equipment to do their work, without increasing your risk. This is possible now if you design security in from the get-go, instead of expecting employees to bolt it on. Offering your own app store for approved apps; offering secure social media for corporate use; and providing a safe sandbox for employees to use all their unapproved apps without permanent damage to your enterprise, are fast becoming the new norm. The suite of mobile countermeasures that is now available for most brands of devices would rival many corporate security offices, and like cloud, this is all paid for out of the real cost avoidance of no longer buying phones (and in some cases laptops) for every employee.

MANAGED SECURITY SERVICES (MSS):  Just plug in! You don’t generate your own electricity anymore, you just plug in because it’s cheaper and more effective than having a coal-burning steam generator in the cube next to you. Much of security has now gone the way of electricity, where it’s not only easier to simply plug into the services you want, it’s also a lot less expensive (short and long term) and a lot more effective than trying to do it yourself. It’s easier because all you do is select which services you need, allowing you to get back to your core business, and leave the hiring, training, building, operating, evolving, monitoring, alerting, etc., to pure security professionals that live for this stuff. It’s cheaper because the security infrastructure is built once, and shared across thousands of customers, and you only pay for what you use. And it’s more effective because you get the customized benefits of massively parallel global Security Operation Centers (SOCs), and the most highly trained professionals that have access to real-time threat data and state-of-the-art analysis labs that can solve once, and share solutions with everyone. DIY security is so yesterday.

Cloud, Mobile, and MSS are just the tip of the iceberg. Don’t be discouraged by surveys such as these, but rather use them as an opportunity to be your enterprise hero, by pointing out that in 2012, cybersecurity is no longer a zero-sum game.

Posted in As A Service, Cloud Computing, Cyber Security, Cybersecurity, Data Centers, Government, News

More than a Crime

Sam Visner, president, CSC Global Cybersecurity

At a recent session presented by the American Enterprise Institute, NSA Director and Commander of the US Cyber Command General Keith Alexander called cybercrime “the greatest transfer of wealth in history.”

Is this true?

Numbers relating to cybercrime — and to cybersecurity in particular — are notoriously suspect. My experiences as a cybersecurity professional have brought me into contact with numbers relating to the value of economic cybercrime that vary by as much as almost an order of magnitude. Numbers relating to the value of intellectual property may be even harder to pin down; General Alexander notes that “Symantec placed the cost of IP theft to the United States companies around $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally under remediation.”

Whether we accept these numbers to be accurate or not, they’re probably directionally useful, and they may even understate the problem.

Here’s why:

  • Geopolitics. First, the theft of intellectual property is more than a crime. Thinking about a 2011 report of the U.S. National Counterintelligence Executive, we realize that the theft of intellectual property from U.S. firms conforms to the policies, doctrine, plans, operational concepts and capabilities of foreign state actors, or, in other words, the governments of other countries. This theft represents their belief that taking this intellectual property shifts the geostrategic balance of power toward those who possess it, and away from those who lose it. These countries are attempting to shift the global balance in their favor, and they see the economic, scientific and technological content of the intellectual property they steal to be at least as valuable as traditional measures of military power. Indeed, it may become more valuable and more important in the future.
  • Existential Threats. Second, the companies that lose their vital intellectual property, developed sometimes at great expense and representing irreplaceable investments in R&D, may lose everything. They may lose time-to-market, market share, reputation and even their own market relevance, particularly if their intellectual property is exploited by a foreign competitor equipped with the backing of a foreign government and possibly unbound by the need to protect a product’s reputation for quality. Such theft of intellectual property can force a company out of business. With enough theft of intellectual property, an entire economic or industrial sector can be savaged and possibly destroyed. It’s more than a crime; it can be an existential threat to a company or to an industry.
  • Critical Infrastructures. Finally, the threat to our cybersecurity extends to our critical infrastructures, regulated by the government to reflect the public’s interest, but owned and operated primarily by the private sector. Again, our nation’s security — and our geo-strategic interests — are affected by what happens in cyberspace where both the public and private sector operate.

This view may be alarmist to some extent, and it’s generally useful to take the long view in analyzing historical trends. General Alexander is correct, however, in pointing out that speed in cyberspace makes for a difficult long-term analysis of events. Our adversaries are not awaiting the passage of legislation to develop their policies, elaborate their doctrine, refine their tradecraft and build the capabilities they need to meet their objectives. While we need to build strategies that are well considered, there is frequently a need to act quickly to deter threats. When it comes to today’s cybersecurity challenges, we may not have the luxury of time we often afford ourselves.

Posted in Cyber Security, Cybersecurity, Government, News

SCOTUS Ruling on ACA Forces Healthcare’s Hand on Exchanges


Jordan Battani
Managing Director, CSC Global Institute for Emerging Healthcare Practices

After three months of deliberations, the Supreme Court, in what appears to be a carefully orchestrated alignment of divergent views and interpretations, delivered a decision that upholds the constitutionality of the requirement for individuals to obtain health insurance coverage (or pay a penalty “tax”), and of  the expansion of the Medicaid program.

The ruling limits the ability of the federal government to withhold Medicaid funds from states that decline to participate in that expansion, holding that the federal government may properly withhold Medicaid funding for expansion of coverage from states that decline to participate in the expansion, but it cannot withhold funding for Medicaid programs that the state does agree to participate in.

If anyone in the industry still needed convincing that it’s time to get moving on healthcare reform, the Supreme Court ruling on June 28, 2012 has delivered the message.   When the Patient Protection and Affordable Care Act (PPACA) was passed in 2010 the implementation deadlines were aggressive.  Now, more than two years later, they are even more challenging.

There’s no shortage of work to be done to be ready for the major health insurance business reform implementation milestones that are looming in 2014, and almost all of it requires heavy-lifting technology to make it successful. Health insurance exchanges (HIX) that will facilitate eligibility verification and enrollment in subsidized health coverage programs, and act as online marketplaces for individuals and small employers to compare, shop and purchase coverage, must be designed, built, tested and deployed in every state – either by the state itself, or with the assistance of the federal HIX solution.

A parallel effort is taking shape in the private sector as well – as commercial and non-profit health plans and payers create new products and build processes and information technology systems to take advantage of the opportunity that the HIX offers as a sales channel for reaching individual and small group coverage customers.

The hospital and physician sectors will have their work cut out for them as well, as Medicare payment reforms like value-based purchasing and the MSSP Accountable Care Organizations come on line. For organizations already struggling with the mandates to demonstrate “meaningful use” of electronic health records and implement ICD-10 coding systems, these are formidable additional challenges.

Careful planning and flawless execution are the keys to success and the time for taking a “wait and see” position has passed.

Posted in Government, Health IT, IT Services, News, Organizing IT for the Future

The Real Reasons Why Cyber Is Now Front-Page News

Sam Visner, Cyber Lead Executive at CSC and Adjunct Professor at Georgetown University

A front-page article on cybersecurity by Ellen Nakashima, published in the March 18, 2012, edition of The Washington Post, is important in several ways. 

First, the article discusses the use of cyber as a weapon system, i.e., as a component of our nation’s integrated approach to battlefield operations. The article takes readers through some of the issues, opportunities, and challenges that lie before us as cyber assumes a more prominent role in U.S. military thinking. In doing so, it reflects the fact that information technology remains an area of competitive advantage for our country, both in terms of the technology itself as well as in the creative ways technology can be used to effectively confront threats.

At a more abstract, but perhaps more important, level, however, the article conveys an additional message — that cyber is an instrument of state power. For those new to the cybersecurity domain, the article provides useful food for thought about the potential vulnerabilities of financial systems, battlefield systems, and even embedded systems used in manufacturing. Overall, what we’re seeing is the emergence of national thinking about our cyber interests, the development of policy and doctrine to support those interests, and the elaboration of operational concepts and capabilities that support our policies, and are consistent with doctrine.

And this trend takes us to the third, and most vital, point: that cyber is an issue that unites the private and public sectors across often-shared concerns and interests. Certainly, foreign governments employing cyber for their own purposes, against commercial and public-sector enterprises, do so in the service of policies that span the widest range of targets.

The United States cannot be the only state to view cyber as an instrument of state power. Indeed, the Washington Post article can be read in conjunction with the 2011 report of the National Counterintelligence Executive (NCIX) that describes the economic espionage undertaken by foreign governments to steal intellectual capital from U.S. companies. In other words, commercial organizations are being targeted by foreign governments that are using the information they glean to support their own nations’ economic interests, as well as their own geo-strategic interests. What this means, of course, is that we are not alone in developing a concept of our national interest in cyber, or in developing policy, doctrine, operational concepts, and resources to support those interests.

Taken together, the Washington Post article and the NCIX report tell us that our cybersecurity line of business is more than an “adjunct” to commercial information technology, and more than an “add-on” to our national security strategy. Cyber is becoming a pillar of both. Some see new information technologies as ways of gaining cost and operational efficiencies, while others look to these technologies to enable new value propositions and business models (for industry) and new ways of delivering services to our citizens (for government) and of conducting battlefield operations. We should view cyber in this manner: good cybersecurity can enable new business models; effective use of cyber can represent a new pillar of our national security strategy. That cyber is now “front-page news” tells us how important it has become. This is just the beginning.

Posted in Cyber Security, Cybersecurity, Government, News, Privacy

NASSCOM India Leadership Forum 2012

Brian Manning, President, CSC in India

It’s a milestone year for this, the 20th NASSCOM India Leadership Forum (NILF), and as I arrived at the Hotel Grand Hyatt in Mumbai to attend the annual showcase, the first impression that I got was that the event is not just about India anymore. I saw delegates who had come from all over the globe. The event has more than 120 speakers, and more than 2,000 delegates. The 2012 edition has hyper specialization as the core theme, and I am taking this opportunity to share what I see, hear and learn over the next few days about the trends in the industry that are sure to emerge at this great event.

Day 1 started with the inauguration and Social Innovation Honors Awards, where Kapil Sibal, India’s Minister of Communications & IT, and NASSCOM executives Rajendra S. Pawar (chairman), N Chandrasekaran (vice chairman) and Som Mittal (president) were the key guests.

The session started with Som Mittal’s enlightening presentation where he disclosed that for FY 2013, export revenues from the IT and ITES sectors are expected to grow between 11 and 14 percent in U.S. dollar terms, whereas the domestic market is expected to grow by 13 to 16 percent. I also believe this to be the case. Another point he made was that direct employment in the IT sector is expected to grow by more than nine percent to reach 2.8 million jobs, with more than 230,000 of those jobs being added in FY 2012. Kapil Sibal started his speech agreeing with the point that the IT sector plays a very important role in all sectors’ growth in India. I completely agree with him. I see no industry today that is not utilizing the power of IT.

There were a few more sessions that spoke about tapping the U.S. healthcare outsourcing market and the era of hyper specialization, which focused heavily on what technologies will come into play in these areas and how new opportunities are there for the taking. Sounds interesting and I am excited to learn more about these topics and contribute to the discussion throughout the event!

It was also interesting to hear about the story of technology and innovation — on and off the pitch — from a former cricketer, Sir Richard Hadlee. This shows that even athletes now remain in touch with technology. What else can I ask for!

NASSCOM has done a fantastic job organizing this event at the global level, and the management was simply great. Hats off to Som Mittal’s team. Day 1 is over and I am very much looking forward to networking with several new acquaintances over dinner. I’ll keep you posted with the latest updates.

‘Til then, have a good night from Mumbai!

Posted in Jobs, News

Is IT Making Unemployment Worse? The Debate Has Begun

David Moschella, Global Research Director, CSC Leading Edge Forum

In America, the combination of high unemployment and the start of the presidential election process has sparked a great deal of debate about how jobs are created, and lost. Nothing new there. Similar academic and populist debates have been part of every modern recession, as society seeks both strategies – legislation, fiscal and monetary policies – and scapegoats – corporations, machines, trade, foreigners, etc.

What’s different today is that information technology is now at the center of the discussion. Over the decades, we have grown used to thinking of IT as an engine of economic growth. But in the current marketplace of ideas, IT’s ability to eliminate jobs is getting a lot more attention than its capacity to create them. Whether this shift in attitude is warranted or not, it’s a potentially huge change in the way our industry is perceived. Moreover, unless the national unemployment picture improves considerably, concern over IT’s effect on jobs will likely increase sharply in 2012 and beyond.

President Obama moved the issue into the mainstream media in June 2011 when he remarked: “There are some structural issues with our economy where a lot of businesses have learned to become much more efficient with a lot fewer workers. You see it when you go to a bank and use an ATM, you don’t go to a bank teller, or you go to the airport and you’re using a kiosk instead of checking in at the gate.” Never mind that ATMs have been around for decades (or that airport kiosks are used at check-in, not the gate), the President of the United States essentially said that technological progress is eliminating jobs, resulting in “some” level of structural unemployment, a potent phrase in economic circles.

Posted in Innovation, News

All I want for IT in 2012 (Predictions for IT in 2012 by CSC)

Lem Lasher, Chief Innovation Officer, CSC


On cloud! On data! On cyber! On mobile!

On tablets! On social networks…okay, you get the point.

It’s December, and for those of us in IT, ’tis the season for predicting what trends will be dashing through enterprises in 2012.

IDC and Gartner recently said “it’s beginning to look a lot like” a cloud and big data dominated 2012.

Here are some of the ways I see IT “decking the halls” of businesses next year:

Emergence of Advertising Inside Cloud Enterprises. Most of the consumer cloud — from Facebook to Gmail — is paid for by advertising. Companies will deploy the consumer model inside the enterprise, providing IT at subsidized rates or for free as companies look to reduce their IT costs.

Enterprise Data Walls Come Crashing Down. Companies have lots of firewalled data on customer spending, purchases, satisfaction and so forth but lack a predictive picture of what clients will buy more of or less of in the future. The walls between the data will come down now and companies will understand the message contained within currently discrete data.

Threats to Slow IT Investment. Increasing fear among businesses and individuals of hacking threats will cause a reduction in the gross amount of spending on and adoption of IT. Corporate funding will be diverted to expanding physical security protections, IT security measures and employee education.

War for Data Leads to Proprietary Systems. Technology companies know the gold is in owning the customers’ data and digital technology development will swing from open systems to proprietary systems.

IT Will Operate Like a Business within a Business. While historically IT has operated as a service center to the rest of the organization, businesses will demand that IT function like a business within a business. Because of the pervasiveness of IT, it will grow regardless of the economy, increasing its share of corporate costs. This will lead to a drive for efficiency and expedite the shift of IT to India.

Do you see what I see? Despite some potential for IT staffs receiving buckets of coal for budgets over the next year, IT’s development in the near term will be jolly, especially when you consider that the number of “toys” connected to the Internet will surely continue to dramatically increase in the coming weeks and months (another prediction for being such a good audience).

In all seriousness—there is positive acceleration in the multitude of ways global enterprises are deriving value from technology. Come 2013 it will be interesting to see how many of these, if any, have become reality and what global trends are influencing the next wave of IT evolution.

Have yourself a merry little 2012!

Posted in As A Service, Cloud Computing, Cyber Security, Cybersecurity, Innovation, IT Services, The Consumerization of IT

People vs. Diaz Fails to Consider Enterprise Data on Mobile Devices

Mark Rasch, Director of Cybersecurity and Privacy Consulting, CSC

On October 10, California Governor Jerry Brown vetoed a proposed law, SB 914, which would have required the police to obtain a warrant to search the cell phones, laptops or tablet computers of individuals who are arrested or detained by the police and thereby reversed a California Supreme Court decision in People v. Diaz 51 Cal. 4th 84; 244 P.3d 501; 119 Cal. Rptr. 3d 105; 2011; Cal. LEXIS 1 (Cal. Sup. Ct., Jan. 3, 2011).  Under the Diaz decision, the court ruled that the police interests in both protecting themselves from physical harm and preventing the destruction of evidence entitles them to seize and then search the entire contents of any device found on or near the person of a detainee. But what happens when these personal devices have corporate information on them?

Enterprise mobility and the idea of bringing your own device (BYOD) to work are on the rise within enterprises today. Couple this with the advent of new cloud technologies adopted specifically for portable mobile devices, and you have a situation where, ultimately, police may search more than your purse or pockets on a routine traffic stop. They may search — without a warrant — the contents of all of your employees’ computers at home and in the office, and everywhere on the Internet that your mobile device has stored data — including what is stored on an enterprise cloud.

The rationale behind the searches is what is called a “search incident to a lawful arrest.” When police detain someone, they are entitled to search both that person and items near that person for self-protection (look for weapons) or to prevent the destruction of evidence (gambling records on “flash” paper). What the court failed to consider in the Diaz case is the nature of a modern cell phone and other electronic devices, from iPhones and iPads to thumb drives, laptops, and “cloud devices.” Unlike something similar to an alphanumeric pager, modern devices that people keep on their person reveal a tremendous amount about their owners, and often it is highly likely that they will reveal a lot about the organization that their owners work for — all of which could be evidentiary in nature — for good and for bad. Moreover, cloud-enabled or enterprise devices may simply act as portals to even greater volumes of information, and may store passwords to enterprise services that may be located in a remote location.

Now we do not suggest that police should be denied access to this treasure trove.  Rather, they should not be permitted access to it automatically by virtue of the fact that someone had the device with them at the time they were detained.  A warrant, probable cause, or some showing of an immediate need to search without such a warrant should be required.

This is particularly true when you consider the fact that, as The Washington Post recently reported, there are more than 150 minor offenses for which police can, and are instructed to, arrest you in just Washington D.C. If your car has expired tags you can be arrested; and your cell phone, laptop, iPad or other things can be seized and searched. Other “arrestable” offenses include things like not having your dog on a leash and climbing a street light. In many states, the police may simply approach anyone, ask them to produce identification documents, their full true name, address, date of birth, and where they are going and what they are doing; and if they fail to adequately provide this information they can be arrested and then searched. In 1996, the U.S. Supreme Court held that a person can be detained even if the detention was a “pretext” to conduct an otherwise unlawful search (arresting people in D.C. for not using a turn signal because they wanted to search the car), and in 2001 the U.S. Supreme Court held that a mother could be arrested (and her car searched) for not wearing a seat belt – an offense which carried only a minor fine. The message here then is that if the police WANT to search your phone, laptop, iPad or cloud device, they can probably find an excuse.

It is difficult to see how an iPhone could be confused for a weapon, and certainly the police would be entitled to examine the device under the “search incident” rationale to ensure that it is, in fact, just a phone. As the dissenting Judge pointed out in Diaz, “there is apparently no app that will turn an iPhone or any other mobile phone into an effective weapon for use against an arresting officer.” Modern cell phones contain too much information to be the subject of routine warrantless searches, especially when the justification is that they might be a weapon. On a personal level it is obvious what these devices contain — contacts, photos, text messages, etc. — but as a mobile extension of an employee’s office they can reveal product roadmaps, sensitive corporate materials, and large quantities of proprietary and confidential information.

But this is only the tip of the iceberg.  As storage capacity of mobile devices increases, they are capable of holding every document, note, video and communication of an employee. If company data is on or accessible on a device held by someone who is detained, all that data can be examined by the cops. There appears to be no limit to the scope of the “examination” conducted by the police; having lawfully seized the device, there is no reason that they could not “mirror” or image the device and its contents, and then share the contents of that device with anyone they choose.

More distressing is what happens as storage and processing are moved from the mobile device to the cloud. The smart-phone will become a portal to cloud computing, cloud processing, and cloud analysis. The device will store a userID and password that will connect automatically and seamlessly to a server in a remote location, which can contain virtually everything. Under the “search incident to the lawful arrest” doctrine, law enforcement officials may assert a right not only to search the device without a warrant or cause, but to search everything on the cloud accessible by the device. Indeed, they may not be able to make such a distinction. The arrestee’s “grabbable reach” extends from his or her pockets into the cloud.

Courts need to understand that computers are not mere storage devices.  Just because I can search your briefcase at the airport does not imply that I should be permitted to mirror the contents of your hard drive, or log into your cloud server. The volume and nature of the device reveal things that need to be protected from prying eyes. Certainly there can be evidence of crimes — even serious crimes — on such devices and in that case, the best course of action is for the police to obtain a proper warrant to search them. But the need to prevent guns, knives and bombs from being used simply does not apply to bits and bytes.

Posted in Business/IT Co-evolution, Cyber Security, Cybersecurity, Privacy

Understanding the Value of Corporate Responsibility

Susan Pullin, Vice President of Corporate Responsibility

“Corporate Social Responsibility isn’t about giving money away and adopting the latest cause of activists. CSR and sustainability are approaches to business operation and execution that build employee engagement, improve environmental performance, create positive social impact, enable operational efficiency, reduce cost, foster innovation, strengthen relationships with customers and consumers and ultimately . . . create business advantage.”

—David Stangis, VP of CR for Campbell’s Soup; from, Thriving on the Value of Vice: Stop Making Too Much of CSR by Aman Singh

There are many opinions about the real value to a company of corporate responsibility (CR). Aman Singh recently wrote for Forbes about these contrary opinions and posed the question: “Are we fighting over semantics or strategy?” She went on to consider how stakeholders often view CR. Is it perceived as something that is disconnected from markets, profits and capitalism itself? Is it typically misinterpreted as a cost, with some seeing CR as little more than “giving away money and adopting the latest cause of activists”?

As we look at this debate, one point is clear: if CR is perceived as anything but a contributor to top-line growth, then stakeholder opinions will be negative and the value of CR is misunderstood.

So what is the business case for CR? The evidence indicates that companies that invest in their communities tend to have a better focus on long-term growth and consequently they do better in the marketplace.  Although the CR vs. capitalism debate continues to rage, fueled by University of Michigan Professor Aneel Karnani’s controversial editorial in the Wall Street Journal, “The Case Against Corporate Social Responsibility” — investment firms appear to think otherwise. Bloomberg has created its own sustainability group with the remit of investigating a company’s sustainability prior to advising investors on their business viability.  They are measuring the sustainability of a company as another indicator for the quality and effectiveness of the management execution.  Along similar lines, Singh quotes Paul Herman, CEO of HIP Investor as saying, “Research from Wharton has shown measurably that companies that help solve social and environmental problems enjoy a higher shareholder and portfolio value.”

Surely, if you are investing in your community, you are creating relationships and building trust. We know that organizations prefer to do business with people they know and trust. If you demonstrate you care about the management of your resources and your effect on the environment, then you are being a good steward. Your client could extrapolate that this company would then also be a good steward of the business they put into your trust.  And if you care about your workers’ health and safety and are interested enough to invest in their training and development, you demonstrate your commitment to nurturing and retaining talented employees, another indication of business savvy.  All of these attributes have the potential to lead to business growth built on so strong a foundation.  I believe the business case for CR is that by being corporately responsible we are stimulating the environment for business growth.

In this respect, communicating to the marketplace is essential, and publishing an annual CR report provides us the right forum to tell the CR stories behind our global enterprise. In an environment where investors and clients are evaluating a much broader array of data before they decide where to spend their money, it makes good business sense to be as transparent as possible.   It is one thing to say we have a focus on sustainability, because it is the right thing to do.   But we are also convinced it is the right thing to do to grow our business.

Here is a link to our new 2011 CR Report, The Human Imprint. Please take the opportunity to read it and learn more about CSC. We are a company full of passionate people who bring our values to work each day, wherever we are in the world. In the report, we tell many of our stories about the undeniable links that bind our CR commitments and our business performance together and this contributes to our top-line growth.


For Better or Worse, Global Banking Will Encounter Global Cyber Threats

Sam Visner, Cyber Lead Executive at CSC and Adjunct Professor at Georgetown University

The Washington Post report on the suspected North Korean cyberattack is troubling in a number of ways. If true, the attack signals that commercial institutions are – as many have suspected – the targets of weapons-grade, state-sponsored cyberattacks and exploits. Such attacks and exploits mean that commercial institutions need to consider, and probably to employ, the same level of cybersecurity protection and the same level of sophistication in their defense as is becoming the norm in the national security community. In the past, financial institutions had considered cyberattacks as a “cost of doing business” and had mitigated the effects of these attacks on an “actuarial” basis, i.e., building a financial position that took into account the losses these attacks represent. Such an approach is less viable every day. More sophisticated attacks and exploits can do more than draw funds from a bank; they can hinder its very operations; they can jeopardize the interests of numerous customers, and they can compromise a bank’s intellectual property and competitive position. They can even destabilize a financial institution, assuming sufficiently clever and malicious manipulation of a bank’s data. The story from the Washington Post points to South Korea’s Internet connectivity as a characteristic of that country’s financial industry. In the future, this level of connectivity will be the global norm, and banks will have to find more ways to use global connectivity to their advantage, and to the advantage of their customers. Banking products and services will depend on global connectivity. Indeed, mobile banking will require this connectivity at a level that significantly surpasses today’s online banking activity. As a result, banks throughout the world will face the same situation as those in South Korea. The risks and threats of an online environment will be unavoidable.

Though not necessarily good news, this kind of report is useful in that it can help catalyze disciplined thinking and effective action to safeguard our financial institutions. Banks can build information architectures that are more intrinsically secure. Banks can “bake in” designs that impose stronger rules for data exiting their systems. They can move beyond an actuarial approach to hardening their systems, and to investing in tools to find anomalous system behavior. Indeed, there will be little choice but to engage in these approaches. Banks can and should work with government authorities to understand cyber threats, both in terms of the activities of criminal organizations and in terms of the technologies they must master on behalf of their customers and themselves. Banks and government authorities must work together to improve the level and quality of information available about global cyber criminal activity. Indeed, overcoming this “data crisis,” in which cyber threats are both under-played and over-hyped, is an urgent priority.

For better or worse, global banking will encounter global cyber threats. Overcoming and managing these threats is an unavoidable responsibility. The best institutions will accept these responsibilities and turn that acceptance into a competitive advantage.
