Executives at Booz Allen Hamilton learned the importance of information security the hard way back in 2011 when the hacker group Anonymous claimed that it had penetrated one of Booz Allen’s servers and had deleted 4GB of source code and released a list of more than 90,000 military email addresses and encrypted passwords.
The breached server turned out to be a development environment containing test data, “but that didn’t really matter; it was a wakeup call,” says Michael Waters, director of information security at the consulting firm and government contractor. “It was a pretty unpleasant experience, but it did galvanize substantial investment — both capital and HR — in getting things done. The firm looked around and said, ‘We have been working on this, but we need to put more toward it.’”
Over the next year, Waters’ information security staff grew from 12 to 70 employees, budgets increased, and processes and governance improved significantly. But a security plan is never “finished,” and in 2013 Booz Allen received a second jolt — this time in the form of an insider threat — when recent hire Edward Snowden, working under contract to the NSA, leaked highly classified documents describing government surveillance programs.
Booz Allen promptly fired Snowden and further honed its infosec program — a practice that continues to this day, says Waters. “We constantly update our information security procedures, no matter what the circumstances, and we also are continuing to strengthen our ethics and compliance program every year,” he says.
Today, Waters would put his infosec program on par with those of the world’s biggest enterprises, but he would have preferred to get there without those pivotal events.
CIO / Computerworld / CSO
Many companies today hope to avoid similar high-profile wakeup calls. After years of news about disastrous breaches, information security has finally gotten the attention of upper management. Two-thirds of 287 U.S. respondents to a survey conducted by CSO, CIO and Computerworld said that senior business executives at their organizations are focusing more attention on infosec than they were in the past. And most of the respondents said they expect that focus to continue. Yet IT leaders still face challenges when it comes to aligning security goals with the needs of business, including justifying costs, defining risks, and clarifying roles and responsibilities.
Half of the survey respondents said security-related efforts account for less than 10 percent of their IT budgets, and nearly three-quarters said security efforts account for less than 25 percent of IT’s time. And while half of those polled said they’d grade their organization’s security practices as an A or B, an equal portion would choose C, D or F.