Imagine it's the end of 2015 and you're about to read an expose from a fly on the wall at top closed-room board meetings across the enterprise discussing the state of information security. You're excited, right?
Well, why wait? Here's your seat at the table for 2015's most heated board room discussions about information security.
The backdrop: Events to come
Certain characteristic types of painful breaches will drive heated security debates in the board room in 2015. First, there will be high-profile reinfections of organizations infected in 2014; and, there will be first-time high-profile infections of enterprises that significantly increased their information security budgets to avoid what they saw happening to other companies. "Those are two that will create ripple effects and frustration in the board room," says Eric Cole, Senior Fellow, The SANS Institute.
Companies are spending millions of dollars to avoid infection but they're not spending it in the right areas. "If you take any of those big companies that have already been hit, they made these big announcements about spending several million dollars on security to fix the problem. When breaches hit them again next year, that's going to paralyze the organization and the board of directors," says Cole. The same applies to companies spending heavily on security now that see their first massive breach in the new year.
Another gut-wrenching type of breach that will cause boardroom dismay is the theft and display of Intellectual Property (IP) on the Internet. Companies will also publicly discover that hackers have breached them for years and they didn't know it.
"They will suddenly find out that there have been people in their systems for, let's say, a decade and they really hadn't had any secrets in all that time. When that becomes public knowledge, that will create panic in the boardroom," says Ted Demopoulos, certified instructor, The SANS Institute.
The board goes off on the state of information security
In 2015, as a result of these types of events, boards of directors and C-levels will be frustrated because they will have no idea how secure their organization is. "They will be scared but they won't know why because they won't know what questions they should be asking or whether the information they receive is sufficient," says Cole.
"Boards of director will ask, 'how do we know this isn't us already?'," says Demopoulos. How will boards know that someone hasn't already compromised them for years or that someone hasn't already plucked their IP in order to sell it or put it on display for the world to see? And when no one gives them a solid answer, that will be extremely unsettling for the boardroom.