It seems that every week we read about another cyber incident or data breach on the front pages of online or print news publications. While breaches of banks and retailers are now routinely part of that news, so are more worrisome threats.
Consider the latest acknowledgement from the Department of Homeland Security that Trojan software has successfully penetrated the critical infrastructure of the U.S., dating back to 2011. This is just another indicator of the scale and scope of the constant cyber threat the entire nation is under — and the fact that while business remains the lead target, hackers are actively penetrating the core of American enterprises.
What’s not getting a lot of attention is how top management at organizations continue to treat these incidents as an IT problem rather than a strategic challenge that, among other things, requires the kind of project management resources that routinely go into critical investments.
Businesses are starting to get the message, but government agencies need to as well. A Risk Based Security study of 2013 data breaches found that the business sector was the biggest target of cyber attacks, followed by the government, then health care and education.
Let’s consider two incidents in the government sector. The first incident involved hackers who breached the computer networks at the White House. The second breach occurred at the U.S. Nuclear Regulatory Commission.
While no classified documents appear to have been stolen from either of these breaches, the unsettling fact that hackers were able to penetrate systems in these organizations, which demand best-in-class security measures, speaks volumes about the ability of cyber attackers to crack even the most sophisticated defenses and the cyber threat level as a whole.
A better indicator comes from a Government Accountability Office report released in April. The GAO report disclosed security incidents involving personally identifiable information reported by federal agencies had more than doubled over the past five years to 25,566 in 2013.
Information security incidents at federal agencies involving personally identifiable information, Fiscal Years 2009 – 2013. Source: GAO Report April 2014.Many attribute the frequency of cyber incidents and data breaches to the sophistication of the cyber attacks. But what’s less apparent is the cost of the incidents to organizations and the economy as a whole.
The Ponemon Institute’s 2014 “Cost of a Data Breach” study released in May estimated that on a global basis, the mean annualized cost for organizations to respond to cyber attacks averaged $7.6 million per year. The average in the U.S. was a bit less, at $5.9 million. Those figures are for cyber incidents and data breaches involving 100,000 PII records, not the mega breaches that involve tens of millions of records that have received the vast majority of media attention.
All this signals the fact that data breaches are more than a chief information officer or even a chief financial office issue. They have become a management issue that impacts entire organizations and their partners. As a result, more cyber incidents and data breaches, in fact, are not only landing on the desks of CEOs and senior management within breached organizations but also their boards of directors.
It’s obvious all organizations — governmental and private sector — must improve their responses to cyber incidents and data breaches, and begin to treat them as a strategic management imperative not just a forensics and mitigation project.
But think of it another way: How many initiatives have an annual budget of $7.6 million and go without formal management practices being applied?
Multimillion-dollar projects usually call for a dedicated program or project manager. This isn’t an option. And it shouldn’t be an option managing a host of decisions that must be made in responding to cyber incidents.
For years, the usual response to data breaches fell under the purview of the technology department. But those days are clearly over. The costs, complexity and overall consequences of these events have grown to the point where they now demand — or should elicit — the appropriate attention of the senior executives within most organizations.
Experienced professional program and project managers are beginning to be put in place to manage the complexity of these and related initiatives, and hopefully reduce the overall risk.
Given the complexity, scope and potential costs of cyber attacks, PMs will certainly have their hands full; in many ways, their challenges are far greater than for typical projects in part because the span of players that inevitably must respond to a cyber attack. However, their role is essential to keep organizations focused on the right things, getting those things done correctly and making sure they’re addressed in the proper sequence.
Organizations also must begin thinking about creating a cyber incident response team that answers the call to sudden requests to respond to suspected or confirmed cyber incidents and data breaches. Legal, communications, public relations, operations and finance departments and, of course, the IT department have become common participants, all play major roles in the cyber incidents and data breaches that occur today.
While most incidents share some common factors, the truth is, each also has unique characteristics that influence the way the organization responds to and manages these events.
This much you can count on: Sooner or later, your organization will get attacked, it will take time to respond and recover, and it is going to cost a fair amount of money.
Cyber incidents and data breaches are a fact of the modern online, technologically sophisticated and connected world in which we live and work. Failure to enact formal response practices, including project management disciplines in response to these costly events is clearly a material weakness that must be rectified.
As one management consultant put it, it’s not hard to understand how a $7.6 million project mysteriously becomes a $12 million disaster when proper project management is not applied.
The biggest challenge we all face at this point is the limited number of project managers who have actual experience dealing with the challenges of a cyber incident or data breach. That said, given the frequency of successful attacks, it won’t be long before organizations get the message and the shortage of cyber response project managers begins to correct itself — hopefully sooner than later.
Kevin Coleman is a senior level technology strategist, project and program manager, and cybersecurity adviser with experience leading multimillion-dollar projects across multiple industries. He is the former chief strategist of Internet pioneer Netscape and began his career as a management consultant at Deloitte.
