In 2015, almost every CIO will be tasked with assessing their organizations and technology to ensure data and confidential information are protected.
Target, Home Depot, Staples, who’s next? These are just the most recent retail outlets that made the news. What is not making the headlines is the multitude of private- and public-sector organizations that have been hacked and lost data and information — many times totally unaware until after the fact.
Why is security so important for IT leaders in 2015? Because it costs a LOT of money once your network and systems have been breached!
South Carolina recently lost large and significant quantities of data from its Department of Revenue systems in a massive data breach that involved over 3 million taxpayers. No CIO or IT leader wants to see headlines such as those that ran in South Carolina news reports: “Director of South Carolina Department of Revenue Resigns, Breach Costs Over $14M.”
In terms of cost, we can start with the loss of a number of job positions and the cost to find and replace those with more expensive personnel. In terms of real and tangible financial cost, the State spent large sums of money (unplanned and not budgeted) with the initial focus on financial credit monitoring and reporting for over 3 million taxpayers. Related costs include:
- $500,000 for a state-commissioned analysis from security firm Mandiant
- $12 million for credit monitoring services from Experian
- $800,000 for improved information security capabilities
- $100,000 for outside legal help
- $150,000 for a related public relations campaign, as well as
- $740,000 that will likely be spent to notify the estimated 1.3 million out-of-state taxpayers who were affected by the breach.
These are just the current bills. They do not include additional programs to supplement data and information protection. The real cost of this attack will continue to grow and will include the potential future loss of jobs by a number of IT personnel, replacement searches for personnel, learning curve timeframes and loss of productivity from turbulence within IT and departmental organizations across the state, to name a few.
From an IT Organizational (ITO) standpoint, every IT department across the private and public sector will be expected to become expert in Information and Data Security within the year. Outliers author Malcolm Gladwell asserts that it takes 10,000 hours of practice to achieve mastery in a field. That’s almost 5 years of 40-hour weeks. I actually think it takes longer, much longer in the current IT environment. Regardless, those who work smarter will get to mastery faster.
The true implications of Gladwell’s 10,000 hours will shift resources, training, and strategy in a new direction not planned for in prior years simply due to the recent number of breaches in both public and private sector organizations.
Corporations and public sector organizations will expect and, yes, demand that their IT organizations be the protectors of their data and information. Organizations that already have experience and expertise in security management maturity (policies, procedures and practice) will certainly be ahead of the wave. Organizations that are ad hoc or have a low level of security management maturity must reach out to and build solid relationships with professional security vendors and consultants to develop effective strategies for improving the protection now expected of IT leaders.
[Editor’s Note: This post is part of the annual “Cutter Predicts …” series.]