
Security is Big Business in Massachusetts

By Barbara Bix

Barbara Bix helps business leaders uncover, crystallize, and exploit opportunities to gain the competitive edge. Twitter: @maxopportunity

Despite the pouring rain, the Mass TLC's conference on The Business of Security: Impacting Your Company's Resiliency, Reputation, and Revenue attracted a large crowd interested in learning more about the evolving role of security in business in general, and about the opportunities this growth will create in Massachusetts in particular.
Over the course of the day, participants heard from thought leaders, practitioners, CEOs of successful Massachusetts security companies, founders of startups, and investors. Perhaps equally valuable, they had the opportunity to discuss shared concerns with both the experts and their peers.
I personally walked away with a lot of great information.
Follow the link above to see the agenda, speakers, and session formats. Immediately below, I share key takeaways.
Security has become a major issue for businesses
In the past, most conversations about security happened among security geeks and technologists. Today, that conversation is moving into the executive suite and the boardroom as the quantity and business impact of security breaches become more visible. Front-page news articles about breaches at major corporations, and the accompanying losses, have made this issue impossible to ignore.

Security begins with awareness
According to keynote speaker Emily Mossburg, Principal at Deloitte & Touche LLC, security is now on the agenda at board meetings and executive committee meetings. This is a propitious time to ask for more people and budget to protect company data.
Nevertheless, it was apparent from listening to both Mossburg and the other speakers that obtaining the necessary resources will take greater awareness at all levels of the organization, as to both the magnitude and the nature of the problems. Sam Curry, CSO and CTO at Arbor Networks, recommended a surefire way of ensuring that security issues stay top of mind at the board level: add security professionals to your board.
To help build greater awareness, Mossburg recommended speaking to the organization's mission and to leadership's business objectives. Paint the picture using Gartner studies about security spending, and describe the business risk of a single hole. Help leadership understand the tradeoffs between rapid development and data protection. Explain that priorities such as innovation and data sharing have placed organizations in "catch up" mode, and that the business strategy now needs to be aligned with security imperatives.
Mossburg also said that we need to change the perception that things aren't improving. We need to do a better job of expressing progress. Adversaries are sophisticated and move quickly. The message should be that we have more governance and better technology, but that we will never be done.
When a participant pointed out that not everyone has access to the board, others recommended enlisting partners from other departments to help make the argument. As examples, they pointed to successes they had had working with Legal, Compliance, and Finance. Each has a vested interest in greater security, and a lot of experience framing conversations in terms that business leaders understand.
Sales can also help. Gretchen Herault, deputy chief privacy officer at Nuance, told us that prospective customers often want to know about Nuance's security practices before they will close the deal. Failure to provide ready answers can delay the sale and/or negatively impact revenue.

Organizations need to manage security the way they manage other risks
Despite increased awareness, several speakers discussed the difficulty of getting boards to place a priority on mitigating a risk versus generating profits. Executives and boards tend to use financial metrics such as revenue, costs, profitability, and return on investment to measure success or failure and to compare alternative investments. The costs associated with risks, and the benefits of risk mitigation, are harder to measure.
In the case of security risk, costs include prevention and, in the case of a breach, restitution of direct financial losses. They also include less measurable costs such as brand diminishment, which can lead to lost sales and customers, price erosion, and a reduced ability to take on debt or attract investors.
As one speaker noted, businesses take risks all the time. It is a question of taking the right risks. Businesses never secure against all risks; it's too expensive.
Sam Curry said it is the same conversation that boards have about opening a business in a new country. Public companies need to articulate the degree of exposure. Then they need to figure out what they can do to prevent risk, which risks are acceptable, which risks they will transfer (for example, to suppliers), and which risks they will mitigate. Businesses need tools and processes that will help them manage security risk in the same way that they manage legal risk or operational risk.
Businesses need to thoroughly review contracts every time they come up for renewal, to ensure they keep current with the changes in our understanding of security risk and prevention. For example, companies have long used service level agreements (SLAs) to transfer risk to software vendors. Now they are also implementing risk level agreements (RLAs) to transfer security risk.

Technologists need to speak in languages that businesses understand
Another point that came up in session after session is that successful execution will depend on technologists learning to speak in terms that businesses understand. Mossburg said we can no longer talk about bits and bytes. Mary Buonanno, VP of IT at Steward Health Care, stressed the importance of speaking in terms the business can understand. At a hospital, she noted, that can mean talking about how a lack of security can harm patients.
Learning a different language starts with immersion. Speakers recommended arranging opportunities for the people building products to really get to know your customers. Also, after a breach, bring all the groups in the company together to discuss plans for remediation.

Security is a hard problem to address
Completely securing a company's data is impossible, because there will always be a new threat. That said, security is also a hard problem to address even within the realm of the possible.
Security is a many-layered problem. Prior to the Internet, companies could prevent many breaches by physically securing the perimeter and on-premises devices such as servers. Institutions with higher security concerns have long employed tactics such as encryption and authentication.
Today, prevention is much harder. Data no longer stays within the company boundaries. Businesses are now highly distributed and decentralized.
Employees use personal portable devices such as laptops and mobile phones that may be outside a company's span of control. Moreover, many employees work remotely, at least part of the time.
Company departments regularly exchange data with customers, suppliers, and other third parties over whom they have even less control. Next up is the Internet of Things. As the Target breach, which began with network credentials stolen from the retailer's HVAC contractor, has already demonstrated, every such connection is a potential entry point, and this innovation will significantly multiply the challenge.
Because security is a many-layered problem, it requires many layers of defenses. Many speakers warned that achieving adequate security requires awareness and discipline across the organization, at all levels. All devices, applications, systems, software, and interpersonal activities and interactions are opportunities for exposure.

People are often the stumbling point
Security technology is just the starting point. Attention to people and processes is equally important. And because change is hard, and people take the path of least resistance, both technology and processes must be highly usable.
Some sectors, such as government, and in particular the Department of Defense, have long made security a top priority. Financial institutions have also done so, albeit to a lesser degree. According to the speakers, these sectors are further along when it comes to implementing widespread processes for securing data, and the training and incentives that increase the probability that people will follow them.
That said, most companies are just beginning to address security issues. One obstacle has been that prevention is burdensome. It takes time and money. Worse, it requires compromise, adoption of new processes, and, hardest of all, behavior change.
A few examples of such compromises include accepting slower response times for encrypted data, extended time to market for software that incorporates security features up front, and time-consuming multi-step processes (such as sending data over a secure channel rather than via conventional email, or taking a few minutes between tasks to file papers containing sensitive data rather than leaving them on a desktop).
In many cases, the technology is there, but awareness, processes, training, and usability need to catch up. One speaker told us that the vast majority of breaches occur because companies fall behind in applying the security patches their software vendors provide. Another warned that open source software, which can speed development, often harbors viruses and other security threats. A third said that her clinicians worry that security measures will interfere with patient care, especially in an emergency where every second matters.
These are but a few examples. One of the participants at the unConference session I attended referred us to a four-part Fortune article about the Sony breach. He uses it with his management to raise awareness of the non-technical gaps that lead to breaches.

Advice for managing the people issue
Speakers recommended strategies and tactics for managing the people issue. Sam Curry recommended equipping people with checklists. Mary Buonanno and Omar Hussain, CEO of Imprivata, stressed the importance of ease of use.
A number of people pointed to the need to distribute ownership of the problem throughout the organization, and for that matter up and down the supply chain. As Charlie Schick from Atigeo asked, "How do we get partners to be as paranoid as we are?"

One recommendation was to keep asking questions about people, processes, and technologies. In the same spirit, many companies now require their vendors and suppliers to undergo security audits.
