
Heart Attack! How does your company identify and mitigate critical security risks?

May 6, 2014 - by Synoptek

The Heartbleed security vulnerability has been in the news for the past 3-4 weeks. Heartbleed is a complex security vulnerability discovered in a widely used internet software tool whose very purpose is to provide security when accessing sensitive data across the internet. By deploying this software, thousands of organizations unknowingly introduced security risks to their most sensitive data. Even some of the best technology companies in the world were affected and distributed the security risk in their own software.

Heartbleed is a serious issue. However, the broader issue for business executives is accountability for securing digital assets and information. Heartbleed provides an opportunity for you to assess how your organization manages digital security and avoid becoming the next Target (recently the victim of a large-scale internet security breach where millions of credit cards were stolen). As an executive with fiduciary responsibilities for securing valuable company assets, what processes should your organization have in place to identify these types of risks? What actions should you be taking when security risks like this emerge?

Five Steps to Use Heartbleed to Assess Your Organization's Ability to Address Security Threats:

1. Identify security risks – Did anyone in your organization identify the Heartbleed security risk as a serious issue and assess the risk for your company? Has your organization confirmed whether you are harboring the vulnerability or exposed to it? Is there someone in your organization, or an external service provider, responsible for identifying such risks in the future?

2. Set criteria for executive review and briefing – What risks should be escalated and what risks should be managed within your company? How does your organization assess the magnitude (materiality) of a risk? Defining specific criteria for communicating threats can help you avoid missing a serious risk. Not all security issues are written about in The Wall Street Journal.

3. Ask good questions – You don’t have to be a computer security expert to ask good questions. What is the root cause? Where did it originate? What is our exposure? What actions can we take to mitigate the risk? If the answers don’t make logical sense, they probably aren’t right. Don’t let computer jargon override your gut sense. Make sure your team can logically explain the situation.

4. Determine action plan – The key is to determine what, if anything, should be done to correct the situation or mitigate the risk. This is a business decision. There is typically a cost to mitigating the risk, and you ultimately have to decide whether the risk warrants the expense of mitigating it.

5. Know what to say – Finally, as an executive you may be asked by investors, employees and customers about a security risk. Make sure you are informed and can articulate your company’s position, risk exposure and action plan in plain terms. How you answer these questions can go a long way toward reassuring key stakeholders. If you are a financial services firm executive, it does not make your investors very comfortable when you are asked about the Heartbleed security issue and your answer is “I don’t know” or “I am not sure”.

By using Heartbleed as a test case, you will quickly get a sense of your organization’s ability to deal with security threats. This may prevent a Heart Attack in the future.