Few topics today are gaining as much media attention as data security. Business systems at retailers, banks and financial institutions are being hacked routinely.
For a while, it was a trend. It started with Target, followed by The Home Depot, then JPMorgan and nine other financial institutions and brokers. These data security breaches join Dairy Queen, Goodwill, Kmart, Michaels, Neiman Marcus, P.F. Changs, SuperValu and UPS.
Data security breaches can bring down a CEO. Consider Target, where the first large publicized retail hack attack took place. The Target CEO resigned shortly after the story of the breach broke, as did the chief information officer, an executive with a very strong background in information security.
Target’s board of directors was also under significant pressure. Proxy firm Institutional Shareholder Services recommended that investors oust seven board members because the board failed to protect the company. The board members were able to persuade shareholders to re-elect them, but the message was clear: Future data security breaches are considered their responsibility.
Unless actions are taken, there will undoubtedly be more security hacks in the future. Organizations will need to make more aggressive investments to deal with potential security issues. That’s likely why JPMorgan announced plans to double its cybersecurity investment over the next five years.
Generally, data security issues are viewed as the IT department’s responsibility, and framed as hardware and software issues. But at least some of the responsibility rests with the learning and development organization.
Much of what occurs as a data security breach involves business processes, not just the systems hardware and software. Significant vulnerability is tied to the humans who use different organizational systems.
One way to deal with security issues is to hire a consulting company to analyze different systems operations and procedures. This is an expensive alternative, and it provides limited-term protection as businesses become ever more dependent on a global network and hackers grow more sophisticated.
Expensive contracted services are not an organization’s only option to increase enterprise security. There is a learning option, especially when it comes to in-house capabilities to develop security defenses.
Cybersecurity is about managing information-related risks to keep our networks safe and secure. The National Information Assurance Education and Training Program, under the authority of the U.S. National Security Agency and Department of Homeland Security, has designated 44 education institutions as National Centers of Academic Excellence in Information Assurance Education for the academic years 2012-17.
Below is a small sample of Bellevue University’s offerings. One of the most interesting things about this particular sample is the connection between data security threats, fraud and business operations. (Editor’s note: The author works for Bellevue University.)
CIS 608: Information Security Management
Identify vulnerabilities and threats associated with information assets. Implement policies, standards, procedures and guidelines to ensure confidentiality and integrity of assets.
CYBR 433: Cybercrime and Business
Define the methodologies in committing cybercrime based on real-world case studies. Relate core security concepts to financial matters such as economics, budgeting and accounting. Evaluate cybercrime threats, vulnerabilities and exploits in terms of business functions.
CYBR 545: White Collar Crime
Categorize core concepts related to fraud, cyberinvestigations and protecting privacy. Formulate plans for establishing economic, finance and accounting controls to reduce risk.
Historically, learning organizations have protected their organizations against risk through compliance learning programs. Now this cybersecurity risk has raised its head, and once again learning has the potential to contribute significantly to risk mitigation — this time with an innovative approach to this serious external threat to the enterprise.