As personal, commercial, and government activities continue to migrate to the digital realm, so do criminals. Large-scale cyber attacks are becoming more frequent and more costly for businesses in the United States. Attackers are better funded, more sophisticated, and better organized than in the past, often representing criminal networks or states. Dozens of US banks have suffered cyber attacks over the last year at the hands of foreign attackers. Cyber crooks stole 3.6 million social security numbers and nearly 400,000 credit card numbers and tax data from South Carolina Department of Revenue computers, saddling the state with $20 million in cleanup costs so far.[1] Better security is not going to come cheap. According to Bloomberg, financial services firms will have to boost annual average cyber security spending 13-fold to nearly $300 million each to fend off 95 percent of cyber attacks.[2]
As enterprises and government agencies increasingly adopt cloud, mobile, and social computing, information technology (IT) environments are becoming more difficult to defend. Increasingly, organizations need to accept that security breaches are inevitable. Security strategies need to go beyond defense to include detection, response, and recovery. All this gives rise to a need for new skills and approaches and specialized tools and services, including continuous monitoring and threat forensics powered by analytics.
Cyber security is increasingly becoming a concern among corporate leadership, including boards of directors. A biennial study of enterprise security governance practices by the Carnegie Mellon University CyLab found a sharp rise in board-level attention to the topic. Among companies surveyed in 2012, 48 percent have a board-level risk committee responsible for privacy and security, up from just 8 percent in 2008.[3]