Software Defined Networking and Cyber Security: Why Your Audit Committee is Looking over Your Shoulder

About the author:

George de Urioste is Chief Financial Officer for Pluribus Networks, Inc. In his 30+ years of experience, he has served as Audit Committee chairman for 6 companies, public, private and not-for-profit and CFO at three public companies. He’s also currently active as an audit committee chairman for a technology company.

Now permeating Board rooms across America: Audit Committees challenge CIOs and CFOs to “stop assuming network security protections are adequate!” They ask: “What’s our risk of becoming the next Anthem, Target, Sony, eBay, Home Depot (cyber breach)?”

The perplexing translation of the above question is: how well do we search for something we don’t know, then “lock it down?” The predictable response: a “deer in the headlights” stare from the CIO and CFO.

At a conference for audit committee chairmen, there was quite a somber panelist: He’s a supervising agent for the FBI for northern California. He challenged us with questions to ask our CIOs. I’ll share the story he told (paraphrased for length). First, he explained the FBI’s perspective – it’s “when, not if” your company will be victimized by cyber theft. He emphasized that the percentage of companies being hit is far, far higher than what is reported in the media, because “we at the FBI get calls ‘all the time.'” He explained: most companies are too embarrassed and avoid public disclosure. Why? Part of the reason is that in most circumstances, the cyber thieves have been inside the network undetected for significant lengths of time, before the company discovered the breach and damage.

Here’s his story/analogy: Assume your data center / network is like a building with 40,000 windows. Wisdom requires your windows have locks and security alarms. So you do and you feel safe; you assume your detection mechanisms give you security and visibility. You’re feeling comfortable, but it’s a false sense of risk assessment, he says. The FBI supervising agent further explained: Technology evolves faster than organizations are able to react and adapt. Move aside the porn industry; it’s now the cyber-criminal industry blazing new trails of surreptitious innovation (and what an industry it’s become, with Anthem’s breach being an example). In short, your windows leak.

His commentary continued: companies invest heavily in preventing infiltration and to a lesser degree “detection.” The question he posed for us Audit Committee chairmen to ask the CIO and CFO: How do you prevent exfiltration? The FBI supervising agent elaborated as follows: First, assume you can only minimize, not prevent infiltration. Secondly, regarding detection, you need tools that enable deeper visibility into your network. Existing network security tools are very good.

However, the inherent design of data flow in networks enables no shortage of hiding places for cyber thieves. Invest in technology that collaborates with security tools to enhance their potency. Third, when detection occurs, too often network operators lack an agility of immediate control to prevent exfiltration (that is, prevent the cyber thief from getting out). In short, invest more in tools for “change management.” Damage can be greatly minimized by “locking down” and preventing valuable information from getting out (exfiltration).

As trusted business advisors, CIOs and CFOs and their teams must be aware of the latest technological innovations and their impact on organizations. SDN as a programmable and proactive security architecture can be a major element of this. The more agile the network, and the more visibility it provides into traffic anomalies, the more active vs. passive protection it can provide. And although CIOs are still judged on network uptime and issue resolution, these are all known elements given proper network design. It is the unknown, as I noted above, that should keep CIOs up at night…the unknowns that can kill a firm’s reputation.

Afterword:

In fact, the CIO and CFO are very adept at fighting the good fight with Cyber thieves. And most are eager to “take’em on, shut’em down.” As one of my CIO friends said: “You wanna mess with my Network? I’ll smoke you out faster than a greased monkey slides down a tree.”


About the Author

George de Urioste

George de Urioste’s career includes Chief Operating Officer and Chief Financial Officer roles for several companies, including Marvell Technology, Chordiant Software and Remedy Corporation. He has also been an active senior advisor to Ricoh and Arrayent. As CFO, Mr. de Urioste led Remedy through a highly successful IPO and continued expansion. He currently serves as Board Director and Audit Committee Chairman for Bridgelux, Inc. and Vendavo, Inc. and has past public company Board experience. His 30+ years of experience include serving as past President of Financial Executives International in Silicon Valley. George is also a CPA (inactive).