What Is Keeping Your COO Awake at Night?

risk management developed in response to a demand for solutions that minimize risk to a tolerable level. The question became, not how many products are crammed into your system - but what level of risk can you live with?”

Developing risk profiles for clients is a Unisys specialty, with the company’s client roster as its fundament. Having developed a solution that contracts Client A’s risk to tolerable, Unisys has sharpened the expertise it brings to the solution under construction for Client B. This would be especially valuable to Client B if it happens to have a tolerance for risk approaching zero.

“Banks and financial institutions are very vulnerable,” Kelleher said. “And security is not their core competency. Unisys is a leading provider of services to these clients, who either outsource their cybersecurity to us or engage us on a consultancy basis. We also serve a number of federal agencies, notably the Department of Homeland Security.”

Kelleher pointed out that, to a much greater extent than the general public may realize, the U.S. government is under unremitting cyberattack by other governments and other organized groups. The incursion threat — to administration, transportation, disaster response, etc. — changes constantly. Ten years ago, breaking into the Pentagon’s computers was the province of the fame-seeking mischief-maker. It is now the earnest pursuit of entire sovereign nations (some actually have paid for the design of viruses specific to U.S. federal computers) and of organized crime professionals. “The main thrust is now financial,” said Kelleher. “Over the past three to five years, cybercrime has overtaken traditional organized crime focus areas in terms of illegal profits generated.”

IT security evolves along with the dangers. Asked to estimate the size of the market, Kelleher said, “It’s a big number. You will hear anything from $20 billion to $200 billion. What can be said with certainty is that, between government and industry, the IT security market is growing at the rate of 17 percent or 18 percent a year.” That market growth shows no sign of slackening; and demand for cybersecurity services will grow in tandem. What can be expected is a perpetual stand-off between those who would maintain the integrity of their corporate infrastructure and those who would breach it. As the tools in both sets of hands become more sophisticated all the time, what advice does Unisys offer for gaining and holding the advantage?

Obviously, the safeguards have to be shored up. Firewalls alone will not be sufficient protection. Tim Kelleher puts equal emphasis on another line of defense: discussion — candid, regular, ongoing - among American companies, and between corporate America and Washington. Unisys sees every equipment manufacturer as part of the chain of defense. In this area, at least - and against instinct — industry and government have got to acquire the sharing habit. “We need to have an early-warning system,” Kelleher said. “As soon as danger is perceived — a breach, or even an attempt - we have to inform others instantaneously, and mount an effective counterattack. At our company, for instance, when a worm is detected we can be writing and distributing the patch before most of our community of interest even knows that there’s a problem.”

The big challenge here is, of course, the unwillingness of companies to disclose that an invader has infected them and done damage. It is a legitimate concern, especially strong in those with reputations as safe havens. As Kelleher notes, “No bank wants to see on the front page of the New York Times that it’s had a breach, that its depositors’ confidential information has been compromised.”

Can banks and others with a culture of institutional reticence report trouble without paying a penalty in notoriety? Kelleher hopes a way can be found, because he believes the industry-government collegiality he recommends must be learned, and fast. The sun never sets on the flat world created by the Internet; and every computer in that world can access every other.

More
Anotherarea in which Unisys can offer help is compliance with regulatory mandates both general (that is, Sarbanes-Oxley) and industry-specific. Until the culture of self-policing prompted by the Enron scandal takes firm hold, compliance matters may well strain the resources of even a very good in-house legal department. Clients of Unisys benefit from its broad knowledge of what constitutes acceptable due diligence. The company also has a ready familiarity with the imperatives of the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO).