Cyber security has big business on edge. The thought of theft used to conjure up an image of a black-clad robber breaking into a bank vault. Today that threat is increasingly in the digital world.
High-profile hacks on brands from media and entertainment group Sony to online marketplace eBay have made everyone from executives to business students more aware of the risk hackers pose to the online world.
The threats are real, says David Upton, professor of operations management at Saïd Business School. “Any organisation that relies on computer networks, digital information, the Internet or an Intranet is vulnerable to cyber security risks.”
Research has put a spotlight on the dark world of web crime and has uncovered the scale of the damage done to companies and their relationships with customers.
PwC, the professional services firm, says the number of cyber security incidents reported in 2014 by large businesses surged by 48% globally to nearly 43 million — the biggest increase in attacks since 2010. One in 10 reported breaches costing their company more than $10 million annually.
In the past year, hacks on the likes of JPMorgan Chase and US retailer Target have also highlighted a worrying skills shortage. In the US, 200,000 software security positions are unfilled, with a particular shortage of experts on network security, according to Boston Consulting Group, the consultancy.
The buck does not stop with specialist security experts but with managers and executives, who are increasingly aware that they must develop strategies for combatting cyber crime.
There is a growing need to close the gap between technologists and executive boards, according to Mike Loginov, chief cyber strategist at Hewlett Packard Enterprise Security. “Managing cyber risk is fast becoming an essential leadership skill,” he says.
He believes innovation in business education in necessary to bridge the gulf. Along with Sir Kevin Tebbit, former director of Britain’s spy agency GCHQ, he is backing the National MBA in Cyber Security, developed at the UK’s Coventry University.
Coventry believes the MBA, developed with both the university’s business and computing schools, will marry cyber risk management with executive leadership.
Such programs are bringing new tools to business managers. Similar versions have been launched at the business schools of Oxford University in the UK, and in the US at George Washington University, George Mason University, Temple University and Georgia Tech.
Dr Jason Ferdinand, head of the cyber security management research group at Coventry Business School, says radical new technological developments like the “Internet of Things” are fundamentally challenging the theories of organization and management studies.
“Knowledge of cyber security is fundamentally important for successful management,” he says.
J.P Auffret, director of the MS in Management of Secure Information Systems at George Mason University School of Business, likens the shift in mentality to the way IT has barnstormed boardrooms. He says: “Companies are only now just starting to get on top of it.”
Top universities are recognizing the need to blend business and computing departments to produce tech-savvy managers. “The rapidly evolving cybersecurity problems are complex in nature and require a multidisciplinary approach,” says Amjad Ali, cybersecurity advisor and associate vice president at University of Maryland.
Strategies for combating cyber crime are combining education, and the public and private sectors.
As if to underscore the point, US president Barack Obama made a high-profile visit to Stanford University in California in February. Stanford’s White House Summit on Cybersecurity brought together the CEOs of companies including Apple and American Express, with executives at the Department of Homeland Security and the National Security Council, among others.
Legislating against hackers is difficult but the US government in particular has new powers to target significant cyber threats to critical infrastructure, or threats that disrupt websites or networks, or steal trade secrets and financial information like credit card data.
Businesses are desperate for support against fast-changing cyber threats but many have relied on private cyber security companies rather than government for aid.
There are many advantages to business coordination with government but there are barriers – such as the fact that some companies try to conceal breaches, says David at Saïd Business School. Involvement by central government agencies can also raise issues around privacy and confidentiality, he adds.
The answer lies not just in tech solutions but also in people and processes, cyber experts argue.
According to IBM’s 2014 Cyber Security Intelligence Index, more than 95% of all incidents investigated recognize “human error” as a contributing factor, such as losing devices, using weak passwords, and downloading “infected” email attachments.
Serena Gonsalves-Fersch, KPMG UK Cyber Academy lead, says: “Businesses often find that security incidents aren’t caused by a failure in technology, but because employees do not fully understand the role that they must play in protecting their company’s assets.”
Effective management is fundamentally important to fighting cyber attacks, argues Jason at Coventry Business School. He says managers should set strategic direction and allocate resources for tackling cyber crime.
One strategy companies are taking is educating their employees. A new executive education program on cyber security at Saïd Business School is a sign that business is willing to invest. “The scale and potential costs to an organisation means that responsibility for managing that risk lies with the most senior executives,” says David, who is co-director of the Cyber Risk for Leaders Program.
Executive strategies need to focus on prevention and mitigation, as well as planning responses to a crisis, he argues.
Business schools believe that by offering an education in cyber security at the master and MBA level, they will give their students an edge in the jobs market.
Peter Swire, professor of law and ethics at Georgia Institute of Technology who has advised president Obama on cyber security, says there is an “urgent need” to bring tech and management together.
He trains business students as part of the Information Security Strategies and Policy course to imagine themselves as the chief information security officer of a company.
This gives them the confidence to bring value to their organizations. “They advance in their career, however, by being able to apply the subject-matter expertise in a way that helps more senior management,” he adds.
For most business students cyber security knowledge will be an additional skill rather than a set career path.
But Coventry Business School’s Jason says there are many lucrative positions available, with some offering annual salaries of £200,000+, and demand remains strong for management.
Demand is across sectors, from the industrial industries to healthcare to financial services, according to Jeff Tjiputra, associate professor of computer networks and cyber security at UMUC.
“Cyber security is a fast-growing industry, creating many thousands of jobs each year,” says David at Oxford Saïd. Most large companies now have a CISO, and there is a growing number of consultancies and technology companies offering cyber security services, he says.
Combating cyber crime is becoming a lucrative business. The biggest cyber security company, FireEye, floated on Nasdaq in 2013 and has a market cap of $6.7 billion. Cyber security start-ups raised more than $1 billion in a single quarter this year, according to data from PrivCo. Google, Intel and Cisco have all invested heavily in cyber security ventures.
But there remains a long way to go. The UK government’s FTSE 350 Tracker Report shows that only 30% of boards received regular cyber security intelligence from their CISO, and only 24% of companies based their discussions of cyber risk on management information.
“We cannot expect that all our business managers have sufficient training and knowledge to manage cyber security issues,” says Anna V Seferian, vice-dean of the Business & Management Department at Maryland. “But they will have to have knowledge and awareness of the issues that might come up, and how to mitigate [them].”