Report: Cybersecurity bigger than an IT problem

Companies that confine cybersecurity concerns to the information technology department put their bottom line at risk, according to a report released Wednesday by the Internet Security Alliance and the American National Standards Institute. The groups produced the report in response to a request in the Obama administration's Cyberspace Policy Review that better financial metrics be placed on cybersecurity hazards.

Highlighting that cyber attacks cost U.S. businesses more than $1 trillion in intellectual property in 2008, the report offers a framework for how companies can better organize themselves to address these threats, which can result in public relations crises and major data breaches.

One of the report's central points is that effective cybersecurity requires effort beyond the IT department, which is not seen as a growth area for companies and is often underfunded. "If anyone still thinks IT is going to solve the problem: ain't gonna happen," said Joe Buonomo, president and CEO of Direct Computer Resources, one of the industry and government stakeholders that helped develop the report. The report suggests that cybersecurity concerns should be handled at the top levels of corporate structure, drawing in the board of directors.

The report also urged companies to think of cybersecurity as a financial problem that should be addressed by companies' chief financial officers. Currently, "all the economic incentives favor the attackers," said Internet Security Alliance President Larry Clinton, arguing that cybersecurity attacks can be executed cheaply but result in substantial gains for the attackers. For this reason, companies need to make greater investments in protection, according to the report.
