Information security is a top priority for Blackstone Group, both at the corporate level and within its portfolio of companies. It’s established an information risk and security community across more than 50 if its largest portfolio companies, where chief information security officers and other senior personnel exchange ideas on almost a daily basis about how to protect their companies.

Blackstone earlier this year acquired a majority stake in Accuvant, a provider of information security solutions and services. Blackstone has also made small minority investments in emerging security companies, including Carbon Black/Bit9, iSIGHT Partners, WatchDox, and Cylance.

“I have had the opportunity to work with some of the security investments that we’ve made,” Jay Leek, Blackstone’s chief information security officer, told Markets Media. “We’ve done four VC-like security investments over the past couple of years, and I have been heavily involved in three of them, and then we did our first private equity cybersecurity investment earlier this year also. So I’ve had the opportunity to be very engaged in the private equity investment side as well.”

The increased prevalence and complexity of cyber-attacks has made information security a board-level issue at corporations across the world. Blackstone has committed significant time and resources to evaluating the industry landscape and key vendors in the market.

“We’re constantly thinking about the cyber threat landscape, and obviously that continues to become more and more dangerous as we’re all aware,” said Bill Murphy, chief technology officer at Blackstone. “Our belief is that it’s getting more and more complex. We want to be able to react quickly and make sure that any cyber attempt is thwarted very, very quickly, even after possibly bypassing first or second line of defense. We think that kind of layered security approach is extremely important.”

The increased use of cloud-based computing represents a potential security risk, one that’s assuming critical importance for outsourcing decisions. “The issue is how you go about doing third party risk assessments for your cloud vendors,” Leek said. “Anytime you’re putting something into the cloud, there’s a vendor attached with that and their process for accepting your data, processing your data, and hopefully treating it like their own, is extremely important.”

There are multiple information risk and security considerations in deciding to put anything into the cloud, much less deciding on a vendor to partner with. “Whether you’re moving a process, or planning how your data’s being managed throughout the entire life cycle, it’s very important to consider this upfront, during and then after,” said Leek.

The number one cyber security risk, according to Leek, is the non-malicious, well-intending insider. “That could be the insider that’s in my organization that’s an employee of our firm. It could be an employee of XYZ cloud vendor that we’re looking to use. They’re trying to do the right thing,” Leek said. “In the process of doing that maybe they circumvent some process to make it easier to streamline or make it more efficient, but they put your information at risk.”

The second biggest threat comes from outsiders, whether it is someone trying to steal information from an organization, and the third is the malicious insider.

“This is your employee or insider contractor, whoever it may be, that is intentionally trying to steal something or disrupt something,” said Leek. “Then I would say the last threat would be ‘hacktivism’, where they’re trying to disrupt your service through denial of service or to create havoc with your business and not necessarily steal anything, but inflict harm to your organization as a result.”

Featured image via Dollar Photo Club