[ISN] What your CEO thinks about security (and how to change it)
InfoSec News
isn at c4i.org
Thu Oct 21 04:11:29 EDT 2004
http://www.computerworld.com/securitytopics/security/story/0,10801,96803,00.html
Advice by Larry Ponemon
OCTOBER 20, 2004
COMPUTERWORLD
Up to now, enterprises' security budgets have been so lean they could
almost be considered anorexic. That's because CEOs have considered
security as necessary but haven't bought the argument that there is an
economic advantage to going above a minimal level of security.
Unfortunately, CEOs have persisted in focusing on four basic questions
that too often stump the most savvy IT professionals:
* What is the security return on investment?
* What is the probability of a catastrophic security failure?
* What is the cost of self-insuring against security risks?
* What are the tangible benefits of being an industry leader for
security?
To help IT professionals talk to CEOs about security issues, a newly
formed think tank called the Security Leadership Institute, sponsored
by Unisys Corp., has conducted in-depth interviews with CEOs and board
members. Board members of the institute (including myself) --
recognized security experts from business and government --
interviewed more than 25 CEOs and public-sector agency chiefs,
focusing on what they think the value proposition of security is to
their enterprise. We believe that the results from our work will help
IT professionals make the case for the many benefits that can be
realized from a more robust investment in security.
What We Learned
Most CEOs interviewed in our study viewed both physical and
information security as purely tactical, rather than as a strategic
imperative. In their minds, security means either protection of assets
or prevention of IT-related risks, such as hacking attacks and other
cybercrime. Some CEOs viewed security as an element of a larger
business risk-management process. In almost all cases, though, CEOs in
the private and public sectors did not embrace security as something
directly related to corporate mission or strategy.
In short, the CEOs' perspective was consistent with what we already
knew: they view security as an operating necessity, not as a
business opportunity or marketplace advantage. The following are a few
of the comments these leaders made when asked to explain, in their own
words, the value proposition of security:
* Security is all about preventing bad behavior from affecting our
organization.
* The only value of security is the prevention or fast detection of a
breach or violation.
* There is no real value in becoming the industry leader or exemplar
for security.
* Too much security and a control orientation will prevent our
organization from taking justifiable risks.
* Most security technologies don't work and are a waste of time and
resources for our company.
* Security spending is a pure cost of compliance.
* Security is best handled as a middle management responsibility.
* Most security problems occur because of sloppy internal procedures
rather than poor IT controls and safeguards.
Despite the consistently nonstrategic tone of the responses, we
decided to probe further based on our gut instinct that there was
something more to learn. We believed that CEOs understood the
consequences of bad security practices but couldn't quite articulate
the value proposition of good security. So we asked questions that
focused on outcomes or consequences of maintaining a secure
environment.
The Trust Factor
The answers to those additional questions revealed that CEOs fully
acknowledge the value of having a secure environment as a way to
protect brand and reputation. In their minds, superior IT and physical
security practices are necessary to achieve organizational
trustworthiness in the eyes of key stakeholders.
According to our interviewees, organizations that do it "right" in
reaching a high trust status achieve real advantages, such as employee
productivity, customer loyalty, product or service innovation, reduced
failure and decreased compliance risks.
We asked them to define what they would consider to be a trusted
enterprise. The definition below is based on common themes that
emerged from our discussions.
"The trusted enterprise is an organization embracing a set of
corporate values and behaviors that guide all business practices.
It is a highly ethical organization that treats its customers,
employees, partners and shareholders with respect and stewardship.
The CEO and board are deeply engaged in managing the organization's
operating risk in a way that delivers maximum value in a safe and
secure environment."
We collected several interesting case histories from CEOs that help
explain their view of the benefits of becoming a trusted enterprise.
Here are just two examples:
* A regional hospital is investing heavily in technology to increase
facility security and protect its patients, particularly infants. It
recently implemented a wireless solution to track employee movement
within the hospital. Although there were initial concerns from
nurses that tracking would be used as a tool to measure productivity
surreptitiously, they soon discovered the real benefits. Not only
did patients and newborns' parents gain greater security and peace
of mind; the messaging capabilities also allowed more mature
patients to communicate their care needs directly to their nurses
rather than through room-to-room paging systems. Nurses found that
the tool helped them deliver superior patient care.
* A Canadian technology company working to comply with U.S. Department
of Justice security requirements discovered the unintended benefits
of speed and operational excellence. As they sought to meet security and
network availability requirements, they developed new processes and
applications that reduced their computer restore and repair time
from a day to minutes. They are now exploring packaging these
applications to create a new set of products and services to offer
their customers.
Becoming a Trusted Enterprise
So, what does it take to become a trusted enterprise? First, according
to the CEOs, a trusted enterprise manages its security
responsibilities in a more holistic way than less trusted ones. For
example, trusted organizations are more likely to integrate security
into core business processes and to establish oversight and governance
through cross-functional teams that span the entire enterprise.
Second, they know it is important to have a highly secure environment
to protect brand and image in the marketplace. For example, trusted
organizations are more likely to have implemented IT resilience to
endure attacks by malicious employees or hackers.
According to CEOs, the trusted enterprise achieves harmony between
security and business goals by pursuing four basic operating
principles.
* Proactive management of operational risks, such as security and
internal controls, by paying close attention to early indicators of
problems that might diminish the entity's brand or reputation in the
marketplace.
* Transparency in core operating practices, especially those
concerning the ethical use and sharing of sensitive or confidential
business information.
* CEO and board understanding of the organization's risk profile,
providing executive-level support and necessary resources to achieve
security goals.
* Compliance-savvy culture, with clear accountabilities for security
and control promoted and vigorously monitored throughout the
enterprise.
Take Action
If you find it hard to talk security with your CEO, here are five
issues with potential business impact that resonate with top
executives and could be excellent points to include at your next
meeting:
1. We need to stay ahead of the curve on new and emerging regulatory
requirements.
2. We will aim to have fewer network security breaches and downtime
from network failure.
3. Our programs will provide better control over assets and our
intellectual properties.
4. We will empower employees to understand their responsibility in
creating a secure workplace.
5. We will create a culture that respects the importance of protecting
information entrusted to the company's care.
While security may not be a top-of-mind consideration for senior
executives, the Security Leadership Institute's research indicates
that trust will get their attention. We now believe that CEOs really
can see the need to incorporate security as a foundation for their
trusted enterprise.
Dr. Larry Ponemon is chairman of Ponemon Institute, a think tank in
Tucson, Ariz., dedicated to ethical information management practices
and research. Ponemon is an adjunct professor of ethics and privacy at
Carnegie Mellon University's CIO Institute and is a CyLab faculty
member. He can be reached at larry at ponemon.org.