Strong Tone at the Top - the Critical Missing Success Factor in IT Security

New and increasingly sophisticated threats to personal, corporate, and government data are raising the most serious challenges to IT Security ever seen. Advanced Persistent Threats, “Ransomware” and other, previously unknown attack methods are being used to either employed not by bored hackers and scam artists bent on malicious mischief or petty crime, but by professionals working for international  cybercriminal gangs, terrorists, even governments.

All of this increases the importance of a positive Tone at the Top – a demonstrated commitment by CEOs and Boards to a risk-aware culture that translates to individual personal commitment at every level of the organization. 

One of the first Chief Executives to recognize the importance of Tone at the Top was Harry Truman - PRESIDENT Harry Truman. His famous desk sign that said "The buck stops here" was meant to establish that he was the person finally accountable for any failures that happened anywhere in his Administration.  The unspoken message delivered EVERYWHERE in his administration was that, before the buck finally stopped at the President's desk, it had to travel past every other desk, where everyone had an opportunity, and a responsibility to do the right thing, avoid doing the wrong thing, and fix what had been broken before it was too late.

All of us are familiar with the results when the Tone at the Top message says "The buck must have gone by when I was busy discussing my stock options with the Compensation Committee".  Just think of BP and the Gulf Coast Oil Spill, or JP Morgan Chase and triple-A-rated mortgage-backed securities that turned out to be junk.

In fairness, according to several recent surveys, CEOs and CFOs are becoming more aware of the linkage between IT Security and corporate risk.  But as PWC's Global State of Information Security Survey for 2014 shows, senior executives are finding it hard to keep themselves, and their companies, ahead of determined cybercriminals armed with increasingly sophisticated tools and methods.

As a result, while Tone at the Top is slowly improving in regard to IT Security, it has a long way to go. Weak Tone at the Top now often takes the form of an enduring intellectual laziness about technology and its risks, and a disconnect between rhetoric and resources. It can show up in a naïve belief that technology without enough dedicated professionals to monitor and respond to it can provide security all by itself.

Weak Tone at the Top can also take the form of a deafening silence from Executive Management about the importance of risk-aware behavior on the part of all employees, including executives themselves. Executive self-exemption from personal responsibility for IT Security is behind some surveys that show over 30% of security breaches being traceable to senior executives. Regular communications from the top down, all reflecting  a consistent message about how to identify and avoid cyberthreats are the exception, not the rule, while "You're all in this together" is what most employees hear.

Finally, weak Tone at the TOP manifests in a failure to tie promotions and bonuses to risk-aware performance by managers as well as subordinates. When executives whose errors of omission or commission lead to security breaches are not held accountable, the message to everyone else is clear: Management talks a good game, but doesn't play one.

If Tone at the Top is to support the increasing demands on IT Security executives and their staffs, Executive Management needs not only to talk about how seriously it takes security, but match its rhetoric with a few simple, diligently-applied principles.

First, recognize that the risk universe is expanding and evolving faster than ever, that today's cyber criminals are more capable than ever, and that they are also more ambitious in their goals than ever. Basing today's security strategy on yesterday's threat landscape is the 21^st Century equivalent of Maginot Line thinking. To meet the kinds of threats posed by today's cyber criminals requires imagining what they imagine and creating the kinds of defenses that match their imagination.

By definition, this cannot be done with overworked, shrunken staffs. Cutting security staff and failing to invest in security technology in the name of efficiency usually has the opposite effect. Since the Great Depression, companies that have blindly cut costs have almost always fallen behind in competitiveness to companies that look for – and usually find – real efficiencies in technology-enabled business processes.

Second, hold the most senior person in the organization accountable for major security failures. This is the toughest challenge in improving security-related Tone at the Top. But only when a CEO, a CFO, a COO or even a Chairman of the Board knows that he or she can be fired for a failure of security all the way at the bottom of the organization will EVERYONE know that Executive Management is living up to its own rhetoric.

Big Ideas to help counter structural unemployment

In January, Martin Ford's blog Future Technology and Economics carried a post called Jobless Recovery and the Jobless Future.  A very interesting post with links to other very interesting posts.  Ford says

In the past two decades, information technology has advanced dramatically and is increasingly being employed to eliminate jobs of all types. Job automation technology, together with globalization, has been the primary force behind the stagnant wages and diminished opportunities for less educated workers we've seen in recent years.

Ford is right about the last two decades, but this trend actually began as far back as the beginning of the 20th Century, when the first telephone switchboards came on line. Every major economic downturn since then has been followed by a technology wave that caused permanent job losses. Amy Bix talked about this in her 2000 book Inventing Ourselves Out of Jobs?: America's Debate over Technological Unemployment, 1929--1981.

Since the late 1960s, every veteran information systems professional - including me - has witnessed company after company invest in new technology in order to either not add jobs or to cut them. Wage stagnation and diminished opportunities also go back a lot further than two decades, and helped cost Jimmy Carter his second term.

Don Peck's essay How a New Jobless Era Will Transform America, in the March issue of the Atlantic monthly, and Peter Goodman's The New Poor - Millions of Unemployed Face Years Without Jobs in this Sunday's New York Times only add to what we already know - our familiar economic model, based on continuous consumption and consumer debt, no longer works as an engine of good jobs.

If we want those jobs to start growing again, or to at least mitigate the effects of increasing structural unemployment, we will need a new model, based on sustainable principles, including people-intensive R&D, production, distribution, and servicing.

Here are some big ideas that could jump start a Sustainable American Economy. I believe they could, if  nothing else, turn structural unemployment from a deadly threat to America's future into a manageable condition:
 .
A National Sustainable Infrastructure Project. Felix Rohatyn's 2009 book Bold Endeavors: How Our Government Built America and Why It Must Rebuild Now (New York: Simon and Schuster, 2009) describes how ten National Projects transformed and renewed the US economy, and created millions of private-sector jobs. Rohatyn's list includes

1. The Louisiana Purchase
2. The Erie Canal
3. The Transcontinental Railroad
4. Land-Grant Colleges
5. The Homestead Act
6. The Panama Canal
7. The Rural Electrification Commission
8. The Reconstruction Finance Corporation
9. The GI Bill
10. The Interstate Highway System

Even if we add the Apollo Project and the Internet, it's obvious that the United States has not had a National Project in over three decades.  And the last one on his list arguably contributed more than any other factor to our national dependency on fuel-inefficient cars, the decline of passenger railroads, suburban sprawl, and the economic destruction of urban centers.

But the others had the collective effect of turning the US into- until recently - the greatest economic power in history.  Every dollar invested in the Land Grant Colleges, for example, has resulted in many times that amount in local jobs and tax revenues, new companies, and advances in technology.

The deterioration of our national infrastructure threatens to undo even the possibility of an American economic renaissance.  We could expand Rohatyn's basic concept to create a new and sustainable national infrastructure, funded by a National Infrastructure Bank. Such a new National Project would not only secure a place for the US in the new global economy, but would likely create millions of new jobs from the day it begins.

Property Assessed Clean Energy (PACE) Bonds. Affordable energy conservation and efficiency loans advocated by PACE Now, and attached to the home rather than the homeowner would make these investments almost "an offer you cannot refuse".  Homeowners would see a quick and permanent drop in their energy costs, usually exceeding the cost of paying back the loan.  PACE-secured loans would create major opportunities for sustainable home renovations that would dramatically reduce energy consumption.

A National Industrial Strategy.  An aversion to anything that smacks of national planning runs deep in American culture.  But crises create opportunities to force people to rethink.  A national industrial investment strategy built around sustainable technologies and local economies may be essential if the US is to once again become competitive with rising economies around the world.

Do we actually NEED mandates to ensure (near) universal health care coverage?

If we want to stop scaring off libertarians and get them on the side of universal health insurance coverage, here's one way to do it:  Make every adult legally responsible for every nickel's worth of health care services they receive.

That's right. Have every doctor and every hospital make every patient, including emergency room patients, sign a form assuming full financial responsibility for the services they receive, and include a warning that their financial resources may be seized if they default.

At the same time, give the same patients a disclaimer saying that their financial obligations can be met through either their own funds or through insurance coverage. Empower the same providers to offer immediate, guaranteed private insurance coverage to anyone who shows up with no insurance. Allow the providers to act as agents for a list of qualified insurers, all of whom offer the same basic package, and add-on options at the same regulated rates. Give them the option of paying the first premium on the spot or getting a bill.

If you had a the completely free choice between having everything you owned seized if you didn't pay your medical bills and getting guaranteed insurance coverage for the same services, which would you choose?

We don't have to kill the health insurance industry to reform it.

I am convinced that we are fighting for health insurance reform on a battlefield chosen by the enemy. Pushing for a public option as the only way to reform the current system has played into the hands of skilled lobbyists, propagandists and politicians working against the public interest. Insurers and their allies on the Right have been effectively leveraging the public option to tap into the cultural paranoia about government that still runs deep in much of America.

In fact, a public option is a means, not an end, and we need to start treating it as such. If we focus on the end - guaranteeing access to affordable health care to everyone who needs it - there are several possible means to that end.

Why not start by targeting the specific industry abuses that Wendell Potter talked about in his June 24 testimony to the Senate Committee on Commerce, Science and Transportation? We have known for decades that many of the worst defects in our health care system are directly traceable to the abusive practices of a politically-powerful for-profit health insurance industry. Legislating these practices out of existence would be as effective as a public option. It would also be much easier than trying to argue with people who think that Sarah Palin makes sense.

Here are a few things we can and should start fighting for:

1. Rewrite ERISA, the horribly misnamed Employee Retirement Income Security Act of 1974. As this 2001 study shows, ERISA has pre-empted meaningful state laws regulating health insurance companies. One such law, a Texas law signed by then-Governor George W. Bush allowed lawsuits against abusive practices of health insurance companies. Until the Supreme Court overturned it - and barred any other state from passing similar legislation - the Texas law had resulted in dramatic reductions of insurer abuses in the name of profit. Simply adding a sentence that says ERISA cannot be construed to pre-empt state regulation of health insurance companies would be a body blow to the entire industry.
2. Outlaw rescissions, sometimes called post-claim underwriting. When I say outlaw, I mean criminalize the practice of retroactively canceling coverage for people who file legitimate claims. And when I say criminalize, I mean make any executive who orders or authorizes rescissions subject to massive fines and jail time. And when I say massive fines, I mean prohibit anyone from covering the fines on behalf of the perpetrator.
3. Require any insurance company operating in more than one state (including holding companies with multiple single-state divisions) to be subject to strict rate regulation by independent rate boards.
4. Require any insurance company to cover any person, regardless of pre-existing conditions, who applies for coverage, and to pay claims within 15 days of receipt, period.
5. Prohibit cancellation of group coverage for small businesses based on claims histories.

There are probably a dozen more practices that you and I could name, and whose demise would mean the end of predatory health insurance business models. Going after these, which NO one but a Limbaugh can defend, would keep the insurance companies as honest as pushing a public option that is becoming little more than a lightning rod for opposition.

Focusing on single-payer health insurance confuses strategies with goals

We need to start thinking more critically, and less ideologically about health-care reform. Focusing exclusively on a single-payer system confuses strategies with goals. Ignoring the mixed public-private systems that work all over Europe plays into the strategy of those who have no such confusion. THEIR goal is clear: protect the unregulated freedom of health insurance companies to ration coverage and care in order to maximize profits and executive compensation.

In February, the Organization for Economic Cooperation and Development issued a report on the deficiencies of our current system, with detailed recommendations for reform. The OECD report focuses on issues that get too little attention from political interest groups or the media. This is a serious report and demands a serious read.

Also, in July 2001, the Heritage Foundation issued a report on European health care systems that really surprised me. Although the report is eight years old, it contains some still valuable findings and still useful recommendations. Of course, this was in 2001, before September 11, and before the Bush Administration had fully demonstrated its total allegiance to free-market absolutism.

Predictably, the report was overly critical of the flaws of the European systems, especially, and also predictably, the French. But they also included reasonable “lessons learned”, and virtual endorsements of guaranteed, affordable coverage for all.

Most surprising: all the European models Heritage discussed, except the Swiss, combine publicly guaranteed insurance with private supplemental insurance. And all the flaws are both marginal and correctable. I have always distrusted Heritage because of its ideological bias toward unregluated free markets. But, in this report, the knee-jerk, evidence-free rejection of government regulation of the health care industry, which Cato and others still embrace, is missing.

On this occasion, and perhaps unintentionally, they went off the script. They got a few things right that we can actually leverage for real health care reform.

Wave and Tidal Energy - again the Next Big Thing?

Thanks to Laurel Krause at Mendo Coast Current for capturing this story from yesterday's Christian Science Monitor.

I live not far from Pennington, NJ, the home of Ocean Power Technologies, but that's not the only reason hydrokinetic energy interests me. Wave and tidal energy resources off the New Jersey Coast could add as much as 100MW to New Jersey's renewable energy potential. That's 50% of the state's still contentious target for onshore wind.

OPTT and other US wave and tidal companies have always struggled in the States, but have gotten a lot of attention from Spain, Portugal, the UK ( especially Scotland) and Northern Ireland. Spanish and Portugese projects have fallen victim to the dryup of alternate energy investments but the US now actually seems interested. If wave and tidal actually take off in the the US, California and New Jersey are probably where they will happen first.

The Electric Power Research Institute (EPRI) maintains a complete directory of active wave and tidal projects, along with extensive reports on wave and tidal R&D. They also published a very informative research report in 2007.

Wave and tidal technologies compete with elevated offshore wind turbines for public and policymaker attention - and funding. They also cost a lot to build and maintain. Another problem is that tidal and wave technologies are still in the early, pre-commercial stage and probably five years away from large scale deployment. While they are coming up to speed, wind, solar, biomass, conservation and efficiency technologies will continue to advance.

That creates the risk that wave and tidal technologies could permanently lag behind in the competition for investment and customers, and remain niche technologies forever. The upside is that niche technologies can do really well if the niche is big enough.

Thinking nuclear

I have always looked at nuclear power with a lot of skepticism. Not because I think it is impossible to solve the plant safety and waste disposal issues, but because I have no faith in the industry's willingness to put those issues first and profitability second.

Still, the idea of safer, smaller, distributed nuclear plants has intrigued me since the 1970s. A recently-updated article on the subject makes the idea seem a little closer to reality.