New and increasingly sophisticated threats to personal, corporate, and government data are raising the most serious challenges IT Security has ever seen. Advanced Persistent Threats, ransomware and other, previously unknown attack methods are being employed not by bored hackers and scam artists bent on malicious mischief or petty crime, but by professionals working for international cybercriminal gangs, terrorists, even governments.
All of this increases the importance of a positive Tone at the Top: a demonstrated commitment by CEOs and Boards to a risk-aware culture that translates into individual personal commitment at every level of the organization.
One of the first Chief Executives to recognize the importance of Tone at the Top was Harry Truman, President Harry Truman. His famous desk sign that said "The buck stops here" was meant to establish that he was the person finally accountable for any failure that happened anywhere in his Administration. The unspoken message delivered EVERYWHERE in his administration was that, before the buck finally stopped at the President's desk, it had to travel past every other desk, where everyone had an opportunity, and a responsibility, to do the right thing, avoid doing the wrong thing, and fix what had been broken before it was too late.
All of us are familiar with the results when the Tone at the Top message says "The buck must have gone by while I was busy discussing my stock options with the Compensation Committee." Just think of BP and the Gulf Coast oil spill, or JP Morgan Chase and triple-A-rated mortgage-backed securities that turned out to be junk.
In fairness, according to several recent surveys, CEOs and CFOs are becoming more aware of the linkage between IT Security and corporate risk. But as PwC's Global State of Information Security Survey for 2014 shows, senior executives are finding it hard to keep themselves, and their companies, ahead of determined cybercriminals armed with increasingly sophisticated tools and methods.
As a result, while Tone at the Top is slowly improving in regard to IT Security, it has a long way to go. Weak Tone at the Top now often takes the form of an enduring intellectual laziness about technology and its risks, and of a disconnect between rhetoric and resources. It can show up as a naïve belief that technology, without enough dedicated professionals to monitor and respond to it, can provide security all by itself.
Weak Tone at the Top can also take the form of a deafening silence from Executive Management about the importance of risk-aware behavior on the part of all employees, including executives themselves. Executive self-exemption from personal responsibility for IT Security helps explain why some surveys show over 30% of security breaches being traceable to senior executives. Regular communications from the top down, all reflecting a consistent message about how to identify and avoid cyberthreats, are the exception, not the rule; "You're all in this together" is what most employees hear.
Finally, weak Tone at the Top manifests in a failure to tie promotions and bonuses to risk-aware performance by managers as well as subordinates. When executives whose errors of omission or commission lead to security breaches are not held accountable, the message to everyone else is clear: Management talks a good game, but doesn't play one.
If Tone at the Top is to support the increasing demands on IT Security executives and their staffs, Executive Management needs not only to talk about how seriously it takes security, but to match its rhetoric with a few simple, diligently applied principles.
First, recognize that the risk universe is expanding and evolving faster than ever, that today's cyber criminals are more capable than ever, and that they are also more ambitious in their goals than ever. Basing today's security strategy on yesterday's threat landscape is the 21st Century equivalent of Maginot Line thinking. Meeting the kinds of threats posed by today's cyber criminals requires imagining what they imagine and creating defenses that match their imagination.
By definition, this cannot be done with overworked, shrunken staffs. Cutting security staff and failing to invest in security technology in the name of efficiency usually has the opposite effect. Since the Great Depression, companies that have blindly cut costs have almost always fallen behind in competitiveness to companies that look for – and usually find – real efficiencies in technology-enabled business processes.
Second, hold the most senior person in the organization accountable for major security failures. This is the toughest challenge in improving security-related Tone at the Top. But only when a CEO, a CFO, a COO or even a Chairman of the Board knows that he or she can be fired for a failure of security all the way at the bottom of the organization will EVERYONE know that Executive Management is living up to its own rhetoric.