Sunday, February 23, 2014

Strong Tone at the Top - the Critical Missing Success Factor in IT Security

New and increasingly sophisticated threats to personal, corporate, and government data are raising the most serious challenges to IT Security ever seen. Advanced Persistent Threats, “Ransomware” and other, previously unknown attack methods are being used to either employed not by bored hackers and scam artists bent on malicious mischief or petty crime, but by professionals working for international  cybercriminal gangs, terrorists, even governments.

All of this increases the importance of a positive Tone at the Top – a demonstrated commitment by CEOs and Boards to a risk-aware culture that translates to individual personal commitment at every level of the organization. 

One of the first Chief Executives to recognize the importance of Tone at the Top was Harry Truman - PRESIDENT Harry Truman. His famous desk sign that said "The buck stops here" was meant to establish that he was the person finally accountable for any failures that happened anywhere in his Administration.  The unspoken message delivered EVERYWHERE in his administration was that, before the buck finally stopped at the President's desk, it had to travel past every other desk, where everyone had an opportunity, and a responsibility to do the right thing, avoid doing the wrong thing, and fix what had been broken before it was too late.

All of us are familiar with the results when the Tone at the Top message says "The buck must have gone by when I was busy discussing my stock options with the Compensation Committee".  Just think of BP and the Gulf Coast Oil Spill, or JP Morgan Chase and triple-A-rated mortgage-backed securities that turned out to be junk.

In fairness, according to several recent surveys, CEOs and CFOs are becoming more aware of the linkage between IT Security and corporate risk.  But as PWC's Global State of Information Security Survey for 2014 shows, senior executives are finding it hard to keep themselves, and their companies, ahead of determined cybercriminals armed with increasingly sophisticated tools and methods.

As a result, while Tone at the Top is slowly improving in regard to IT Security, it has a long way to go. Weak Tone at the Top now often takes the form of an enduring intellectual laziness about technology and its risks, and a disconnect between rhetoric and resources. It can show up in a naïve belief that technology without enough dedicated professionals to monitor and respond to it can provide security all by itself.

Weak Tone at the Top can also take the form of a deafening silence from Executive Management about the importance of risk-aware behavior on the part of all employees, including executives themselves. Executive self-exemption from personal responsibility for IT Security is behind some surveys that show over 30% of security breaches being traceable to senior executives. Regular communications from the top down, all reflecting  a consistent message about how to identify and avoid cyberthreats are the exception, not the rule, while "You're all in this together" is what most employees hear.

Finally, weak Tone at the TOP manifests in a failure to tie promotions and bonuses to risk-aware performance by managers as well as subordinates. When executives whose errors of omission or commission lead to security breaches are not held accountable, the message to everyone else is clear: Management talks a good game, but doesn't play one.

If Tone at the Top is to support the increasing demands on IT Security executives and their staffs, Executive Management needs not only to talk about how seriously it takes security, but match its rhetoric with a few simple, diligently-applied principles.

First, recognize that the risk universe is expanding and evolving faster than ever, that today's cyber criminals are more capable than ever, and that they are also more ambitious in their goals than ever. Basing today's security strategy on yesterday's threat landscape is the 21st Century equivalent of Maginot Line thinking. To meet the kinds of threats posed by today's cyber criminals requires imagining what they imagine and creating the kinds of defenses that match their imagination.

By definition, this cannot be done with overworked, shrunken staffs. Cutting security staff and failing to invest in security technology in the name of efficiency usually has the opposite effect. Since the Great Depression, companies that have blindly cut costs have almost always fallen behind in competitiveness to companies that look for – and usually find – real efficiencies in technology-enabled business processes.

Second, hold the most senior person in the organization accountable for major security failures. This is the toughest challenge in improving security-related Tone at the Top. But only when a CEO, a CFO, a COO or even a Chairman of the Board knows that he or she can be fired for a failure of security all the way at the bottom of the organization will EVERYONE know that Executive Management is living up to its own rhetoric.