So it, all too often, with data security. Everyone assumes it's IT's problem. But then the IT folks explain how they've been fighting a rear-guard action for the past decade as operating units demand more and more autonomy over their own technology needs. And dont get them started about employees who want to use their personal iPhone or bring their tablet from home. When it comes to senior executives, the folks on that floor, there isn't a peep. Because research has already demonstrated that across the economy, they are invariably the greatest abusers of security protocols - all in the interest of their oh-so-valuable time.
The issue is really one of organizational design as much as of security. Organizations have imported incredible power and knowledge as well as the devices to make them hum. Integration, convergence and coordination are the watchwords of the day. But when someone drags out the org chart, not much has changed. The reality is that everyone wants increased access, authority and intellectual firepower, but no one wants to shed one penny of budget on taking care of it.
The reality is that when everyone is responsible, no one is responsible. Enterprises avoid the difficult discussion about the changes that technology has wrought because they know it leads to disruption: pay, promotion, management, leadership and even job security are on the line. But unless institutions confront the changes that data and technology have presented them with, the positive impact they can have will be less than optimal. JL
Joel Brenner reports in Harvard Business Review:
Protecting a company's critical information is a value proposition. Trade secrets, confidential business plans, and operational security depend on it. Losing that kind of information can mean a plunge in stock price and market share. So who's responsible for information security in your company?
To find out, I like to ask questions. But when I put the question to top management, well, they're busy — not their problem, that's for sure — and they refer me to the chief information officer or the chief technology officer. So I knock on their doors and put the same question to them. Our job, they say, is making stuff work. If the stuff doesn't work, that's our fault. But security? They refer me to the chief information security officer, but she works for the CIO, who doesn't much like to hear what's wrong with the system he built. Besides, she says, I have nothing to do with who gets access to the system. I don't write the rules. And (she looks around nervously: you won't quote me on this, will you?) my budget is a joke.
So I walk down the hall and knock on the general counsel's door. Cyber security my problem? he says. No, no, he laughs; I write the contracts that lay off the liability for cyber security on our contractors. And insofar as some of that liability stays here, it's a technical problem.
Who's left? I walk down the hall and visit the HR director, who is trying hard to conceal her opinion that, for asking her whether she has any responsibility for any kind of security, I must be the stupidest guy on Earth. Nevertheless I persist. You control the HR manual, don't you? She does. And the manual contains lots of access rules, doesn't it? She concedes the point. And weren't you the chief opponent of the CISO's plan to require a click-through log-on banner stating that information on the company's IT system belongs to the company and can be monitored? Suddenly she remembers her next appointment.
Try the experiment in your company. If you get answers like this, it means that nobody in your company is responsible for information security. The truth is, unless all these people understand they own a piece of the problem and can be brought to deal with it together, you cannot manage information security.
Verizon's newest data breach investigations report for 2013 tells us — yet again — that cyber security depends on people as much as technology. Breaches are nearly always caused by multiple factors, and people are nearly always one of them. In this latest report, based on a larger-than-ever sample, 29% of breaches involved social tactics like getting employees to click on fake emails (phishing). And gullible employees aren't the only problem. Year after year Verizon has been reporting that most intrusions — 78% this year — are "low difficulty" and could have been prevented by simple or mid-level security measures. Failure to implement patches for weeks and months on end is a common problem. This is a management failure, not a technological problem.
When intruders get in to corporate systems, they tend to stay in. We still see smash-and-grab hacks, mostly after personal information, but they are becoming less common, especially when the goal is stealing corporate information. Most breaches take time to discover — usually months rather than weeks, and sometimes longer. In a major release early this year, the forensic firm Mandiant reported solid massive Chinese hacking of private sector clients — and showed that the median period of the intrusion was nearly a year. Often such breaches are discovered only by third parties — like the FBI or the media. Not a pleasant experience.
So why do so many companies treat cyber security as merely a technical problem that can be pushed down into the IT department?
Cyber security involves legal issues, human resources practices and policies, operational configurations, and technical expertise. But while each of these silo chieftains — the general counsel, the HR director, the chief operations officer, and the IT director — owns a piece of the problem, some of them don't know it, and none of them owns the whole thing. This makes information security a risk management and governance challenge, because unless these people attack the challenge together under a C-suite mandate, it can't be managed effectively. Unfortunately this rarely happens.
Information security cannot involve not locking down information that must move quickly. It does involve figuring out where information must move, and where it must not move. And above all, it means making rules that don't stifle creativity in the business. Protecting critical information protects corporate value and is a core responsibility of the board and executive management. Best-in class companies view information security as a value proposition — not merely as a deduction from the bottom line.
0 comments:
Post a Comment