Thursday 22 March 2018

The Security Blame Game: From the Past to Now, Who Takes Ownership When Things Go Wrong?


- Dr. Peter Courtney, BOHH Labs Director

Today security threats seem to be inescapable, with companies dodging attacks on an hourly basis and breaches being revealed daily. As such, the practices, technologies and management of security threats have seen a dramatic shift over the past couple of decades, especially in how breaches are accounted for and who takes ownership when things go wrong.

Before we can address where we are today, we first must look at the past and where we've come from. In the past, security flaws in a company amounted to losing a ledger book, a cash box or a Rolodex. While a competitor might steal some customers if they obtained your Rolodex, the impact was modest compared to having an electronic customer file stolen, which might then be sold on, mined automatically or even put on public display to embarrass the company, as happens today. Additionally, IT errors were much simpler in the past. For example, an IT error might have been a functional code bug that only caused a problem under rare circumstances. In these instances, the impact on the company was relatively low, typically affecting a specific area of the company. It was relatively easy to identify the culprit and move forward with a solution. Security breaches were dealt with in a similar manner to a failing project: the CEO would identify the accountable executive and either censure, discipline or fire them depending on the severity of the issue. Typically, the executive to blame was either the CIO or CSO, as security was their focus area and it was clear that they carried the accountability.

Today, more often than not, IT errors are deliberate attacks that target systems such as payments or CRM; they can invade the core processes of the company and may broadcast sensitive customer information to the public web. Unlike in the past, this means that the impact can stretch across the entire company, not just the area that is initially targeted. The company can be damaged internally and may also suffer reputational and financial damage in the public domain. Because of this, the impact of the breach spreads across the company and accountability flows far beyond the IT/security department. It may be judged that the CFO, CSO, COO or even CEO should have exerted greater control over the company, its processes and its decisions. Today, it is much more difficult to clearly assign blame. Unlike in the past, the perpetrators of the breach may never be identified, nor the case proven with any hard evidence, making it difficult to hold any single person accountable. In addition, many of the suppliers of systems and security are now external, rather than the systems having been developed in-house as was once the norm. Indeed, the external party may have been selected by a Board decision rather than simply by the CIO or CSO, making it even more difficult to assign individual accountability.

Because the nature of security threats is becoming more complex and the impact a breach can have on the company is more widespread, the risk that accountability may not be contained to an expendable CIO or CSO is making security a priority for the whole executive and even for non-executive Boards. We are seeing more executives politically positioning themselves, both by demanding scrutiny of security decisions before they are made and by positioning accountability away from themselves where that is possible.

The current IT world has been unable to prevent breaches from occurring, and many institutions simply consider it a cost of doing business. As we are seeing, if the threat is inescapable, then so too is the blame. We now see companies spending huge sums on technology solutions that may not work but enable the company to say that it followed the process and did what it was supposed to do, so it should not be penalized. For now, companies are simply skirting around the accountability game when it comes to breaches, but if we are to move forward as an industry overall, we must come up with a better way. Surely it is time to find security solutions that actually fix the risks and solve the problems rather than waste political energy and money on avoiding blame when the inevitable breach occurs.
