C-Level Executives Weigh In On Information Security

When it comes to information security, your non-IT execs just might "get it."

Our InformationWeek Analytics survey of 326 business technology professionals suggests that C-level executives not only recognize the importance of information security, but they actively support their IT organizations' efforts to protect corporate assets and reduce risk.

Frankly, we're a bit surprised by these results. We hear rants from IT pros about stingy executives who are ignorant of critical security issues and regard security as an impediment to doing business.

Indeed, conflicts between executives and IT organizations are still common, our follow-up interviews reveal. Moneymaking opportunities that present considerable security risks still go forward over the objections of information security teams. Conversely, security teams don't always appreciate that risk can't be entirely eliminated, or that some security measures go so far as to make information and technology too cumbersome to be useful.

Among the more security-minded executives we interviewed, William McNabb, CEO of investment firm Vanguard Group, sums up his company's information security responsibility this way: "We manage more than a trillion dollars of other people's money. That's important trust they've placed with us, and we have to do everything in our power to protect it." Our senior-level readers agree, as 75% of survey respondents say information security is among the highest of corporate priorities.

We see four reasons for this high level of executive support. First is the rise of high-volume theft of credit card information, Social Security numbers, and other personal data. Such attacks began to make headlines in 2005, when DSW Shoe Warehouse and ChoicePoint were hit. In the DSW case, thieves stole 1.4 million credit card numbers from stores in 25 states. Meanwhile, poor controls at ChoicePoint enabled scam artists posing as legitimate businesses to access consumer records and perpetrate identity theft. Since then, a string of larger information thefts from the likes of the Hannaford Bros. grocery chain, job site Monster.com, retailer TJX, and, most recently, Heartland Payment Systems has put executives on notice: Such breaches can no longer be dismissed as merely isolated incidents.

Second, the high-profile thefts have triggered a number of state breach-disclosure laws, which compel companies to publicize the theft or loss of personally identifiable information. Companies also face industry data-protection standards, the most prominent of which is the Payment Card Industry Data Security Standard, which requires a variety of security measures for businesses that accept and process credit cards.

DIG DEEPER

Feeling Insecure?

Reduce your exposure.

Get our vulnerability management report

>> See all our Reports <<

The third trend changing executives' attitudes about security is the rising cost of information breaches. From lawsuit payouts to fines to the expense of setting up credit-monitoring services for victimized customers, execs can see exactly how much a security failure costs.

U.S. companies paid an average of $202 per exposed record in 2008, up from $197 in 2007, according to a report by the Ponemon Institute, a privacy management researcher. The report also says the average total cost per breach for each company was $6.6 million in 2008, up from $6.3 million in 2007 and $4.7 million in 2006.

The fourth major trend is the damage to a company's brand and reputation. While it's hard to put a price on the loss of customer trust or efforts to repair a brand, no CEO wants to have to try to do that math.

Walk The Line

While CXOs and IT pros agree that security is a priority, a palpable tension still exists among business units and infosec teams. These teams are tasked with protecting customer information and corporate brands, but they also must balance the demands of the business.

"Our company is very risk-accepting," says the senior security analyst at a national retail chain. "If a mission-critical business app will benefit the bottom line but there are security concerns, we aren't going to hold up anything from going into production." Instead, his security team is expected to secure applications after they're deployed. This approach is akin to building a house with a poor foundation and hoping to brace it up later.

In contrast, McNabb says that Vanguard Group gets the security team involved with new applications from the very beginning. "You are dealing with people's identities and money," he says. "You can't go out there and see what works, and then iterate. It has to be bombproof from the get-go."

At the same time, McNabb says, security teams must make a rigorous argument when it comes to risk versus profit. "It's incumbent on the security team to walk through exactly what they don't like about a new app, where the risks are, and what can be done to mitigate them," he says. Once the security team makes its case, the business must make the call on whether those risks are worth taking.

These tensions are apparent in the survey. We asked IT and other business executives if they agree with the following statement: "Our organization properly balances information security and information access." On a scale of 1 to 5, where 5 is "completely agree," business executives were slightly more in agreement, with an average response of 3.7, compared with IT's 3.5.

Our survey responses show that, for the most part, infosec teams are striking a balance between security and access, although a still-common complaint is that they get in the way of commercial opportunities.

"I would be naive to say that people don't regard security as an inhibitor," concurs Craig Shumard, chief information security officer at Cigna, a global health services company. "You have to be able to explain why security is needed, what the risks are."

Of course, security groups share some of the blame for that perception. The CIO of a large county agency says infosec pros do a terrible job of understanding the business impact of their security recommendations. "I don't have the business pushing back on me as I implement security approaches--I push back on the security folks," the CIO says.

It's critical for organizations to ensure that the inconvenience on users is commensurate with the reduction of risk. "And often security people don't get that, or don't know how to do it." the CIO says.

The e-business infrastructure manager at a global bank says that if a new vulnerability is detected or malware breaks out, the security group's first inclination is to shut down all banking servers in North America. "We may say, 'Hold on, can we stagger this and do it in a more organized manner?' We understand their need to avoid issues," the manager says, "but they have to understand our need to maintain availability."

Build A Security Culture

It's clear from our interviews that effective information security programs are made, not born. Here are five building blocks from organizations that have built strong security foundations.

1. Measure progress. Cigna's Shumard relies on two metrics: benchmarks and scorecards. The benchmarks cover 19 security categories, such as networks and applications, each scored on a 10-point scale by an outside auditor. "Ten is safe as you can be," says Shumard. "Five is considered due care, meaning you'd pass most audits."

Cigna's board is briefed annually on the benchmarks, which have been in use for 10 years now. They not only lay out the company's progress (and setbacks) year over year, but also show how Cigna compares with companies of a similar size and complexity. The security team highlights efforts to improve scores where necessary.

2. Train business leaders. Vanguard rotates key businesspeople through the security group for blocks of time. CEO McNabb says the benefits are twofold: The security team stays grounded in the realities of the business; and executives learn more about security, then bring that knowledge back to their units.

McNabb also takes pains to keep himself up to date on security issues. He has quarterly briefings with his infosec team, including detailed discussions on strategy and planning. He even accompanies the security group to the lab to get demonstrations of new technologies being tested or rolled out.

Cigna takes a similar approach by establishing information protection (IP) champions and IP coordinators in each business area. Champions are senior people in major business units who ensure that security issues are addressed at a high level. They're supported by a larger group of IP coordinators, generally lower-level people, such as a manager of a customer call center or an office manager.

The IP coordinators are intimately familiar with day-to-day business operations. In other words, they know how employees get their jobs done and have great visibility into business practices that might present risks.

Shumard says these champions and coordinators provide valuable input into how information protection policies are developed and implemented within their own units. Both groups also may identify potential security issues not covered by policies already in place.

"You can't have a small organization deemed 'security' that would be able to address the needs of a large corporation," Shumard says. "It needs to be embedded and owned by the businesspeople."

3. Engage end users. Whether an infosec program is successful or not depends 30% to 40% on user training and awareness, Shumard says. To put it another way, even with significant care and funding given to security controls and operations, IT still faces a one-in-three chance that an end user will cause a security failure, he says. Shumard relies on those IP coordinators to get the security message across, in team meetings and e-mails or through other means.

The bank e-business infrastructure manager says his organization mandates online training on a variety of issues, including information protection. The sessions are self-paced but tests are given at the end.

4. Assign ownership and accountability. Security messages carry greater weight when they come from the top. "If people get a message from a direct boss, it has more resonance than coming from some third-party security group," Shumard says. It also lets business leaders tailor security technologies and practices to the specific operations--and risks--of their units.

Meantime, the security group is there to support the business units. For example, if a unit contracts with a new vendor that will be handling sensitive data, the security team assesses the vendor and identifies risks and mitigation strategies before a contract is signed.

"We make it clear that the businesses own the risk," says Vanguard's McNabb. "We have groups such as infosec and compliance to help, but we want the businesses highly engaged." Executives also know that screw-ups get reported right to the top. "I see the report, and it's a pretty quick conversation after that," he says.

5. Write the checks. Only 16% of respondents to our survey say their 2009 security budgets will decline compared with 2008. Sixty percent say they'll stay the same, and 24% say they'll increase.

Of course, it doesn't hurt that security lapses have been in the news lately. The security analyst at the retail chain says that in the wake of news reports about the Heartland breach, his team has been asked by the CIO to go back and review the 2009 security budget, to see if there are gaps to be addressed. McNabb says it would be "penny-wise and pound-foolish" to reduce security efforts at this time. "There will be more clever and insidious attacks in this climate," he says. "We have overall budget constraints, but one area off the table is security."

Of course, not every organization has the resources of a company managing a trillion dollars in assets. But lack of funding doesn't preclude organizations from taking the previous four steps.

The retailer security analyst takes a Zen approach to corporate barriers to information protection. "When water flows downs a mountain," he says, "if it runs into an obstacle, it finds a way around it to continue on its course."