Boards of financial services corporations appear to exist in a bubble that isolates them from most of the types of information security and infrastructure & operations risk management issues that fill most of our days. I admit, I am not even an intermittent member of that club, and I have not figured out the relevant dimensions or characteristics of the Board bubble. As a result, it just confounds me. Information from my board is conveyed via direct questions that get passed my way, and via hints and statements in our standard SEC filings. Sure, boards of all major financial services corporations have a broad suite of issues they must understand and influence. It does not seem that many hold information security and infrastructure & operations risk management in their set of top priority considerations. Given the regular drum beat of data loss in the news, this is not a healthy signal for our industry. I have worked with executives in financial services for years. Senior executives seem to consistently service their boards.
So, what motivates our C-level executive investments in security? Generally, it seems like it is the existence of legal and regulatory mandates. Information Week reported that in a recent Information Week Analytics survey of 326 IT professionals, their “data points strongly to a single source: regulations. Industry and government compliance mandates are cited as the top influence on information security programs.”
If compliance — with the law, governmental or industry regulations, or even customer and partner contracts — is the only goal, we are sunk. Depending on which of the major financial services corporations you work for, we are tasked with protecting anywhere from hundreds of billions to trillions of dollars worth of other people’s money, while attempting to:
- interconnect almost everything,
- connect all that to the Internet,
- make all types of interactions easier for the end users.
In business, technology infrastructure & operations, and software environments as dynamic and complex as are found in all large financial services corporations, it seems relatively easy to understand that we begin every day at seriously-elevated risk. Law and rule-making processes in the United States are messy — generally rich in compromise, sometimes transparently corrupt, and often strongly influenced by the industries being targeted with controls. As a result, compliance is usually not a high bar. It may not be, and in my experience usually is not, a close relative of risk-appropriate information security.
We need to do a better job communicating with senior leaders. Our infrastructures incorporate and expose real vulnerabilities. There are real and relevant threats. And we owe more to our customers, partners, employees, and shareholders than the cheapest and easiest route to technical compliance. Checking some boxes, printing reports, and passing a contract compliance assessor’s review must not be the only corporate security goal.
We are living through a global financial decline of still-unknown proportions. It was caused in part by too many people, especially, but not exclusively, at the top of our financial services corporations, choosing to set grossly-inappropriate goals. We all know that the scope and breadth of criminal, and national-centric, activity focused on critical Internet-connected infrastructure is expanding every week. I believe that treating information security and technology infrastructure & operations risk management as a compliance exercise will lead to a similarly dark downturn, and I believe it will result in the end of some more of our financial services peers.
What do you think?
— References —
Information Week Analytics Survey Summary: http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=213901162
Full report “A Unified Front: Exploring What Executives Really Think Of Security.” https://i.cmpnet.com/custom/cxoreport/assets/InformationWeek-Analytics-Dark-Reading-CEOs-And-Security.pdf . You might want to link from the article above and fill out the form so that they earn enough money to keep doing these surveys.