What Motivates C-Level Executive Investments in Security?

Boards of financial services corporations appear to exist in a bubble that isolates them from most of the types of information security and infrastructure & operations risk management issues that fill most of our days.  I admit, I am not even an intermittent member of that club, and that I have not figured out the relevant dimensions or characteristics of the Board bubble.  As a result, it just confounds me.  Information from my board is conveyed via direct questions that get passed my way, and via hints and statements in our standard SEC filings.  Sure, boards of all major financial services corporations have a broad suite of issues they must understand and influence.  It does not seem that many hold information security and infrastructure & operations risk management in their set of top priority considerations.  Given the regular drum beat of data loss in the news, this is not a healthy signal for our industry.  I have worked with executives in financial services for years.  Senior executives seem to consistently service their boards.

So, what motivates our C-level executive investments in security?  Generally, it seems like it is the existence of legal and regulatory mandates.  Information Week reported that in a recent Information Week Analytics survey of 326 IT professionals, their

“data points strongly to a single source: regulations.  Industry and government compliance mandates are cited as the top influence on information security programs.”

If compliance — with the law, governmental or industry regulations, or even customer and partner contracts — is the only goal, we are sunk.  Depending on which of the major financial services corporations you work for, we are tasked with protecting anywhere from hundreds of billions to trillions of dollars worth of other people’s money, while attempting to:

  • interconnect almost everything,
  • connect all that to the Internet,
  • make all types of interactions easier for the end users.

In business, technology infrastructure & operations, and software environments as dynamic and complex as are found in all large financial services corporations, it seems relatively easy to understand that we begin every day at seriously-elevated risk.  Law and rule-making processes in the United States are messy — generally rich in compromise, sometimes transparently corrupt, and often strongly influenced by the industries being targeted with controls.  As a result, compliance is usually not a high bar.  It may not be, and in my experience usually is not, a close relative of risk-appropriate information security.

We need to do a better job communicating with senior leaders.  Our infrastructures incorporate and expose real vulnerabilities.  There are real and relevant threats.  And we owe more to our customers, partners, employees, and shareholders than the cheapest and easiest route to technical compliance.  Checking some boxes, printing reports, and passing a contract compliance assessor’s review must not be the only corporate security goal.

We are living through a global financial decline of still-unknown proportions.  It was caused in part by too many people, especially, but not exclusively, at the top of our financial services corporations, choosing to set grossly-inappropriate goals.  We all know that the scope and breadth of criminal, and national-centric, activity focused on critical Internet-connected infrastructure is expanding every week.  I believe that treating information security and technology infrastructure & operations risk management as a compliance exercise will lead to a similarly dark downturn — and I believe will result in the end of some more of our financial services peers.

What do you think?

— References —

DatalossDB: http://datalossdb.org/statistics

Information Week Analytics Survey Summary: http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=213901162

Full report “A Unified Front: Exploring What Executives Really Think Of Security.” https://i.cmpnet.com/custom/cxoreport/assets/InformationWeek-Analytics-Dark-Reading-CEOs-And-Security.pdf .  You might want to link from the article above and fill out the form so that they earn enough money to keep doing these surveys.


3 Responses to What Motivates C-Level Executive Investments in Security?

  1. […] What Motivates C-Level Executive Investments in Security – Completosec […]

  2. Jeremy Bergsman says:

    Instead of thinking about C-level executives as living in an impenetrable bubble, it is probably worth some time to figure out their behavior. In turn, this may give a better perspective on whether it is right or wrong, and–if wrong–better insight into how to change it.

    As you say, C-level executives and BoDs have a lot of concerns, and security is not a big one. What you don’t say is that, given the size of the various risks most companies face, this would seem very appropriate. Major companies are going bankrupt left and right, but not as a result of the drum beat of data loss events. A car company bets a few billion dollars on a new car platform. Oil companies bet more than this on developing new oil fields. Currency shifts can cost a company more in a week than the largest information incident that has ever happened. Why should they care about security?

    While a compliance mindset is not the best way to achieve security, regulations are your friend as a security advocate, because they raise the cost of breaches/poor security to the point where these folks start to care.

    So, I would argue that they are right not to care (much).

    Another point is that it is not clear we should be doing more to increase security (even under the radar of the BoD). I make the point more fully here: http://irec.wordpress.com/2009/06/10/do-we-spend-too-much-to-protect-information/ , but in short it is hard to imagine a scenario where increased spending on security would return a larger dollar value of reduced risk. So, instead of going to the BoD and asking for money, we should be working to make sure we are targeting the biggest risks with the highest ROI mitigation approaches.

  3. […] hold “compliance” as their prime (sometimes, only) risk management driver.   Sure, that is tiring and sometimes disheartening, but they are not going away…  In the course of your efforts to advance effective […]
