• United States



by David H. Holtzman

Ethics: Who’s Responsible for Being Responsible?

Sep 04, 20023 mins
CSO and CISOCybercrimeIT Leadership

Our law, ethics and privacy columnist weighs in on taking security responsibility to the top of the corporate ladder.

I have to confess to a fascination for corporate roadkill. I love reading lurid details of insider naughtiness. Between, Enron, Andersen and whatever is currently ripening under the treads of WorldCom, the past six months have kept me supplied with reading material for a long time to come. But for any director of a public company, these stories should serve as a chilling wake-up call as to how much sensitive information is sitting on corporate networks waiting to be found.

The privacy problem cuts two ways here. The same data handling sloppiness that infuriates customers and causes unfavorable publicity leaves a trail of digital spoor behind management activities that even Inspector Clousseau could follow.

Don’t get me wrong, I do not advocate that you whitewash illegal activities; I’m just wondering why the heck this stuff is sitting around for someone to read. I suspect the reason is that no one with any real authority understands the kind of data his company keeps or what the exposure might be if it gets out. And the people who do understand are not empowered to do anything about it.

Every company has sensitive information; perfectly legal decisions can create havoc if discovered in a civil suit or exposed to a competitor. But, just who is responsible for being responsible?

The technical answer, of course, is that the board of directors is ultimately and legally responsible for the actions of the company. But how does the board know that the company is facing this kind of exposure from operational issues?

Someone has to tell them, and this is the most valuable function of the CSO. Unfortunately, many corporate security czars are too low on the organizational totem pole to effectively interact with the board, and oblique reporting structures often blunt and filter those messages before they reach the boardor even suppress them outright. Here’s how it goes:

If the CIO runs security CIO bosses prioritize around uptime numbers and bragging rights for tight-as-a-drum networks. To them, security is binaryit is secure or it isn’t. This mind-set can cause CIOs to delay reporting potential problems upward.

If the COO runs security COOs are concerned about customer issues (read: sales). They will frequently manage security activity using existing customer relationship management, or CRM, systems. Instead of protecting the company’s larger goals, the focus is on closing individual trouble tickets.

If the CFO runs security CFOs frequently believe that the best way to grow a company is to cut costs. Guess what happens when CFOs get their hands on a security organization. They evaluate security budgetary issues by scrutinizing every preventative capital expenditure or head count increase.

The bottom line is that CSOs must have unfettered access to the board. That is the only way directors can be certain the company is run honestly. Public companies have audit committees at the board level to scrutinize financial activity. Why not use a similar concept for security issues?

The health of a corporation is more dependent on thorough and knowledgeable preventative measures than on stopping sudden hemorrhaging from a public relations laceration. Firing the guilty is poor compensation to investors for an eroded market cap that may never return. Just ask investors in Merrill Lynch or Martha Stewart.

Shareholders must hold directors completely accountable for what happens in the companythat’s what directors are for. Directors must understand their security and ethical exposurethat’s what CSOs are for.