by Tom Wailgum

Security Accountability: The Fault Line

Nov 01, 2003 | 15 mins
IT Leadership, Security

Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy.

If corporate America played out in true Hollywood fashion, and CEOs and other top execs were the A-list actors, CSOs would still be billed as desperately trying to gain celebrity status, continually relegated to B-level buddy-cop comedies and tired sequels. Never a star. Always a supporting player. But events more dramatic than any screenwriter could have ever penned have given CSOs their big break. Security awareness is at an all-time high. Faster, fancier (and less secure) technologies demand the scrutiny of savvy security executives. Nervous employees need comforting. The whole country is on alert. It’s high time they take center stage. But it’s not the time to take the responsibility. At least, it’s not time to take all the responsibility.

In fact, it is your job as CSO to analyze the vulnerabilities your organization faces and to suggest ways to best mitigate those risks. Without the guidance of a CSO, truly informed decisions are impossible. But it’s the job of the other executives who own the project to determine how much risk, or even which risks, the business wants to take on.

Too often, however, we bet you get caught up in the political infighting of the blame game: when IT networks are compromised, top-secret project plans leave the building, or money is lost and the business suffers. That’s because it’s easy to point to the CSO if a project tanks or gets cut off because of a perceived security hole. It’s easy to point to security vulnerabilities in the latest version of a product release or in a freshly inked outsourcing deal when, as a result, your company’s competitor scoops up the potential business.

But truly, how accountable are you, or should you be, when something goes wrong? And for what? In other words, where, exactly, does the buck stop when it comes to making the decisions that involve security?

“Security accountability falls into some ambiguous management space,” says Carl Herberger, director of information security services for SunGard Availability Services.

“Risk and business opportunity are intertwined and must be weighed together,” he adds. “Doing so obligates CSOs to become great communicators, to interpret and discuss the interplay of business objectives, the range of potential threats associated with them and the costs of mitigating those threats. But it falls to the relevant business executive to make an informed call about whether the risks outweigh the accompanying opportunities.”

There’s no getting around it: You will always be responsible for presenting the risk-based facts as you see them. That’s your job. You analyze risk. Dissect it. Know it. Own it. Live it. You study possibilities, you research uncertainty, you ask What if? Then you consult, speculate and study it more. You speak in technical terms. You speak in business terms. You build a report. And then you present your findings.

In the end, however, taking the risk, or not, always boils down to one decision, made by one person, who signs his name on the dotted line and says, “Let’s go for it.”

But that person should never be you.

This is the new accountability, and it’s time you got on board.

Eduardo Dardet recalls the story with ease. In fact, most of the specifics come back to him with little prodding. He was home on a Friday evening, on the last day of May, when the phone rang. It was a call from work he hadn’t been expecting.

Dardet’s company, JM Family Enterprises, was on the verge of signing a multimillion-dollar outsourcing deal with a large software vendor. Involved in these after-hours discussions were a group of business heads from his company and three corporate lawyers. The vendor’s representatives, with their own legal brawn, weren’t agreeing to one of JM Family’s established security clauses, which in turn prompted the vice president of JM Family’s project management office to call Dardet, the director of information security. He wanted to ask him one simple question: Should this be a deal-breaker?

For Dardet and JM Family, the 13th-largest privately held company in the United States and a leader in the automotive distribution industry, the pressure to enlist the vendor’s services was rising. “It was very tense,” Dardet recalls. At midnight, the vendor was going to close its books for the previous quarter, and it wanted to add this lucrative sale to its bottom line. It was also a sweet deal for JM Family; the financial incentives, anyway, made it a no-brainer. Which made Dardet’s job all the harder. “This was not some nice-to-have system. This was a core system,” he says, reflecting on it now, months later. “I thought, Am I really the one who is going to block this thing?”

Dardet, of course, had done his due diligence beforehand. He had followed a rigorous infosecurity approval process, working with the company’s procurement department, its project management office and the company’s in-house and outside lawyers to hammer out the details. To dig deeply into the risks. To figure out potential impact, develop mitigation strategies. Delve into regulatory and compliance matters. Simply put, to do what he gets paid for.

But that phase of the process had passed. So why were they calling him now?

As it happened, the deal was hanging on one infosecurity-related snag. JM Family requires two main infosecurity clauses as a standard part of its contracts. The first relates to a broad protection of confidentiality and integrity of JM Family’s data. The second requires the vendor to notify JM Family of any suspected or known security breach that could in any way affect JM Family’s systems. The vendor seemed to have a change of heart; it wasn’t prepared to comply with the second clause.

Which was a deal-breaker for Dardet. “We were giving them something of value: our information to manage, to support. If somebody stole something from us on the vendor’s systems, we needed to know.”

So that very large contract, with its very large incentives, and one very large unanswered question, hung in the warm Miami night air as Dardet and his colleagues discussed the particulars over the phone. The vendor’s reps waited in a separate room, straining for an answer. And midnight was fast approaching.

For Dardet to even play a part in this 11th-hour contract process exemplifies security’s rising prominence in corporate America. It wasn’t that long ago when security didn’t even have a place at the proverbial table; it was more like a seat at the kids’ table. But for whatever reason (9/11, computer viruses, workplace shootings, terror alerts, war) security has finally been invited to dine with the rest of the adults.

“In the past, [business users] might go ahead with a project without consulting us,” says Craig Granger, who for the past four years has run the multinational security operations for Delphi, a maker of automotive mobile electronics, components and systems technology. “Security is on the top of the list here now, and our peers in corporate come to us.”

While Granger and many other security executives devote a big part of their job to building awareness of security issues, they’ve also realized, ironically, that raising user knowledge allows the CSO to shift a part of the heavy accountability load to business peers, end users and pretty much anyone else working behind the company logo. “In this climate, everybody has a heightened awareness,” Granger says. “Now, more of the security emphasis is on people. It’s their responsibility, not just mine.”

Mary Ann Davidson, CSO at Oracle, also thinks it’s important to share accountability with others in the company. “I don’t want to be the policeman,” she says. “If people think risk is the security person’s job, then I’ve failed.”

How Granger, Davidson and other CSOs raise the corporate security IQ will determine the outcome of today’s culture clash. Part of the battle is fought in the field: pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger, for one, speaks at business group meetings and consults with Delphi’s executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and mandates that all new employees take a security course and undergo training.

When Granger first arrived at Delphi, he laid out a charter detailing the specifics and differences between his responsibilities and those of corporate.

Granger says he and his charter were well-received. It defined the global security policy at Delphi. Considerable effort has been spent ever since spreading a “strong infosec policy that’s published everywhere,” Granger says. And not just to users but to executive officers through a high-level governance board. “Here, people can’t say that they aren’t aware of the policy,” he says. “The charter has greatly enhanced our visibility and security awareness here. They know who we are.”

But it’s not solely about getting the word out, he adds. It’s how you speak the word and how it’s received. It comes down to developing trust with your peers. Which lets them, in turn, feel all the more comfortable shouldering some of the accountability burden.

The silent tension for Dardet and his colleagues was palpable over the phone lines. This was an important deal for JM Family. But equally important to Dardet was knowing that the second clause was intact.

The JM Family negotiation team (the business-side executive on the deal, a procurement person, JM Family’s corporate lawyer and two external lawyers) wanted more from Dardet. The group played out, over and over again, the ramifications of signing the deal without the second clause in place. They talked about risk and reward. Was this a manageable risk? Was the reward worth it?

On the one hand, the lawyers felt they had sufficient protection even if they didn’t get the second clause from the vendor. Dardet, however, was focused on the other hand. “The deal may have worked legally, but [the protection] was very obscure,” he says. “I don’t care whether it’s legally good or bad. I wanted it clear.”

Dardet said his part one last time. Specifically, he was less worried about the legalese of the whole affair and more concerned with living with this deal, taking care of the day-to-day security matters, after midnight came and went. “They all knew my position,” he says. “They knew what I was asking for.”

Still, JM Family seemed to be waffling, while the vendor’s representatives were standing firm.

At Nortel Networks, Timothy Williams, vice president of corporate security and systems for the network communications provider, tends to lean on relationships and solid security processes when he talks about accountability. “The key to accountability is process management,” Williams says. “Security is no different than any other process or function, and how we handle business events develops credibility.”

Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Along with raising awareness, process management can reinforce the expectations that the security department has for everyone. “Fundamentally, security is a process. That means that it is not a tool; it’s not a piece of hardware or software,” says SunGard’s Herberger. “It is about your risk tolerance. About your company’s culture. And there’s no way that it can be solely with one staff function.”

At Nortel, Williams tries to involve as many different functions in his security process as possible. He works with members from various cross-functional groups, with internal audit and the insurance group, for example. Deeper within his security process, you’ll find three core elements: risk assessment, enterprisewide collaboration and strategic planning. Williams staffs his department with people who come from a variety of different areas: systems security engineers, of course, and global thinkers, a leadership team with MBAs, and subject-matter experts who can “cut across security and think in terms of the whole organization,” he says. As part of the process, he and his team continually assess and reassess all of their client groups’ needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. “I own the process,” Williams says confidently. “There are a number of processes here that have my team’s signature on them.” But, he and other CSOs add, all of the security processes should have everyone else’s signatures on them as well, including the business execs’.

If and when it’s needed, Williams also has a process that takes care of follow-up and investigation, for when something goes wrong and fingers start to point. Though Williams won’t discuss the specifics of anything that actually has gone wrong at Nortel, he’ll use the example of a breached network to describe what he would do. If something happens, he says, he and his team members will go back, review the situation and ask, What did we miss? Should we have better prepared? Then he’ll go back to his strategy and reassess that. “For security events that do occur, you have to review them carefully and quickly,” he says. “If it was wrong in the way that it was handled, then that’s my responsibility.” He also gets out and solicits feedback about crises from all levels of the organization. He talks about security events and presents findings to senior leadership, thereby raising awareness and promoting his processes at the same time.

He says, above all, that his business peers at Nortel want his group to maintain value and independence in everything that it does and to protect the drivers of the business. Simply stated, Williams says CSOs need to “do strategy, and execution, well.” Which is no small task.

A classic case of risk versus reward was staring down at Dardet and his business and legal colleagues.

Just after midnight, the final decision was made by the business head, Stephen Donaghy, the vice president of the project management office, to go forward with the contract. Ultimately, he and the three lawyers felt that other general provisions in the contract, which required the vendor to adhere to JM Family’s security policies and notify JM Family if a breach actually did occur, were enough of a safeguard against future problems.

In retrospect, Dardet speaks confidently about the conversations they had that night. He’s pleased that his business peers were debating infosecurity concerns with him before a final decision was made.

Although Dardet is comfortable with the decision, he’s quick to classify this drama as a “very special case due to the financials associated with it.” In the end, the risk/reward equation ended in a “Let’s go for it.” And though he played a serious role in the negotiations, Eduardo Dardet did not make the final call. And that’s fine with him.

As much as accountability has to do with awareness and process, it also has as much to do with relationships. That means that CSOs cannot simply hole up in the security department and send out e-mail policy reminders from time to time. CSOs need to put a face on the security department. Their face. And if they can build trust and credibility with their peers, other executives will feel that much more comfortable signing their names on the dotted line.

But most CSOs will advise you to get to know the business and to show your business peers that you think business first, security second. “CSOs have to be an enabler rather than an obstructionist,” says William Besse, who’s in charge of the physical security for Belo, a large media company with businesses in print, broadcast and interactive media. “CSOs can mandate what to do, but they’ll leave [the security function] out of the process if you don’t understand their business problems.”

Dardet agrees. “We have to give them something that they can make a judgment about,” he says. But he stresses that you have to be clear about the business specifics: to know exactly how the security issues relate to the businesspeople and their decisions. “If you don’t have that, the business head will say, ‘Well, do you think, or do you know?’” he says. And a CSO should always know.

Besse is a huge believer in getting to know all facets of the business side. He says he takes on a more consultative role, although he acknowledges that the decision-making part of the accountability equation rests most definitely with the business function head. “At the end of the day, the business manager is the one to make a decision, and he has to have the ability to make those calls,” Besse says. That ability comes from CSOs getting on the business executives’ agenda to show them how security can help them. “Business units are different from each other, so you have to work with each one,” he says. “The people there will eventually begin to understand how security can help them.”

When it comes to actually working with your business colleagues, Delphi’s Granger cautions that CSOs should not get too technical with their executive brethren, or bog them down in what he calls the nitty-gritty of security. “You need to keep it at a high level,” he says. “You have to keep your eye, and theirs, on the big picture.”

Though it’s clear that most CSOs would rather not speak of tales of security-gone-horribly-wrong, they’re quite capable of talking about what they would do if fingers start pointing and name-calling commenced. They consistently use phrases like “follow-up meetings,” “after-the-fact strategy sessions,” “future mitigation steps.”

But blame? No. These CSOs take the high road when it comes to accountability; in their brief rise in prominence, they have learned well. “Security is a silent partner. There’s not a great deal of bravado,” says Nortel’s Williams. “We’re not here to affix the blame but to fix the process.”