



Driving Change in Corporate Information Security

Jun 06, 2005

by Hans Brechbühl and Scott Dynes

Information security today is much like quality was twenty years ago: bolted-on, not built-in, viewed as an inhibitor of operations, and residing in a special department. If information security efforts are to be successful at a corporate (and national) level, this must change. This was one of the key conclusions reached at a working summit of corporate executives hosted at the Tuck School of Business at Dartmouth.

It was quite clear that within most participants' organizations there is a prevailing view that information security is something that information technology (IT) “does.” For everyone else in the organization, information security just “happens” to them; their involvement is passive. This feeling is found at all levels in the corporation today, from the boardroom on down. It is only within the core IT function of the company that information security seems to be integrated into the daily work routine.

The phenomenon is similar with customers. Ken Rathgeber, EVP and Head of Risk Oversight for Fidelity M&R, described customers’ attitudes towards information security: “…I think the general consumer out there believes that they are protected from [security incidents such as identity theft] and we will assume the responsibility and the liability of making them whole.” As Hillary Gal, of Citigroup, made clear: “customers have to understand they have to take some responsibility.” Customers do not have a good understanding that what they do matters in terms of security. Rathgeber related how Fidelity will begin informing clients that if they haven’t installed a certain level of Web browser on their computers, they won’t get access to Fidelity’s secure website.

Educational and cultural change efforts were identified as important themes in driving information security responsibility throughout the organization. Though board and customer education were seen as important, most of the education and awareness efforts discussed were directed towards corporate employees and extended enterprise partners. One important component encompassed developing skills and capabilities and establishing a more rigorous, coordinated approach to information security. Other elements focused on building awareness of individual and collective responsibilities, getting people to move from observing information security in a passive role to addressing it as an active player on the corporate information security team with an understanding of their role. A developing best practice is to tie information security to some aspect of corporate culture that is already well understood.

The educational challenges are not likely to go away quickly. One of the reasons is that the younger generations have very different attitudes towards computing ubiquity and such aspects of information security as password sharing and file swapping. Efforts are now being made to address this through ethics and security discussions in educational institutions.

Firms are becoming increasingly dependent on the Internet for managing their supply chains and other business relationships in the extended enterprise. Case studies carried out as part of a recent research effort show that, not surprisingly, U.S. manufacturing corporations of all sizes are using the Internet for supply chain management. Of the firms researched, none was paying much attention to the risk faced by using the Internet to integrate the supply chain. Anecdotal evidence strongly suggests that other business sectors such as the financial sector are both more dependent on the Internet and are paying a lot of attention to such risk. This will increasingly need to be addressed across the board.

Other key messages that came out of the summit and recent research by the Center for Digital Strategies at Tuck are:

  • Risks and security must be balanced. Seeing the big picture helps organizations understand the diverse security threats and how to manage them. Information security is not a local phenomenon, and one needs to take a broad view of the costs one faces with regard to it.
  • Regulation is a somewhat blunt instrument. Government regulations often don’t address core information security issues, and their interpretation and implementation vary widely. Sarbanes-Oxley is a great example of this.
  • Information security is impacting the extended enterprise. The extended enterprise (i.e., collaboration with value chain partners) is being impacted by information security (and privacy) concerns.
  • When evaluating risk, think in terms of business continuity. It might make more sense to manage the outcomes than to manage the threats, since threats and probabilities are largely unknown.
  • Security is good for business, but is not often a competitive advantage. The jury is out on whether better security can become a true source of competitive advantage; for most it’s likely just a qualifier.

For more information about the findings from this summit, please visit