I have been thinking a lot about organizational influence and the relationship of security to corporate governance. A corporation is like the solar system. The Sun consists of the Boardroom, the CEO, the CFO and probably the general counsel.

The first thing you’ll note about the Sun is that it’s a big ball of gas. (Sorry, irresistible.)

The second thing you’ll notice is all the planets revolving around the Sun. Information technology is a planet. Human resources too, and operations and others. Security is one of these planets as well.

I may have dozed through my droning college astronomy lectures but I faintly recall something about apogees and perigees—suffice to say that, periodically, certain planets move closer to the Sun, while others move farther away. The closer a function is to the Sun, the better its status and influence in the company. In the late ’90s, galactic forces called e-business and e-commerce drew Planet IT’s orbit nearer the Sun. IT basked in the tropical climes. (They got a lot of money and they reported at every Board meeting.) But there’s a fine line between getting a nice tan and getting toasted. After the dotcom market bubble burst (and after CEOs concluded their Y2K spending was money down the drain), CIOs got toasted. And Planet IT was banished to do some time in an outer orbit.

After 9/11, CEOs in the United States decided that, hey, this risk management stuff really is important. But some security leaders, perhaps having witnessed the hazardous warming of Planet IT, would prefer it if Planet Security remained a safe, cool distance from the Sun, thanks very much. Even if the Boardroom seems to be extending a chummy invitation to parley about risk, these CSOs and CISOs seem to sense that the closer the orbit, the worse the ending. So they keep their heads down. The most irksome thing about such CSOs is that they won’t return phone calls from the press, a.k.a. me! (The nerve!) But there’s more to it than that.

Some security heads say they have nothing to report to the Board, that security value can’t be measured and that risk mitigation procedures and statistics are meant to be kept secret. That the disclosure of a breach is more to be feared than the breach itself. That a risk management department is just a security group that’s gotten too big for its britches. So these CSOs are happy to keep their basement offices and to keep their doings safely out of sight of the Boardroom.

I’ll concede that the Sun may yet decide to burn Planet Security. The inner circle of control is guarded most jealously—they’d generally prefer to handle the decision making themselves. If a risk management backlash happens, it will start with this (rhetorical) question from the Boardroom: “All this money we spent on risk management—what did we get for it?” This is how the question was phrased about IT in 2000 and 2001. After that question echoes for a bit, the CSO will get cooked and Planet Security will be flicked by a cosmic thumb back to the outer ring. With a reduced budget and a spot at the bottom of the org chart. Demoted like Pluto, our newly crowned Dwarf Planet.

Maybe. But still I’d rather hang with the CSOs who aspire to more influence and more visibility—something more than the dusty cold of space.