Managing Reputation

By Martin Carmichael, McAfee

Chief security officers and chief information officers are already caught in a delicate balancing act between the business and the IT department. There are the pressures of assessments, mitigation and the ever-increasing risk that a major security incident could overshadow an entire career. Traditionally, since there hasn’t been a way to quantify security risks, decisions have been based on the opinion and personal reputation of the security professionals involved. Accordingly, involvement in a major breach can jeopardize that reputation.

What should CSOs be doing to safeguard against the personal and professional risks they face in the Internet age? In the ongoing chess game against malware and hackers, what strategies should they adopt to ensure they are not personally caught in checkmate? How does a CSO define quantitative risks to security and what is the magic behind quantification?

New forms of computer threats are emerging at a faster rate than ever before. These threats have stirred attention at the highest level among worldwide regulators, industry bodies and heads of global corporations. According to Gartner, regulation will remain the greatest driver for proactive spending on information security and risk controls through 2010, and businesses plan to increase security budgets by another 4.5 percent over the next year. According to IDC, the worldwide security compliance and control market is forecasted to grow to $14.92 billion in 2010.

The consequences of flawed IT systems have been seen several times in courts of law and been subject to the judgement of investors. Take the case of Coleman (Parent) Holdings against banking giant Morgan Stanley in 2005. During the trial, it emerged that Morgan Stanley had overwritten e-mails and been careless in its data storage. Unable to respond to the court’s requests for a clear view of its IT system and processes, Morgan Stanley was forced to pay out millions of dollars in restitution.

Impacting Corporate Reputation

A chronology of data breaches available on the Privacy Rights Clearinghouse website reveals that in 2005, one breach was made public every third day, on average, but by the middle of 2006, reports of breaches numbered up to ten per week. To date, almost 94 million records containing sensitive personal information have been involved in security breaches.

Data breaches that hurt the most are the ones that impact shareholder value. In banking, for example, loss of customers has been directly linked to security breaches. A 2006 study by the Ponemon Institute showed that 34 percent of customers would change their bank after one breach, and 45 percent would leave after two breaches.

Mismanagement of IT security can have serious implications for an organization’s reputation. Various studies have mapped the financial value of brands, and while they differ in absolute terms, these studies have all shown the relative risk of stolen customer information, or becoming unknowingly embroiled in illegal online activity, to be significant. The “punishment” handed down by customers and clients on companies that are perceived to be less secure adds to this risk. Systems may only go down for a few hours, but if customers start to ask whether their details have been lost, or partners fear that commercial secrets could have been leaked, then relationships and contracts can collapse.

In 2006 it was reported that U.S.-based CardSystems, a payment processing organization, failed to secure customer and financial information, resulting in millions of dollars in fraudulent purchases while banks were forced to cancel and re-issue thousands of credit cards. On top of this, consumers experienced serious inconvenience and financial uncertainty, as reported by the Federal Trade Commission (FTC). The damage to CardSystems’ reputation was such that it was soon forced out of business; major customers, including Visa, refused to do further business with the company.

Personal Risk

All of this evidence points to the fact that there is a significant danger to the reputation of the business. But what about the personal risk to CSOs themselves, the people seen to be accountable for IT integrity? It is true that there are CSOs who have “moved on” after major incidents. Even loose association with a significant security breach, however, can have a severe impact on future career prospects.

In some European countries, CSO bonuses are directly linked to the integrity of the computer environment they manage. For example, as the corporate network becomes increasingly vulnerable to new threats, their pay packet may go down. If the status of CSO is a result of the rise of the IT director up the corporate ladder, then it is also the case that with greater corporate responsibility comes greater career risks.

The CSO’s Challenge

In some ways the publicity that IT security generates can be to the CSO’s advantage. News of high-profile computer threats can raise awareness at the board level and may even govern larger, or incremental, IT security budgets. It often appears to be a general rule that while falling foul of a computer threat can be excusable, it is inexcusable to fail to secure against the vulnerability a second time.

Demonstrating responsibility is therefore key to minimizing the damage to a CSO’s reputation, and can be the difference between keeping a job and losing it. An example is that of one anonymous CSO, who experienced that when his corporate network faulted for days. It took weeks, but investigations proved that the problems could not have been foreseen and that reasonable security measures were proportionate to the potential threats. That CSO’s reputation therefore remained intact.

On the other hand, there are examples of senior IT managers who have asked management or the board for an IT investment, then, having been told that they were asking too much, still lost their jobs when the company was hit.

Their fault was double layered: first, failing to demonstrate why the business needed the investment to start with; second, failing to show that they had done everything they reasonably could after the crisis. Again, when defending actions and protecting your reputation, it is evidence that counts. Think of security as a sprinkler system. In the early 1880s, sprinkler systems were advertised using fear: “You’re going to die in a fire if you don’t install one of these.” It didn’t take long for the industry to wise up, learning that advertising them as protection against financial losses was a much more compelling argument. Within a few years, new buildings were being fitted with sprinkler systems.

Business Language

IT security today is as critical an issue as it was when the Internet was born, perhaps even more so. The reality that most CSOs face is that when they speak of SQL Slammers or spyware to some managers and executives, they may as well be speaking the lost language of the Incas. Business executives will not only fail to understand, but will ask what difference IT security makes to the bottom line. After all, this is the standard against which all other reports delivered to the board are measured. Thus, the CSO must present the evidence that security excellence is being pursued in the language of business risk. The CSO must gain a reputation for being an effective translator of IT dangers and precautions.

What this means is being able to demonstrate to the board how risks to the business’ most critical systems and assets can be mitigated in the most cost-effective way. After all, no business has the resources to provide 100 percent protection to all areas of its organization. The critical assets need to be identified, the risks to these assets understood, and then the processes put in place to prioritize resources to protect these assets and notify the board of this.

What’s more, regulatory compliance requirements must be obeyed. If not, members of the board may end up in jail. If the CSO can demonstrate to executives that their business is compliant, then he will go a long way in terms of maintaining his reputation and justifying IT expenditure.

Savvy CSO-ing

Attacks on IT systems are a fact and will remain a fact of IT. They are inherent risks that any modern organization faces in the course of operations. However, like the risks that stem from operating in any market, they can be understood and acted upon. This is the message that savvy CSOs are conveying to their colleagues and board members. They build their reputation within the business and protect it against unwelcome events by exercising a portfolio of skills. They must understand the nature and extent of the risks themselves, devise ways of communicating those risks to others, gather demonstrable evidence that risks are being met, and manage the contingencies that are necessary as and when breaches occur.

The prominent position of the modern CSO is a measure of the importance and the success of IT in business. With success comes responsibilities, of course. If the buck stops with the CSOand it doesthen there is no need to panic over those responsibilities. Flawed security does cost, and may cost dearly. But thanks to advances in security technology, it is possible to provide a baseline for security. No longer do security decisions need to be made strictly on the reputation of the professional involved, and there are fewer reasons why those attacks should leave the reputation of the CSO vulnerable..