Time to Address Basic Organizational Issues that Impact IT Security

In the past, cybersecurity was thought of as an IT problem where CISOs were given meager budgets and told to handle IT security with basic technical safeguards and a small staff of security administrators.  Fast forward to 2014 and things have certainly changed now that business mucky-mucks read about data breaches in the Wall Street Journal on a daily basis. 

CEOs and corporate boards are now struggling to understand cyber risk and gain greater oversight of infosec strategies.  They are also willingly increasing IT security budgets.  According to ESG research, 62% of organizations planned to increase information security spending in 2014 and it’s likely that even more will do so next year (note: I am an ESG employee).

Yup, infosec is in play at enterprise organizations and many actions are certainly steps in the right direction, but if we are truly going to get serious about cybersecurity, we have to address a few other systemic problems that no one seems to talk about.  Just what am I referring to?  Here are a few age-old organizational and culture problems that impact on cybersecurity at many enterprises:

1. Insecure IT procurement.  Every piece of equipment coming through the door represents a potential threat vector, so purchasing managers should fully vet hardware suppliers, ISVs, distributors, and VARS.  Few companies actually do this however, and those that do often send out a paper-based form for vendors to fill out but never do the hard work of actually auditing their suppliers.  As a result, companies are purchasing and installing insecure IT assets. CEOs should step in here since this is the IT equivalent of hiring key executives without background or reference checks. 
2. The disconnect between security and IT operations.  The security team is paid to identify vulnerable systems but often relies on IT operations to actually remediate these issues.  All well and good but it’s not unusual for the IT ops team to dismiss or at least deprioritize security fixes as they pursue their own agendas.  Okay, I get it that the IT operations team is strapped but this behavior results in a culture of finger-pointing, unnecessary IT risk, and system compromises.  CEOs need to hold these groups collectively accountable for identifying and fixing problems, rather than measuring each group on its individual contribution alone.
3. A debate between business efficiency and security efficacy.  When line-of-business managers complain about IT security, security controls are often curtailed or abandoned.  As an example, firewalls are often referred to as “Swiss Cheese” with numerous holes punched through them for applications, customers, mobile employees, etc.  What’s missing?  A rational assessment of risk/reward for these security compromises.  CEOs need to step in here.  In fact, it may be prudent to cut off users or applications when it’s clear that an attack is in progress.  My point is that security matters and may sometimes impact business processes.  These tradeoffs should be based upon facts rather than emotions. 
4. An aversion toward big projects.  Every organization would benefit if they discovered/classified their sensitive data and locked down all hosts with an appropriate set of security controls.  Alas, these are big projects that could take a fair amount of time and resources to accomplish.  So what, these must get done.  Every CEO and corporate board should pressure CIOs and CISOs to identify every location where sensitive data resides.  If they can’t provide this list at a moment’s notice, give them a reasonable timeframe and adequate resources to get this done.  Similarly, CISOs should have a customized high-priority plan to maximize security for PC endpoints, mobile devices, and all types of servers tuned specifically to industry and functional risk. 
5. Software functionality versus software security.  This problem has as much to do with software development culture as it does with the organizations.  Developers are paid to get functional code out the door, but we are really fighting uphill if we continue to produce insecure software all the time.  If IBM, Microsoft, and Oracle can establish secure development lifecycles, every other organization that writes software should be able to follow suit. 

There are a number of colloquialisms like, “You can’t fight city hall,” that come to mind.  In this case, there are too many institutional organizational issues and we have to live with them even if they have adverse cybersecurity consequences.  Nonsense!

CEOs and boards have a choice:  Uncover and address these well-established bad habits regardless of the effort it takes, or let them languish and treat cybersecurity issues as a series of holes in the dyke.  Real leaders will roll up their sleeves for the hard work ahead.  Others will hide behind token activities like cybersecurity budget increases while claiming that they are doing all they can.  The latter type of business executives should be fired when their organizations suffer the next data breaches.