Tom Clerici | September 19, 2017
Nobody was surprised when it was announced this weekend that the chief information officer and chief security officer were both out at Equifax. We all knew that was going to happen because those two roles always get terminated after a major breach. Clearly, it’s always the CIO and CSO’s fault, right…or is it? I’ve never worked with Equifax and I have no idea what happened at Equifax prior to this breach, but what I do know is that in many of the companies I talk to, the business is just as much to blame as IT for major security holes. How much responsibility does the non-technical leadership team have for an organization’s security posture? It’s an interesting question because, in the midst of everything going on at Equifax, they aren’t calling the CIO or CSO to testify in front of Congress. The CEO is going to testify, and pretty soon that’s who everyone is going to blame if these kinds of catastrophic breaches continue.
The Great Disconnect Between IT and the Business
There is a misconception in many organizations that IT owns security and it’s solely their job to keep the bad guys out. That approach is fundamentally flawed and gives executive leadership an easy pass to blame the CIO and CISO when a breach happens. I’m not going to say IT doesn’t get some blame here, in fact they deserve a lot of blame. IT owns the administration and management of core infrastructure and systems and is primarily responsible for identifying risks and mitigations. However, the last time I checked just about everyone uses technology today. The first thing most employees do when they get to the office is log into a computer. In essence, EVERYONE is a part of the IT department. It’s the business though that owns the checkbook, risk management, priority list, and corporate strategy. The business dictates what they need to be profitable and should be driving IT toward technology that empowers operations. As such, it’s the business’ responsibility to get involved, hold IT accountable for finding risks, understand the gaps, and appropriately resource security initiatives that are critical to protecting sensitive information.
That’s not typically what happens though, is it? Think about your own organization. How many times have you heard someone on the executive team publicly talk about commitment to security and then privately pitch a fit because they had to wait an extra 60 seconds for their PC to boot up on Monday morning after installing security patches? Better yet, how many executives get to bypass multifactor authentication, have local admin rights on their laptops, and are exempt from web filtering? To them these are inconveniences they don’t have time for. They are also the same people who don’t have time to attend security meetings or allocate resources to security solutions. Breaches like the one at Equifax are going to force changes at the CEO level.
People are Looking to the Board and Senior Leadership for Accountability
All too often I see the IT department out on a ledge, fighting for money and staff to secure a business whose leaders are too busy to bother with it. I get it – security is expensive, complicated, inconvenient, and boring. It’s also intangible in that you can’t see the value until there’s a major problem, so it’s easy to ignore or procrastinate. Passing the buck to IT is the easiest way out. Unfortunately, we now live in a world where ignoring security can put you out of business so, like it or not, the business must care. These breaches have become so public that CEOs can no longer hide behind the complexity of IT as an excuse for not knowing they are at risk. It’s the executive team’s responsibility to understand the risk and the cost to remediate it, which in many cases will require not just money, but culture change.
That doesn’t mean IT is off the hook. You can’t expect CEOs to be the technology experts. That’s IT’s job. The CEO does need to hold IT more accountable, though. Is the IT department reporting on existing weaknesses and strategies to strengthen them? Are they providing the business with metrics on the effectiveness of the information security program? Do they move security initiatives forward? If the answer to any of these questions is no, then it’s time to replace them with people who can. The discipline is too complex to put “average players” into positions that can literally destroy your business. The CEOs need to get involved. They certainly read revenue/profit reports, audit reports, sales trends, and legal requests. If they’re not treating security the same way, then they are just as accountable as the CIO or CISO when there’s a breach. Politicians, regulators, and law enforcement are taking note of the issues. They are now looking to executive leaders to get engaged. My advice is for business leaders to get involved now, or be prepared to face the music later.
Continue the cyber security conversation with Tom on 9/28 at Arraya’s forum: Identifying, Monitoring, and Analyzing Security Threats. This free, full morning event will feature multiple presentations designed to help IT professionals thrive in today’s increasingly harsh security climate.