Schneier on Security
A blog covering security and security technology.
November 8, 2006
Why Management Doesn't Get IT Security
At the request of the Department of Homeland Security, a group called The Conference Board completed a study about senior management and their perceptions of IT security. The results aren't very surprising.
Most C-level executives view security as an operational issue -- kind of like facilities management -- and not as a strategic review. As such, they don't have direct responsibility for security.
Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. "Security directors appear to be politically isolated within their companies," Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don't have many allies in getting their message across to upper management.
What to do? The report has some suggestions, the same ones you can hear at any security conference anywhere.
Security managers need to reach out more aggressively to other areas of the business to help them make their case, Cavanagh says. "Risk managers are among the best potential allies," he observes, because they are usually tasked with measuring the financial impact of various threats and correlating them with the likelihood that those threats will happen.
"That can be tricky, because most risk managers come from a financial background, and they don't speak the same language as the security people," Cavanagh notes. "It's also difficult because security presents some unusual risk scenarios. There are some franchise events that could destroy the company's business, but have a very low likelihood of occurrence, so it's very hard to gauge the risk."
Getting attention (and budget) from top executives such as risk managers, CFOs, and CEOs means creating metrics that help measure the value of the security effort, Cavanagh says. In the study, The Conference Board found that the cost of business interruption was the most helpful metric, cited by almost 64 percent of respondents. That metric was followed by vulnerability assessments (60 percent), benchmarks against industry standards (49 percent), the value of the facilities (43.5 percent), and the level of insurance premiums (39 percent).
Face time is another important way to gain attention in mahogany row, the report says. In industries where there are critical infrastructure issues, such as financial services, about 66 percent of top executives meet at least once a month with their security director, according to the study. That figure dropped to around 44 percent in industries without critical infrastructure issues.
I guess it's more confirmation of the conventional wisdom.
The full report is available, but it costs $125 if you're something called a Conference Board associate, and $495 if you're not. But my guess is that you've already heard everything that's in it.
Posted on November 8, 2006 at 6:15 AM
The one sure way to make it a major issue with any executive is
"what is my personal loss if it goes wrong"
This suggests that there are three areas that might well give it a shove in the right direction,
If the shareholders have an option to get rid of directors without benefit (i.e. golden parachute and pension / share options) then executives are likely to sit up and listen.
Also if the Insurance company says "it happens you are not covered unless you can show best practice HAS BEEN USED".
Finally legal compliance, with real corporate liability, i.e. jail time for excessive risk taking (usually has a moderating effect on the risks taken by senior management).
One of the factors I've seen for security managers getting isolated is the perception by others that the security folks are "the ones who say 'No' to everything" or put forth things impeding work. Real or not, these perceptions and other job culture factors can hinder security management.
Among things that can help are assessing the workplace culture to see its "economics", what is rewarded. Very likely the incentives might not fit what is being said by the security people. If the organisation rewards people for taking audacious *stupid* risks, things can be difficult.
A big step may be turning the "No's" into "Yes's" by readjusting the tone of the communications. Less of "We must not do XYZ because it will make us vulnerable to data breaches" tone and more towards, "We should do XYZ because it will help retain customer trust and bolster our competitiveness in the market."
Of course, the security approaches should be smart ones, not silly security like requiring unique 50-character passwords that expire once a week.
I work in the safety industry. It's interesting how you could replace "security" with "safety" in the above, and it would be exactly as true.
I keep getting different opinions on what a "C-level executive" is. For instance, it seems like half the people who work in U.S. banking are "vice presidents." http://www.chiefofficer.com/faq.php has something, but I'm getting off point ....
Security personnel, information and otherwise, need to go to the "dark side" and learn some basic business economics or the point will never get across. Most execs won't cut EPS by a penny based on vague notions of threats or vulnerabilities. Believe it or not, that's actually a good thing. We've got to find better ways to show them the numbers.
Security has the same problem as IT in general -- it's very poorly financially accounted for. How do you measure all the small periods of downtime due to any infrastructure failure? I've never seen a company that does it well. You see it in the quality of the folks they hire. In software firms, you'll generally find your least competent engineers in the IT department, as compared to engineers in that self-same company. Same at many universities.
How do you solve that problem? How do you actually measure time lost not only to infrastructure failures, but losses due to IT folks who don't know their business?
A power outage, where employees are sitting on their thumbs doing nothing, is a concrete example that happens to every company periodically. It's very easy to cost justify (or not) the cure (UPS systems or generators) based on the productivity losses from past outages.
However, you can't measure the cost of an intrusion that hasn't happened and the likelihood is basically unimportant because most believe it won't happen. Many of the costs are completely intangible - like the loss of confidence from customers and business partners causing a loss of revenue when they take their business elsewhere. That can't be measured in advance because the publicity and the public consequences from a breach are a complete unknown.
Risk assessments can help, if you can get the company lawyer involved. It's fairly easy to use the assessment to show the company is not doing its "due diligence", which is one of those buzzwords that keeps lawyers awake at night.
When failures occur, they are always embarrassing, and then the primary driver is cover-your-ass, which means to hide the costs and the causes. When security fails, the IT people can work around the clock to get things going again, and dodge the blame, since 'computer glitch' is still accepted as a blanket explanation for bad decisions made by humans.
I do not believe that risk managers make good allies. The whole risk management concept is not working! We are trying to convince managers with numbers that have no scientific background. Impact, frequency and probability cannot be guessed not by me or you or any other risk managers. If I like to convince my management I use examples and I take issues from the past that occurred at major companies and of course what the benefit is from integrating a countermeasure instead of defining a potential loss.
Management doesn't get security because it's nebulous and esoteric. How many of us have been interested in security for decades and still learn new things? It's not a topic that can be distilled into a 10 second sound bite. Ideas that can be easily compressed are likely to stick. Complicated topics, like risk mitigation, often get shoved aside because they cause headaches.
This week I got asked to help with a project that is representative of how management understands security. Sensitive data is being transferred to a third party, so we need to encrypt it. The people who will be responsible for the data do not understand encryption and have never used PGP before. I'm trying to give them enough information to help them successfully encrypt their data. However, there's nothing to stop them from using pgp -a instead of pgp -ea and not realize that the data is not encrypted. Encryption is seen as a necessary inconvenience and the business needs to be able to check the "encrypted" box on some form. I can suggest that we create an automated process to ensure it's done correctly, but that would go nowhere as I'm the only one in our organization who knows anything about security and I have no free time. I see all sorts of security problems all around, and there is never any management support for doing anything about them.
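The "pgp -a instead of pgp -ea" failure described in the comment above can be caught mechanically: an armored file that was never encrypted starts with a literal or compressed data packet, while an encrypted one starts with a session-key packet followed by an encrypted-data packet. The following is an added example, not code from the original post or from PGP; it inspects OpenPGP packet headers (RFC 4880 section 4) without any key material, and the sample packets are constructed by hand, not real PGP output.

```python
"""Check that an OpenPGP file is really encrypted, not merely ASCII-armored, before it is sent.
Added example (not from the original post): the point is to catch '-a instead of -ea',
so only packet headers are parsed; nothing is decrypted and the armor CRC is not verified."""
import base64

# Packet tags from RFC 4880 section 4.3.
PKESK, SKESK = 1, 3          # public-key / symmetric-key encrypted session key
SED, SEIPD = 9, 18           # symmetrically encrypted data (without / with integrity protection)
SESSION_KEY = {PKESK, SKESK}
ENCRYPTED_DATA = {SED, SEIPD}
# Anything else at the top level (literal 11, compressed 8, signature 2/4, ...) is not ciphertext.

def dearmor(text: str) -> bytes:
    """Strip ASCII armor (what -a produces) down to the raw packet bytes."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP") \
            or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP message")
    body = lines[1:-1]
    if "" in body:                       # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    body = [ln for ln in body if not ln.startswith("=")]   # drop the "=XXXX" CRC-24 line
    return base64.b64decode("".join(body))

def packet_tags(data: bytes):
    """Yield the tag of each top-level packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if ctb & 0x40:                               # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:                                    # partial body length: rest is one packet
                yield tag
                return
        else:                                        # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                           # indeterminate length: rest is one packet
                yield tag
                return
            n = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        yield tag
        i += hdr + length

def is_encrypted(message) -> bool:
    """True only if the stream is session-key packet(s) followed by an encrypted-data packet."""
    try:
        data = dearmor(message) if isinstance(message, str) else message
        for tag in packet_tags(data):
            if tag in ENCRYPTED_DATA:
                return True
            if tag not in SESSION_KEY:               # literal/compressed/signature: plaintext
                return False
        return False                                 # truncated: no ciphertext packet found
    except (ValueError, IndexError):
        return False                                 # malformed input is not "encrypted" either

def armor(data: bytes) -> str:
    """Wrap raw packets in armor; the CRC line is a placeholder since dearmor() skips it."""
    return ("-----BEGIN PGP MESSAGE-----\nVersion: constructed\n\n%s\n=AAAA\n"
            "-----END PGP MESSAGE-----\n" % base64.b64encode(data).decode())

# Constructed sample packets (hand-built, valid RFC 4880 headers, not real PGP output).
# Old-format literal data packet (tag 11): what an armor-only run leaves you with.
LITERAL_ONLY = b"\xac\x0b" + b"b\x00" + b"\x00\x00\x00\x00" + b"hello"
# New-format PKESK (tag 1) with dummy key ID and MPI, then a dummy SEIPD (tag 18).
PKESK_THEN_SEIPD = (b"\xc1\x0e" + b"\x03" + b"\x00" * 8 + b"\x01" + b"\x00\x10\xab\xcd"
                    + b"\xd2\x09" + b"\x01" + b"\x00" * 8)

if __name__ == "__main__":
    for name, msg in [("armored literal (pgp -a)", armor(LITERAL_ONLY)),
                      ("armored encrypted (pgp -ea)", armor(PKESK_THEN_SEIPD))]:
        print("%-28s encrypted=%s" % (name, is_encrypted(msg)))
```

Run as a pre-transfer gate: refuse to ship any file for which is_encrypted() returns False.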
Security is especially hard to sell because you're trying to tell someone that they need to spend money to avoid a possible greater future loss. There's no ROI without a security breach to illustrate how much worse the damage would have been if the past security measures had not been put in place. Combine this with the desire of most businesses to keep cutting costs and you end up with a situation where the only possible action is reaction. Though, at that point it's too late, so what's the point?
"Impact, frequency and probability cannot be guessed not by me or you or any other risk managers."
Of course they can. It's done all the time. The only question is how well you accomplish expressing estimation, how consistent your estimations are, and how easy your conclusions are to defend.
As a security analyst at a reasonably sized organization I leave most days feeling that I am fighting a hopeless and useless battle due to the reasons stated above. Anybody feel this problem makes it more difficult to retain qualified personnel?
Two sayings that seem to summarize the state of security management in most companies (I am not sure of the origins of either saying, but I suspect Ben Franklin for the first) :
The school of hard-knocks is a hard school, but a fool will learn in no other.
Experience is the ability to learn from your own mistakes. Wisdom is the ability to learn from others' mistakes.
I would think that the examples of Enron, ChoicePoint and the like would be enough wisdom for most C-Level executives, but the ability of senior executives to see only what they want to see continues to amaze me.
This may be less true for Fortune 500 companies, but in a lot of small to mid-size companies who are getting started and/or on shaky financial ground, there are often real incentives for *not* spending a lot of money on security.
Now, this will hurt them in the long run, if they succeed. But, in some cases, the cost of doing things correctly from-the-start is prohibitive, such that they can't possibly succeed while following best practice.
In those cases it's imperative that the Chief Security Officer (or whoever is in charge of security) understands this, and works cooperatively with management to work out which risks can be risked and which can't be, given the financial situation. It's a harder job than just demanding "the best practice" for everything, but that's the position that most other officers of the company are already in.
Now why would the output of a taxpayer-funded research group cost us even more? Is the Department of Homeland Security a for-profit enterprise? [grumble]
Everything I do is based on the fact that the only people authorized to accept risk on behalf of an organization are Sr. Management. I provide the information in a format that is easy for them to understand so that they can make an educated decision. I provide information on the risk, its potential impact and remediation solutions. I then have them decide how much risk they are willing to accept and choose the remediation solution. It's surprising how much attention you get when they realize that they will, in the end, be held responsible for the decisions they make.
Typically, the nightmare of security in an organization is trying to prove a negative proposition. I have been repeatedly asked for the improvements I can add to income, or profit margin. I have also repeatedly pointed out that what I am doing is minimizing the risk of loss, but since such losses have not yet occurred, I cannot point to an item in EBITDA and state that my security work has made a positive contribution, though other departments can point to where I add to the cost structure.
Gartner has done a detailed study on the cost of the ChoicePoint breach, where the cost (so far) has been approximately $300 per exposed account (not to mention the years of additional auditing they agreed to with the FTC). If they had the proper procedures in place prior to the breach, they would have spent less than $25 per breached account annually. Upon pointing this out to the C level, they quickly stated that the annual cost affects margin and the bottom line, versus the theoretical loss, and if they felt that they were not likely to encounter a publicized breach within 12 years, the risk analysis showed they should not implement the security measures. They then turned down my request to improve security and/or increase staff, and usually asked for a staff reduction/share with other, more profitable business centers.
If the ship has no leaks, the ship's officers will not see the point of improving measures against leakage. They won't ever, until the ship starts sinking.
The bottom line is always in the forefront. Return on Investment seems to be the buzzword, when actually it is safeguarding company assets.
If every employee of a large company took home a box of paperclips, a dozen ball point pens and a ream of copy paper a day, the company would actually feel the loss. Data to these people is just an intangible.
Unless it is their personal data, then they would be outraged. IT and Security will always be a cost center, not a revenue center. Life can be strange. It takes expenditure of money to provide a semblance of security, even if it is just an illusion.
It takes only one breach of customer data to get them sued. We live in an odd world.
This discussion seems to explain why most security companies try to make money by scaring the bejeezus out of potential customers. It changes the risk calculations.
Security is also hard to understand because it is constantly changing and evolving. Spambots are less than 10 years old, and many businesses and C-levels don't deal with a lot of new things well. Most people don't like to do what essentially becomes multivariate calculus. MBAs learned simpler math, add, subtract, put it in a column/category. Complexity
I worked for a (major in Australian terms, tiny anywhere else) web hosting company until recently. They only partially 'got serious' about security when it looked as though they could win more government business with certain security accreditations. When they realised how serious they needed to be and how expensive it was to actually do it, they gave up and even laid off the security project leader. God knows what they do for security now, probably the same as they did before ...
Mike Sherwood said "Sensitive data is being transferred to a third party, so we need to encrypt it. The people who will be responsible for the data do not understand encryption and have never used PGP before."
I was in a similar situation recently, we had to transfer data that included social security numbers in it. The company we were dealing with kept trying to email chunks of the data to us for verification and correction of errors (implementing our data into a new DB system). It was like pulling teeth with them in order to get them to the point where they finally arranged for a secure method in which to transfer the data (when we sent our batch to them we archived it, encrypted it, and transferred it via SSL server).
That combined with some other issues (like not securing administrative access to the database, which meant any of their clients could access any OTHER clients' data without a problem) in their system made me feel like they just didn't grasp the whole concept of "secure people's data to prevent identity theft". We have managed so far to avoid any pitfalls, but it is very frustrating.
As an IT Security Officer at a medium sized company I very seldom leave work feeling that my management "gets" IT Security. Reality is that most of us are at the wrong level in an organization to be able to effect change. I'm sure I'm not alone in feeling that any changes we want to implement are looked upon with skepticism. I'm often referred to as "Big Brother" by my CIO and director for implementing technology that they "agreed" we needed. If it weren't for compliance there would be no security at most companies.
I work as an information security consultant for a national VAR and I have seen each of these scenarios and many many more.
Like it was mentioned earlier, the primary drivers for security are compliance, and quite honestly fear. While I personally disagree with using the tactic of FUD to get people to think about security, I have to admit that it can be effective.
The biggest problem with information security is that it is nebulous. It overlays nearly EVERY aspect of business operations and almost everyone views it as an operational expense rather than as a business enabler.
Most people can't be chuffed to come to terms with something as large, complex, and expensive as securing their data.
Seriously, this is why FAIR risk modeling was created.
A F500 CISO and his boss had this very same encounter, essentially the conversation ended like this: "So, if I spend the x million dollars that you are asking for, how much less risk will I have?" seemed like a perfectly reasonable question, without a good answer. Thus, the CISO creates FAIR. The whitepaper (not $425 - free actually) is a great read, albeit a bit lengthy.
I love it and wish I could get more...
get it from http://www.riskmanagementinsight.com
(I am not a salesman for them).
I remember hearing at a NASA press conference about a saying within NASA, that safety must not be a "no because" mindset but rather a "yes, if" mindset. That the focus of the agency in planning missions should be one of finding a way to do it safely rather than finding reasons to not do things because of safety.
Perhaps that can be applied to IT security as well.
"Of course they can. It's done all the time. The only question is how well you accomplish expressing estimation, how consistent your estimations are, and how easy your conclusions are to defend."
So Alex you are a fortune teller?
Indeed you can provide guessed numbers which are meaningless and do not provide a good foundation for your plea.
Some great comments here.
Business is risk, so saying that the C-levels don't understand security is like saying they are not keeping up with the ongoing shift in how to do business (risks/rewards). If/when you start to look at it from this perspective, you can and should split IT security into technical and strategic skillsets, just like everything else in a company.
Thus, when someone finds a leak, or becomes scared of the latest vulnerability (e.g. "eek! a leak") it is natural for them to grow the technical skillsets ("you there, stick your thumb in it"). But how does the biz gain the strategic skillset to understand what's coming next and how to anticipate the new risk map? They have to adjust and retrain from the top (forums, off-sites, research, etc.) or promote/bring in talent.
Although it's tempting to say security is like flipping a switch somewhere in the brain of an executive, expecting C-levels to get it right is really no different than expecting them to be able to manage the risks of finding the right product for the right time in the right market with the right suppliers, priced right...it's a non-trivial process. Talent, experience and accountability matters on both sides.
I am going to have to agree with Alex on this one. He is of the FAIR camp I am guessing - or at least he talks well of it at his website.
Did you read the FAIR whitepaper? I don't believe you would have made comments like that if you did. Seriously, give it a read (it's long but worth it) and if you still stand by your comments, then I'll retract mine.
We need solutions that are cheap, ubiquitous, and very easy to use. Don't you think that would go a long way towards mitigating this?
An external encryption appliance for data in motion may be a decent stop-gap until such time.
I believe the role of chief security officer needs to be clearly stated as not being "to ensure security", but to mitigate business risks. There is no point locking down a system if it means locking up a business, making it unrunnable.
An electronics store posting security guards to check bag contents when customers leave mitigates the risk of stealing. Locking up the store to prevent customers from entering prevents the risk entirely. No one would advocate the latter.
The fact that first generation internet banking was pretty risky security-wise is not because the banks didn't understand security, but the good secure technologies around were too hard to use, and the banks had to employ risk mitigation to reduce risk. Security management is more of a process of mitigating threats and balancing them against business needs.
"However, you can't measure the cost of an intrusion that hasn't happened and the likelihood is basically unimportant because most believe it won't happen. Many of the costs are completely intangible - like the loss of confidence from customers and business partners causing a loss of revenue when they take their business elsewhere. That can't be measured in advance because the publicity and the public consequences from a breach are a complete unknown.
Risk assessments can help, if you can get the company lawyer involved. It's fairly easy to use the assessment to show the company is not doing its "due diligence", which is one of those buzzwords that keeps lawyers awake at night."
The cost of customer confidence is NOT intangible -- you just need to do some additional work to translate it into dollars.
The Royal Bank (up here in Canada) did a paper several years ago on the cost benefits of privacy, and what it would cost in lost customer confidence. They were able to set it at about 14% of revenues.
Loss of customer confidence means lost customers, which can lead to loss of market share (and potentially even loss of the company -- ever heard of ENRON?) and this translates directly into lost dollars.
Risk assessments that translate loss of confidence into tangibles are an integral part of continuity planning. Marketing and sales analysts do this stuff all the time!
Executive and senior management do "get" security if you take the effort to put it into terms they understand and that are meaningful to their strategies and initiatives. The reason most security people can't "sell" security is because they don't think like their target audience.
Try "selling" security as an integral part of the management and financial controls of the organization. Don't sell it on how many viruses you can intercept, etc. -- that's meaningless at the upper levels.
And show how security contributes to the success of business strategies and initiatives. Don't sell the "keep hackers out" doom and gloom -- sell it as helping to ensure intended customers can access the business application, helping ensure the application is available when needed, etc., all the while helping ensure that outside forces cannot interfere -- you are helping prevent fraud, interference, or misuse of the application so that the cost-benefit that drove the business initiative in the first place can be realized.
Yeah, it's the same "hackers, doom and gloom", but put in terms that make sense to C-levels and give them warm, fuzzy feelings that will result in your getting the funding you need...
I stand by my comments. I'd read the paper before and I still do not believe one can quantify risk. And I am not the only one who shares the opinion that risk management is a failed concept.
I found the study's stats about limited face time between top executives and security directors to be particularly telling. I've seen situations where security directors get less than 15 minutes a month to convey their message. More time is probably spent deciding where to hold the next company picnic. To intensify this issue, far too many of these security directors speak a language not widely received by those on "mahogany row." Security directors tend to get caught up in the details and miss the strategic aspects of security such as avoiding cost and preventing disruption of the business.
For top executives to take more of an interest, security leaders need to focus a larger part of their responsibilities on C-level security awareness and education so that these executives are conscious of the real business risks, not the latest flavor of security fear mongering. This will enable the C-level executives to make educated decisions regarding the acceptance or mitigation of that risk. Without this, we get the following quote from the study, "The most influential executives are not the most supportive, and the most supportive executives are not the most influential." This reminds me of another dichotomy - this one directly out of Hollywood. In the movie Lord of War the main character played by Nicolas Cage says, "Those who know [about illegal arms trade] don't care, and those who care don't know."
This is a gap. To address this gap, it entails the greatest supporters of security, which according to the study are corporate security heads and officers representing information, risk and compliance, to educate the security decision-makers such as CEOs, CFOs, COOs, and legal officers about the business risks so that they do become supporters if the risk warrants it, or at a minimum they understand the risk in their terms and can decide if it is acceptable. I think if there was better communication of the business risk, and security leaders would add what the study calls a "chief lobbyist" to their job responsibilities, we would see a higher number of executives that agree that excellence in security is a competitive advantage and a source of value. The trick is, doing all this in just 15 minutes a month.
I retract my statement as I said I would. It will not change how my colleagues (F500 CISOs) do business with our CEOs and CFOs. We currently and successfully quantify risk (including IT security risk) and it has saved us thousands, and made us understand that those that believe in "best practice" as a solution to eliminating security issues - while they may - do not do so with a good understanding of the money they are spending.
I am just curious, what pieces of the FAIR white-paper didn't you agree with?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.