Tuesday, April 28, 2015

Sliding IT security priorities put enterprises at risk

I read somewhere about the government’s intent to increase budget allocation towards fighting cyber threats and creating cybersecurity awareness. The link was hidden somewhere towards the bottom of the newsletter; I quickly clicked through to read the good news word by word and realized that it was indeed true! The chart showing CAGR was quite impressive, with the trend line going north; then I looked again at the Y axis to find that the investment per annum was so low that the entire news was actually too scary to be funny.

Not too long ago, when I wrote about Creating Secure & Safe Enterprise, many CIOs and CISOs wrote back with their personal experiences; most of them agreed that their realities were reflected within. One of the interesting facts that emerged was that budgets were a challenge, but then not really a challenge once an incident occurred. With corporate focus on short-term goals and measurement of tactical performance, the biggest challenge that everyone unanimously portrayed was that of sliding priorities, with security settling close to the bottom.

Why is security investment such a drag when it comes to budgeting and spending? Why do enterprises, and by that I mean the CXOs who collectively represent the Management, believe that they don’t really need to invest in protecting their information assets, which are the family jewels in most cases? What creates such a lackadaisical attitude towards creating process and policy, and implementing tools that provide a secure framework to do business, despite the fact that threats are increasing and businesses are losing customers, revenue and credibility?

Everyone agrees in principle that security is a must; they (the CXOs) espouse this in conferences and project themselves as the messiahs of information protection and security. When one such leader was asked a pointed question on the budget allotted, he sidestepped the question deftly, talking instead about how the industry needs to up the ante. The lip service that ignores the elephant in the room is beginning to hurt enterprises. The cause for such an attitude towards keeping the doors and windows open has to be deeper.

I am not that big and not an attractive target for anyone! Why would any hacker want to breach our security? Our customer data is locked up on one computer and only two people have access to it; they are both trustworthy. We don’t have anything worth stealing, so why would anyone compromise our systems? We know internal threats are higher than external; we have information distributed across multiple solutions, so no one can decipher the full picture; we have locked USB ports and installed anti-virus and a firewall; isn’t that enough?

Is a lack of awareness or education creating a false sense of security and complacency? Or is it a belief that such things happen to others and I am safe? Is CXO ignorance and indifference an acceptable proposition towards defining the security posture of an enterprise? When you live dangerously, sooner or later an adverse incident does occur, and that is when the scapegoat syndrome always ends up pointing fingers at the CIO or the CISO, and/or the service provider. Breaking this paradox is the need of the hour for enterprises.

No one wants to fall sick or die, but everyone takes health and life insurance! Investments in security are like insurance to protect the business. Physical security has seen this paradigm shift, with electronic tags and biometric solutions becoming the norm. With the number of threats increasing and new ones emerging, the education of CXOs is not just an imperative but an urgent need. CIOs, CISOs, Internal Audit, and Risk Committees have to own the information protection agenda and drive it with their collective might.

Using ethical means to understand vulnerabilities and fixing them should be high on the corporate agenda towards creating a safer digital enterprise. Customers and consumers are becoming sensitive to this fact and are beginning to take their business elsewhere. A safe and secure ecosystem is required for the extended enterprise, including suppliers, contractors, partners, and customers. The writing on the wall is that companies who emerge as secure digital enterprises will be the winners of the future.

Where are you?

Monday, April 20, 2015

Create the best policy but exclude me from it …

The compliance audit demonstrated significant gaps in the processes and policies, which had put the new CIO in a quagmire on how to get started. The report was indeed incriminating for the internal and outsourced teams; there were numerous cases of process being bypassed or ignored, along with weak, ambiguous policies and controls. The task appeared to be herculean, and the team was smarting from the beating they had received from the CFO, to whom the Audit team reported. The CIO had come on board a month back and was still undergoing his induction.

Every company that has an active audit function reviews compliance, risk and process strength linked to defined policies; the frequency of audit varies, but at least once a year IT does figure in the calendar. They sift through logs, evidence of process adherence, change requests, documentation, defined standards, IT security, procurement discipline, and exceptions to all of these. For IT the exercise is fraught with danger, since in the real world compliance is difficult when almost every senior manager requests a deviation from policy.

To get started, the CIO decided to seek help from the audit team, who had engaged one of the big audit firms. The audit team was surprised, since none of the auditees had ever asked them for help; they dutifully connected the CIO to the Consultants. Citing a conflict of interest, the Consultants recused themselves from the potential engagement. Not one to give up so easily, the CIO reached out to their competitors and engaged them in a full review of people, process, policy and technology towards creating a practical, implementable set of policies.

Months and many iterations later, the CIO was satisfied with the end result, to which his team had contributed throughout the process. The classification of policies and associated procedures appeared comprehensive and pragmatic in their intent. The IT team was also content that they finally had markers that would leave little room for exceptions, while the outsourced team, who were responsible for execution, would find it easier to comply. But before putting the plan into action, the CIO sought the opinion of the vocal CFO.

Weeks passed after the documents were emailed, with no response; the CIO personally reminded the CFO of the pending request. Time was running short, as the next audit was due in another few months and the CIO did not want another negative rating to fend off. He also had dependencies on some of the other functions to work in tandem. Much nudging and cornering later, the meeting was scheduled. The CIO had his team and the consultants on standby should there be a need to discuss some aspect in detail.

These policies are not user friendly! The consultant has given you standard cookie-cutter templates! How do you expect senior management to comply with these? We cannot be expected to change and remember complex passwords every so often. The world over, businesses are going digital; how can you have a draconian internet access or social media policy? We need to allow people the freedom to engage with customers! The world is going mobile; you should allow access to information on demand. You have to figure out a better way to implement security!

The CFO went on shredding the documents, deriving satisfaction from his qualifications and comments; the impracticality of the suggestions had the CIO wondering whether the company would ever succeed in creating a framework that would protect the systems as well as allow for the processes that are necessary for good governance. His counter-arguments were brushed aside by the CFO, who was unwilling to listen in his quest to add value. The CIO thanked the CFO for his critique and decided to seek counsel from other CXOs towards implementation.

The rest, who had lived with far more restrictive policies elsewhere, commended the CIO for his rational, real-world approach. Soon the next audit came, and the results showed significant improvement in compliance, which validated the approach taken. The CEO was full of accolades for the CIO, while the CFO squirmed and then tried to take credit by highlighting his review prior to execution. The rest knew better and nodded to the CIO for the road taken and the positive end outcomes. The CIO thanked everyone for their understanding.

A few weeks later, the CFO requested an exception to a policy; it was denied, as it required the approval of the CEO, who was against deviations!