Thursday, March 1, 2012

Electric Sector Not Alone in Moving Slowly re: Security Leadership and Governance

This CMU report came to me yesterday via Ernie (he's everywhere) Hayden. At 3 pages, it's short enough to consume with one cup of coffee, and its cross-sector findings jump right out:
  • "Today, cyber attacks have moved to a new level: corporate data is at a higher risk of theft or misuse than ever before, and the systemic nature of recent attacks has alarmed both industry leaders and government officials around the world. These issues now require active oversight by boards and senior executives"
  • New SEC guidelines require public companies to disclose cyber risks that "materially affect products, relationships, services, relationships with customers or suppliers ...."
  • CISOs and CSOs report that they "cannot get the attention of their senior management and boards and their budgets are inadequate"
The first two points I already knew, but that last one is a wake-up (for me, at least). Clearly, in other sectors, simply designating someone as a CSO or CISO isn't a cure-all for security governance. In fact, much depends on to whom the CSO/CISO reports, and on whether the board sees security and privacy as strategically important or not.

The report also notes some signs of slow progress worth checking out, and closes with recommendations. I'll give you one of them here:
  • "Establish the “tone from the top” for privacy and security through top-level policies"
Yes, that's leadership and culture change. Lou Gerstner, in his account of how he turned around a foundering IBM in the early nineties, says that culture change was by far the hardest thing he tried to do. Also the slowest. Also something that can't be changed by a CEO alone.

Lou said (and I'm paraphrasing here) that he and other senior execs could help create an environment that would promote or allow for change, but that ultimately it was up to the employees themselves to make it happen. Yet it was also, in retrospect, the biggest difference maker of all his initiatives.

Stay tuned: a more detailed version of this report will be made available shortly.

Photo courtesy of bradipo on