CyLab Report
Boards Losing Focus on Security
Carnegie Mellon University's CyLab, the largest university-based research and education center for computer security, in collaboration with author Jody Westby, a CyLab distinguished fellow and CEO of Global Cyber Risk, a security risk advisory company, produced a survey report titled "Governance of Enterprise Security: CyLab 2010 Report", which shows that enterprise boards are losing focus on security. I've read this report and wanted to provide additional perspective.
First, Jody Westby is unquestionably a security expert. In fact, she's at the top of a rapidly growing community of bar-certified security experts, blending legal, privacy, and information security expertise, which is becoming increasingly important for reasons that should be obvious.
The gist of the report is, "Board participation on key IT security governance activities is worse compared to 2008's survey," says Westby. "Reviewing budgets and policies, receiving and reviewing regular reports, roles and responsibilities of key personnel -- all of the numbers are worse than 2008's survey." The report goes on to state that boards of Fortune 1000 companies are taking risk management seriously, but there is still a gap in understanding the linkage between IT risks and enterprise risk management.
Before commenting on any survey, I like to discuss its scope. As stated in the Executive Summary, the survey is based on 66 respondents at the board and executive level of Fortune 1000 companies. Assuming one respondent per company, that's roughly 6.6% coverage of the Fortune 1000. I've seen political surveys cause nation-wide debate while sampling 0.0001625% of the population. My point is simple: in my opinion the survey had a "good" scope, but I would have preferred a somewhat higher number of respondents. Of the 66 respondents, 27% (18) were board chairmen. Overall, 3% (2) were outside directors, 47% (31) were inside directors, and 50% (33) were senior executives who were not board members. The survey is therefore based on a balanced combination of information directly from board members on their own opinions and information from non-board members on their opinion of the board. An interesting mix, and I like that. Moreover, the sector coverage was surprisingly comprehensive and well balanced. In short, the survey has a good foundation, making it something worth taking seriously.
You can read the report, so I won't go into detail on the findings. However, there are a couple key findings worth commenting on specifically.
91% responded that risk management was actively being addressed by the board, second only to M&A (97%) and long-term strategy and operations (97%). This is in stark contrast to 20% for IT operations, 39% for computer and information security, and 2% for vendor management. Although the report didn't highlight this, 83% said that compliance was active at the board level, which leads me to the following perspective: compliance is a broad term, and at the board level it typically goes well beyond traditional IT security, but the two tend to bleed together in interpretation. Therefore, I would argue that the true figure for computer and information security is well below 39%, which only strengthens the report's conclusions.
Next are the results on the top three priorities for the board. Despite 56% stating that improving risk management was a priority, 0% said that computer and information security was a priority. Hmmmm. First of all, this substantiates my previous perspective: 39% conveys a far too optimistic view once the interpretation of compliance is taken into account. What this really means, and the very basis of the survey's conclusions, is that the board is not connecting business risk to IT security. I will take this one step further and say it is a complete disconnect from the foundations of information security and its criticality to the business, even though risk management and long-term strategy, interestingly enough, were identified as strategically important and high priorities.
The last element of the survey I will directly comment on is the question of whether boards receive information on, or are involved with, security-related reviews: reviewing and approving the security budget, roles and responsibilities, and policies, and receiving reports from security management. On budget, 5% didn't even know and 61% said never, with only 11% saying this regularly occurs. In short, the board is blind to security budgeting. Actually, in my opinion a more accurate conclusion is that security is rolled up into something more nebulous, e.g., the "IT budget".
Here is a red flag. On the board's involvement in the roles and responsibilities of security leaders, 42% were never involved, 3% didn't know, 30% were occasionally involved, and 6% regularly. I'll sum this up simply: you wonder why security executives have very little authority and all the accountability.
Another interesting finding is that 33% of boards have never been involved in security policies, 20% rarely, and 8% didn't know. Only 15% said they were regularly involved, approving policies and the like; not a good sign.
Lastly, and reflective of the core points I'm going to share below: when asked if they receive reports from senior security management, 26% said regularly, 45% occasionally, 20% rarely, and 9% never.
Now, my perspectives on this particular result and then I'll get into the juicy stuff.
61% saying they're never involved with the budget means that information security is marginalized relative to overall budgeting. This is the very basis of information security not being seen as a priority, and part of the disconnect between risk and information security at the board level. Only 6% being regularly involved with roles and responsibilities means not only that information security is not considered important, but that there is virtually no authority in the security executive team.
I will say that the board not being overly involved in policies is understandable; I can see that. Interestingly, though, it is the board members who could face issues arising from poorly structured security policies, so in many ways they're cutting off their nose to spite their face.
Lastly, I think the fact that reports from security aren't flowing cleanly to the board is very telling.
OK... what does all this mean? Boards don't care about information security, and all indications are that it's on the decline. Why?
Here is my short and sweet, to the point summation... are you sitting down?
It's your fault.
If you are in the security industry, from executive to a guard at the gate, it's your fault. Don't bother arguing with me because I'll win. I'm about to cover a lot of ground, you probably will disagree, and when you're finished you'll still say you disagree, but deep down you'll know I'm right.
On a fundamental level, the security industry feels the need to educate the board and senior executives about security, but puts very little energy into learning about what the board may be dealing with. In my experience I've heard security people say, "Well, they just don't understand," "They don't get it," etc. Then they try to educate the board as if it can't spell security, which can be insulting. Certainly every board member I've ever come in contact with was brilliant, highly educated, and well-rounded. They are definitely not stupid and can rapidly digest complicated information. Just because they may not reflect the same perspective as you doesn't mean they don't get it.
Oh, they get it, but there are a lot of other things going on. They have to absorb a lot of information, reduce it to its salient points, and make decisions every day. The problem lies in the fact that security has yet to make a compelling argument. The industry is so busy trying to educate the board and convey the security viewpoint that it has lost perspective on what is compelling to the business. And to be compelling, it must have relevance to the priorities of the board.
Now here is the bit you're really not going to like. Security has been riding the compliance wave for too long, so long in fact that you're becoming background noise. Before compliance regimes such as HIPAA, GLBA, and SOX set in, security was a struggle and embryonic in the business. Then came compliance, which had implications for the business and the board. Security latched on to this like a calf to its mother's milk. Although compliance is still pouring into the industry, the board has become numb to it. "Yes, yes, compliance with PCI now, get it done, move on." Security's reliance on compliance to define its existence has outlived its value in the eyes of the business, and the resistance to evolving away from this "definition of value" strategy is rapidly becoming the sword the industry is falling on. Moreover, the board is "threatened" by compliance, making the security organization appear to be the "adversary" of the business. The old "or else" argument.
So, in summary, security is not respecting the board, is not compelling to the board, and contributes to the growing divide by using risk and compliance as the basis of its value, when in fact the board is threatened by "or else" scenarios. In other words, security is doing just about everything wrong at the board level and, in some twist of logic, is blaming the business, all the while wondering why the board is becoming increasingly distant.
I've written extensively, for years, on the expanding divide between the business and security, and this survey is evidence of that fact. My book, "Adaptive Security Management Architecture", which will be hitting shelves later this year (expected October 2010), goes into great detail on how this divide manifested, how it's getting worse and why, and lays out exactly how to not only change course, but reverse it.
There are many things contributing to the divide and to why it is continuing to expand, but it all boils down to relentlessly defining the value of the security program in terms of risk and compliance and not demonstrating value to the business. Ironically, this is exacerbated by the complete and total reliance on "risk" as the basis of communications to the board. I know this seems contrary to the survey results, but I'm talking about information security risk management being used as the method of communication with the board. It's not working, and it is doing nothing more than becoming the next iteration of the boring compliance conversation.
The board's view of security today is that it is a cost of doing business, has no relation to achieving goals, and is an old, worn-out drumbeat that has moved from deserving basic attention to being an annoyance.
Security must enable the business, it must demonstrate value (and I'm not talking about ROI..., but VOI), it must align (inexorably tied) to business goals and demands in a measurable and tangible way, and, above all, be adaptive. Clearly, this is not happening. The survey is clear on this point, and the board continues to become less interested.
For example, in the survey, as mentioned above, 26% said they received security reports regularly and 45% occasionally. On its face, this is a very positive result: that's 71% saying security executives are communicating with the board, clearly a majority. However, one cannot avoid the question: are the reports providing any value? Based on the survey's results and conclusions, clearly not.
In fact, I'll go one step further. Security has relied on compliance for so long that it is suffering from it, deeply suffering. Most security groups are more about compliance than security, and we know these are two very different things. Moreover, many security groups have developed compliance frameworks that map different regulations and standards to controls so they can address changes in the compliance landscape rapidly. This is good and important. But the board, which has been trained to see security as a compliance management capability, interprets that capability as a baseline characteristic, nothing that differentiates the business, hence not important.
Of course, security managers and executives frame their message in terms of risk. Risk has become the language from security to the business. On the surface this is meaningful, but without a connection between information security and business risk at the board level, it still comes off as "threatening" rather than "enabling". In short, security has trained itself and the people it serves to see security as a derogatory business feature. Everything is doom and gloom: threat this, compliance that, and nothing about "how to get where you want to go".
A quick story about a company I collaborated with on security. They had what I would call a good security organization: the typical approach, generally getting the job done, but they had hit a plateau and were having difficulty keeping up with the business. For a long time they had been hitting a locked door at the executive and board level. They had a rigid, risk-language, compliance-driven approach to justifying security. They started training themselves to replace "No, you can't do that," as the answer to every question from the business, with "Let's see if we can make that happen." This created a shift in how security was interpreted. They started reporting to executives less about risk and in risk language, and more on how they were helping business units achieve their goals. Granted, risk, threats, compliance, etc. remained in the reports, but they were not the centerpiece; they weren't the basis of communication. Over time the change in the executive culture concerning security was substantial. Today, the security group has an intimate relationship with the board and executive team; they are an essential part of the business's success.
The plateau they hit is where a lot of security groups are today. Moreover, a lot of security groups are changing the "no" to a "let's see" approach. Also, many are looking at business goals. All good stuff. But they haven't stepped over the wall of compliance and risk to "enablement" in the boardroom. I know this runs contrary to everything in the industry today, especially an industry filled to the brim with GRC solutions and marketing reports about how important risk management is. If you're hearing me, you'll see that I'm not saying these are not important, just that they're not what you base your entire program on when it comes to the board and executives.
What I want you to get from this is that any gap between the business and security is security's fault. The fact that it's getting worse should be enough evidence that the approach you're taking now isn't working. Risk and compliance are very important, but they are not compelling to the business at the levels we're talking about. Risk and compliance convey a tone of "do this or else," and the board is growing tired of it. Look, don't think for a second that the board doesn't get it or doesn't think it's important. That's your first mistake. The simple truth is they don't see how it's getting them to where they want to go. Companies are becoming increasingly forward-looking and embracing the entrepreneurial spirit that was nearly crushed in the throes of the economic downturn. The last thing that's going to excite them is more red tape.
I know security – risk and compliance - is important to you. I know you've made it your profession and you're passionate about it – it's what you do. But, that's not enough for the board. You need to embrace the board, understand what makes them tick and position security to help them – enable them – to realize business goals and objectives.
When you start talking their language, they'll start listening.