CFOs Need To Sober Up to Security Realities

Wednesday, May 19, 2010

Anthony M. Freed


For many organizations, network security is still considered a technical cost-center that is approached from the standpoint of compliance and an anticipated return on investment, with little consideration of the very real threat to overall enterprise risk.

The continued underestimation of the impact a data loss event can have on the viability of an enterprise is of particular concern when publicly traded companies are considered, as individual and commercial investors have little or no idea how such an event will affect shareholder value.

Just ask the investors at Heartland Payment Systems (HPY), who are only now seeing the company's stock price approach anything near its pre-breach-announcement level, and the effects of the event are far from over.

As the responsibility for mitigating all enterprise risk ultimately lands in the lap of the Chief Financial Officer, it's time for CFOs to truly understand that the steady stream of techno-babble related to threats and system upgrades emanating from their IT departments is more than just overly excited geek-speak.

Fundamentally, IT systems security is at the heart of all enterprise risk abatement, and CFOs need to recognize they are way behind the curve in this respect when it comes to protecting their company and the bottom line.

And it's not just the CFOs who are fumbling the ball. The problem also stems from the inability of security professionals to effectively translate the message of vulnerability into the language of the boardroom: Risk.

Jeffrey Carr, who consults with U.S. and foreign governments on cyber intelligence matters and is the author of Inside Cyber Warfare, had an article in Forbes that should serve to keep CFOs up nights; however, it will probably go largely unnoticed.

If you are a security expert, there are no surprises in what Carr has to say, as these simple "knowns" are the most basic tenets of information security:

  • You cannot protect all your data
  • You cannot stop every attack

From the security expert's perspective, these facts are the driving force behind everything they do in their professional capacity on a daily basis, yet this is not the message being conveyed to the CFO.

Stark realities such as those Carr pointed out just don't return larger security budgets, as gloom and doom is generally unappetizing to spin-happy executives who are responsible for communicating risk levels to both regulators and investors.

Carr goes on to say in his article, "Once you understand that you cannot stop every attack, and that the attacker has a vast advantage over the defender, the next logical action to take is to reduce the number of attack vectors that a potential adversary may choose from."

Again, this is security 101, but for CFOs this should be a revelation. When the simple truth that critical systems can really only be defended and not wholly protected from interlopers is considered across the broad spectrum of industries that comprise our economy, the implications are staggering.

Even in the midst of ever-larger data breaches and the sharp uptick in cyber-related criminal activities, sectors like communication, finance, healthcare, legal - and those that govern our critical infrastructure like the emerging smart grid - are rushing headlong into the implementation of systems that dramatically increase the risk of a serious security event.

It's time for a serious discussion regarding the true nature and very real implications of technology-inspired risk, and it's time for security professionals to deliver a clearer message on the actual state of network and system vulnerabilities.

It's also time for CFOs to fully account for the expansion of risk in the digital age, and to accurately estimate the potential impact on shareholder value.

Andrew Baker Very good points, Anthony. Part of the problem is that even when the risk is presented in business terms, the fact that technology can be used to mitigate some of it gives senior managers the impression that it should be possible to eliminate it.

Risk is simply not clearly understood -- less so, when technology is involved. There is a tendency to assume that the likelihood of the risk occurring is much lower than it is, unfortunately.

Katie Weaver-Johnson Great points Anthony and I definitely agree that many organizations rush to implement technology tools as a "quick fix" and in turn expose themselves to more risks and vulnerabilities.

As you said:

1. You cannot protect all your data.

2. You cannot stop every attack.

We are always playing defense. A colleague of mine used to always say, "We need to be one-step behind the bad guys at all times." It is impossible to always be in front of them.

James Mulholland It's all about exposure and having the knowledge to understand whether it is increasing or decreasing relative to your assets. At some point the cost of risk abatement exceeds your budget and someone steals your lunch while you are helpless to stop them.

It's my impression that the willingness and expertise required to identify and manage evolving risk is in short supply. For the most part risk assessment is taken as an afterthought when implementing strategies that have profound risk consequences across the enterprise. My guess is that shortsightedness and self interest tends to drive the trend toward greater levels of exposure. I can't think of too many people that would refuse to play a lottery with another person's money if the payout exceeded their exposure. That formulation yields a demand for your risk that approaches infinity. At the core of this lies the fundamental concepts of game theory. Serious thought should be given to the potential beneficiaries of any strategy and who it is that ultimately will underwrite losses. Lacking a true awareness of the calculus of risk posed by any action will undermine any attempts to safeguard the longevity of the enterprise.
Peter Abatan Great points Anthony, this brings home the argument for ethical hacking to continue to push and test current security systems to the limit. Apart from this there is a need to deploy all the necessary security tools that match the enterprise's profile.
Geri Fultz I think we sometimes overstate what should be an "alarming revelation" for a CFO. Yes, information security and IT Risk are important, and they're certainly very important to people that subscribe to Infosec Island (just guessing...not CFOs). Even if you are top-notch at translating infosec/IT risk into business risk terms -- and you should be -- in my experience, it's not that CFOs don't care about InfoSec/IT Risk, it's just that, at many companies, it falls behind credit risk, market risk, and general compliance risk (and not just compliance in terms of SOX, PCI, HIPAA or privacy, but all the other laws/regs that they must comply with). CFOs have experienced LOTS of very expensive pain in these other risk areas, so who can blame them? In addition to speaking in business risk terms, we should understand all of the things that can hurt our organizations -- i.e. ENTERPRISE risk management -- and have a realistic view of exactly where we rate in that grand scheme of things. CFOs have a lot to worry about.
Anthony M. Freed If a company puts off an expensive firewall upgrade for a few quarters to make the balance sheet more favorable to their investors, and assuming they are still "in compliance" from a security standpoint, should the CFO include the decision to postpone upgrades in their SEC filings?

Does that budgetary decision about security outlays classify as material information about shareholder risk?

And do we want to run the risk that it will be the courts and the trial lawyers who make that determination?

Lots of gray area where financial regulations intersect with information security best efforts.
Ian Tibble In corporate environments, usually when one encounters phrases like "a real grownup discussion" in security, it means something along the lines "please don't talk about IT".
Another paragraph here "... it's time for CFOs to truly understand that the steady stream of techno-babble related to threats and system upgrades emanating from their IT departments are more than just overly excited geek-speak." I agree with this, but personally I have never heard much geek-speak coming from IT security teams, because in corporates these days, there are no geeks.
I have affinity to many of the sentiments in this article, especially "the inability of security professionals to holistically translate the message of vulnerability into the language of the boardroom". However I think it's more the case that security pros know the language of the boardroom, but they don't have a clear picture of vulnerability.
If a security pro can understand how the organisation's information assets relate to the organisation's finances, then they are able to translate vulnerability into the language of the boardroom. The problem is that for the past 10 years there has been a growing distance between the real world of IT and the world of security professionals which is CISSP and ISO 27001. Security pros these days are, in the vast majority of cases, not at all versed in IT whatsoever. This means they exist on an island in the business, where they cannot engage with IT or network operations.
Earlier, say late 90s, security was all geek-speak with total disconnect from and stuff. What happened then? An over-compensation away from IT. The overall result? Boardrooms have never been well advised in security. They know they should be doing something about it...but they gave up trying to get decent advice on the subject.
The first step to solving a problem is the realisation of its existence. Right now, we have not even passed this stage.
The overall goal has to be to cultivate skill sets and certifications that are not in disconnect with IT, along with professional certifications that prove a pro has the right knowledge. This at least would help to foster trust between the boardroom and the risk management pros.

Andrew Baker Ian, I'm not sure I can agree with your premise. I see a fairly close connection between IT Security or Information Security and other operational IT teams. In many cases, these are still closer to IT than to the board room. And I don't agree that IT risk is not clearly articulated in business terms. Not from my experience or that of several colleagues.

I think that the original article makes an excellent point:

-- CFOs need to stop and learn about IT risk, rather than putting the onus on someone else to articulate it for them. It has to be a shared responsibility.

-- The failure to accept that some risk will always exist with InfoSec is prevalent -- and strange. If one has operations in a hurricane or earthquake zone, then one accepts that such a catastrophe is possible, and that such risk cannot be 100% eliminated. Yet, with information technology risk, the question is always asked: "What can we do to eliminate the risk of xxx?"

This unwillingness or inability to accept that technology risk cannot always be eliminated, and that it is incumbent on the people who deal with risk to be able to understand where that risk fits in their overall enterprise, is why we continue to have problems getting the appropriate funding or support for policies and procedures that would mitigate the risk to acceptable business levels.

Both InfoSec practitioners and the business leaders would be better off if the rules of engagement and risk acceptance were more clear and operated within the same standard as other business risks.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
