[ISN] What your CEO thinks about security (and how to change it)

InfoSec News isn at c4i.org
Thu Oct 21 04:11:29 EDT 2004


Advice by Larry Ponemon 
OCTOBER 20, 2004 

Up to now, enterprises' security budgets have been so lean they could
almost be considered anorexic.  That's because CEOs have considered
security necessary but haven't bought the argument that there is an
economic advantage to going above a minimal level of security.
Unfortunately, CEOs have persisted in focusing on four basic questions
that too often stump even the most savvy IT professionals:

* What is the security return on investment? 

* What is the probability of a catastrophic security failure? 

* What is the cost of self-insuring against security risks? 

* What are the tangible benefits of being an industry leader for 

To help IT professionals talk to CEOs about security issues, a newly 
formed think tank called the Security Leadership Institute, sponsored 
by Unisys Corp., has conducted in-depth interviews with CEOs and board 
members. Board members of the institute (including myself) -- 
recognized security experts from business and government -- 
interviewed more than 25 CEOs and public-sector agency chiefs, 
focusing on what they think the value proposition of security is to 
their enterprise. We believe that the results from our work will help 
IT professionals make the case for the many benefits that can be 
realized from a more robust investment in security. 

What We Learned 

Most CEOs interviewed in our study viewed both physical and 
information security as purely tactical, rather than as a strategic 
imperative. In their minds, security means either protection of assets 
or prevention of IT-related risks, such as hacking attacks and other 
cybercrime. Some CEOs viewed security as an element of a larger 
business risk-management process. In almost all cases, though, CEOs in 
the private and public sectors did not embrace security as something 
directly related to corporate mission or strategy. 

In short, the CEO perspective was consistent with what we already 
knew. That is, they view security as an operating necessity, not as a 
business opportunity or marketplace advantage. The following are a few 
of the comments these leaders made when asked to explain, in their own 
words, the value proposition of security: 

* Security is all about preventing bad behavior from affecting our 

* The only value of security is the prevention or fast detection of a 
  breach or violation. 

* There is no real value in becoming the industry leader or exemplar 
  for security. 

* Too much security and a control orientation will prevent our 
  organization from taking justifiable risks. 

* Most security technologies don't work and are a waste of time and 
  resources for our company. 

* Security spending is a pure cost of compliance. 

* Security is best handled as a middle management responsibility. 

* Most security problems occur because of sloppy internal procedures 
  rather than poor IT controls and safeguards.

Despite the consistently nonstrategic tone of the responses, we 
decided to probe further based on our gut instinct that there was 
something more to learn. We believed that CEOs understood the 
consequences of bad security practices but couldn't quite articulate 
the value proposition of good security. So we asked questions that 
focused on outcomes or consequences of maintaining a secure 

The Trust Factor 

The answers to those additional questions revealed that CEOs fully 
acknowledge the value of having a secure environment as a way to 
protect brand and reputation. In their minds, superior IT and physical 
security practices are necessary to achieve organizational 
trustworthiness in the eyes of key stakeholders. 

According to our interviewees, organizations that do it "right" in 
reaching a high trust status achieve real advantages, such as employee 
productivity, customer loyalty, product or service innovation, reduced 
failure and decreased compliance risks. 

We asked them to define what they would consider to be a trusted 
enterprise. The definition below is based on common themes that 
emerged from our discussions. 

 "The trusted enterprise is an organization embracing a set of 
 corporate values and behaviors that guide all business practices. 
 It is a highly ethical organization that treats its customers, 
 employees, partners and shareholders with respect and stewardship. 
 The CEO and board are deeply engaged in managing the organization's 
 operating risk in a way that delivers maximum value in a safe and 
 secure environment."

We collected several interesting case histories from CEOs that help 
explain their view of the benefits of becoming a trusted enterprise. 
Here are just two examples: 

* A regional hospital is investing heavily in technology to increase 
  facility security and protect its patients, particularly infants. It 
  recently implemented a wireless solution to track employee movement 
  within the hospital. Although there were initial concerns from 
  nurses that tracking would be used as a tool to measure productivity 
  surreptitiously, they soon discovered the real benefits. Not only 
  did patients and newborns' parents gain greater security and peace 
  of mind; the messaging capabilities also allowed more mature 
  patients to communicate their care needs directly to their nurses 
  rather than through room-to-room paging systems. Nurses found that 
  the tool helped them deliver superior patient care. 

* A Canadian technology company working to comply with U.S. Department 
  of Justice security requirements discovered the unintended benefits 
  of speed and operational excellence. As they sought to meet security and 
  network availability requirements, they developed new processes and 
  applications that reduced their computer restore and repair time 
  from a day to minutes. They are now exploring packaging these 
  applications to create a new set of products and services to offer 
  their customers. 

Becoming a Trusted Enterprise 

So, what does it take to become a trusted enterprise? First, according 
to the CEOs, a trusted enterprise manages its security 
responsibilities in a more holistic way than less trusted ones. For 
example, trusted organizations are more likely to integrate security 
into core business processes and to establish oversight and governance 
through cross-functional teams that span the entire enterprise. 
Second, they know it is important to have a highly secure environment 
to protect brand and image in the marketplace. For example, trusted 
organizations are more likely to have implemented IT resilience to 
endure attacks by malicious employees or hackers. 

According to CEOs, the trusted enterprise achieves harmony between 
security and business goals by pursuing four basic operating 

* Proactive management of operational risks, such as security and 
  internal controls, by paying close attention to early indicators of 
  problems that might diminish the entity's brand or reputation in the 

* Transparency in core operating practices, especially those 
  concerning the ethical use and sharing of sensitive or confidential 
  business information. 

* CEO and board understanding of the organization's risk profile, 
  providing executive-level support and necessary resources to achieve 
  security goals. 

* Compliance-savvy culture, with clear accountabilities for security 
  and control promoted and vigorously monitored throughout the 

Take Action 

If you find it hard to talk security with your CEO, here are five 
issues with potential business impact that resonate with top 
executives and could be excellent points to include at your next 

1. We need to stay ahead of the curve on new and emerging regulatory 

2. We will aim to have fewer network security breaches and downtime 
   from network failure. 

3. Our programs will provide better control over assets and our 
   intellectual properties. 

4. We will empower employees to understand their responsibility in 
   creating a secure workplace. 

5. We will create a culture that respects the importance of protecting 
   information entrusted to the company's care.

While security may not be a top-of-mind consideration for senior 
executives, the Security Leadership Institute's research indicates 
that trust will get their attention. We now believe that CEOs really 
can see the need to incorporate security as a foundation for their 
trusted enterprise. 

Dr. Larry Ponemon is chairman of Ponemon Institute, a think tank in 
Tucson, Ariz., dedicated to ethical information management practices 
and research. Ponemon is an adjunct professor of ethics and privacy at 
Carnegie Mellon University's CIO Institute and is a CyLab faculty 
member. He can be reached at larry at ponemon.org. 