Published: 01 Sep 2003
Picture yourself, as CISO, standing before two doors marked "Damned If You Do" and "Damned If You Don't," a pitchfork at your back prodding you to choose. CXOs and their boards of directors face the same kinds of choices -- balancing the cost of infosecurity against the risks.
As CISO, you not only have to choose the right door, you need to make sure that the message gets through to your company's board of directors. Knowing how they think is essential to ensure that infosecurity maintains a high profile.
Today's directors live in a harsher world than their predecessors. They're swimming in the backwash of Enron, WorldCom, Global Crossing, etc. Regulatory compliance is very much on their minds. Directors don't want to be "SarbOxed" -- failing to meet Sarbanes-Oxley Act obligations for fiduciary clarity and truthfulness on the part of officers and directors.
Nevertheless, you may face an uphill battle selling infosecurity to the board. Audit and infosecurity are both essential to corporate compliance with laws and regulations and to the continued financial health of the corporation. However, board members are more comfortable with the role of IT audit than infosecurity, the occasional spectacular failure (think Arthur Andersen) notwithstanding. Boards don't care about "good security," the adage goes, they care about "good enough security." Infosecurity is less clearly defined than audit, with fewer standards, and a limited set of requirements. Demonstrable return on security investment is, to say the least, elusive.
That makes your job tougher. You need to understand what directors are concerned with and develop a strategy to sell the message that infosecurity is critical. We'll talk about that strategy in three broad steps that will help put you and your board in sync.
Step 1: Know Your CEO
Depending on your organization's reporting structure, chances are the CEO is the one who will deliver the infosecurity message to the board. He or she, in turn, gets the message from you. Win the heart and mind of your CEO and, hence, the board. Here's how:
Make sure you have a regular forum for discussing infosecurity. If possible, hold regular one-on-one meetings. These are your opportunities to keep the CEO up to date on your company's major risks and protective measures. You'll also want to keep him or her current on laws and regulations that can affect your enterprise.
Be opportunistic.CEOs are very selective about what they present to the board and make a special effort to anticipate what might be on their minds. You can take advantage of this to put infosecurity on the agenda. For example, a well-publicized computer crime, abuse or mishap is bound to have their attention. That's a golden opportunity to encourage your CEO to update the board on your company's security posture and perhaps push key initiatives.
You can do the same with incidents within your own organization. For example, when I was briefing a CEO on the state of his organization's infosecurity, he became very angry when I mentioned several incidents I'd learned about.
"If I find that anyone has stolen from this company, I want that S.O.B thrown into prison," he said. "I don't care who they are. They cannot steal from the shareholders." I immediately responded that this wasn't the kind of message that I was hearing from too many other CEOs and suggested that his board, as well as his direct reports, would be interested in hearing it as well.
Raise your infosecurity profile outside your corporation. This can put some muscle behind your message. Stress issues that you want your officers and directors to hear. Then send copies of your presentations or articles with a request that your CEO distribute these to board members.
Point out how good infosecurity can be a value-add for your company. Strong security can be a selling point. If you're a financial institution, for example, you can promote your security posture as a selling point to potential customers.
Use well-accepted techniques of finance and decision science to justify infosecurity investments. Business executives spend money based on ROI, and may not react well to the old approach -- playing on unquantified, albeit very real, fears. It's not always easy -- the available solutions often don't lend themselves to a by-the-numbers analysis -- but your best shot is to present an objective and quantified estimate of the returns on infosecurity investments.
Step 2: Get a Board's-Eye View
All boards have purview over infosecurity, but not all deal with it in the same way. Find out where the responsibility for infosecurity falls within your board structure. For example, if it's an audit committee responsibility, a friendly discussion with the CFO and/or audit director could give you excellent insight on how best to approach the board. You might even be asked to brief the committee on the company's information controls.
One helpful strategy is to get to know your corporate attorney. You can learn how to secure information in a legally appropriate manner, and your counsel will learn about the complexities of infosecurity, how your organization meets (or doesn't meet) essential security measures, and the growing literature on computer risk. Your corporate attorney will see you as a valuable resource, who can serve senior managers as well as the directors.
While infosecurity is crucial to the company's future, it's in competition with other critical priorities for the board's attention -- like making the next quarter's numbers. You can use this to your advantage. Demonstrate that a major computer breach could mean that next quarter's numbers may be considerably lower.
Increasingly, boards are receiving guidance documents and executive briefings about infosecurity from such organizations as the Information Systems Audit and Control Foundation (ISACF), the Directors Roundtable, the Institute of Internal Auditors, the Bank for International Settlements (Basel II Accord) and the National Association of Corporate Directors. These documents speak the directors' language -- it should be your language as well. They underscore the director-level view that infosecurity is a governance issue, seen as a subset of organizational risk. The ISACF report, for example, emphasizes that infosecurity governance should deliver four basic outcomes: strategic alignment, value delivery, risk management and performance measurement.
These documents also cover industry best practices and infosecurity governance. Anticipate that these matters may come up at a board meeting and brief your CEO accordingly.
In this way, you can link the changes that you have planned or implemented to what board members are increasingly understanding as their responsibility. Talk about how you are developing a new vision of the charter of corporate security, where security is everybody's responsibility. Emphasize how infosecurity is a service that helps business leaders succeed and contributes to productivity, profitability and growth. That's a message to gladden the heart of any board member.
Step 3: The Infosecurity Message
As you develop and implement your strategies to communicate and sell the infosecurity message to your directors, reinforce three themes that should resonate in the boardroom:
Information security may be the major corporate risk. It's almost impossible to commit a financial, economic, white-collar crime in a corporation today without using a computer. That means that the robustness of your company's safeguards over computerized transactions will directly affect other key risks. Information may be the strategic asset; therefore, information protection becomes a critical business issue. Inadequate info-security translates into computer crime, reduced profits, loss of market share and damage to your company's reputation.
Information protection is now mandatory. Laws, regulations, insurance requirements and shareholder expectations now make information protection a business requirement. Consider the recent California law (CA 1386) -- and similar proposed federal legislation -- requiring the notification of individuals whose personal information may have been revealed. Senior managers and directors find themselves in a new legal jungle in which laws like Gramm-Leach-Bliley and Sarbanes-Oxley hold them accountable. Even the Federal Trade Commission (FTC) has gotten into the act recently by citing a company for not having the level of infosecurity claimed on its Web site. The FTC warns that it's looking for other instances in which it might require adoption of a comprehensive security program.
Executives and directors now are the official owners of information protection. Senior managers and board members can't push this problem off to others. They now own the information protection problem.
While many board members understand their personal liabilities in the post-Enron era, they may not be prepared to become chief corporate cops. Relatively few know how to determine whether the corporation is in a good legal position and that they and senior executives are protected.
Once, I consulted with a financial organization and asked senior executives to give me an estimate of the extent of computer fraud in their company. The answer from every one of them was $10 million. They all quickly added that since business profits were so good, the estimated loss was "a nit" -- no big deal. The CEO echoed their words. I kept thinking that directors, shareholders and SEC officials would not be so blasé?
Your directors should know the new facts of life about crime and punishment. Sarbanes-Oxley, for example, has criminal as well as civil sanctions to assure compliance. Judges are sentencing white-collar criminals to longer terms -- hard time, not in "country club" jails.
The key to your success will rest upon building a strong relationship with your directors through the CEO and other key corporate officers. In the final analysis, perhaps the point isn't really to think like a director. It's to make sure everyone is thinking along the same lines and has a shared vision of corporate security.
About the author:
Sanford Sherizen is a Massachusetts-based infosecurity consultant.