CEOs may never, and should not, be experts in IT security, but they need to be more aware about information security and governance to aid decision-making, according to industry observers.
A recent study by the Ponemon Institute showed that CEOs and senior executives hold differing views on corporate IT security posture. Commissioned by Ounce Labs, the survey of over 200 executives revealed that CEOs were more confident than other C-level executives that a data breach can be avoided. Compared to other respondents, they were also less aware of data breach incidents.
Nariman Karimi, senior vice president and CIO of DHL Express Asia-Pacific, told ZDNet Asia in an e-mail interview that the fundamental roles of the CEO and Board executives make it difficult for IT security to be their top priority.
"CEOs...are more pre-occupied with the normal day-to-day operation of the business along the lines of enrolling new customers or accounts, launching new products and services and maintaining and gaining market share," he noted. "Information security, although important for the business, is not at the top of their daily agenda--frankly, nor should it be [as there are experts for the role]."
Karimi continued: "To expect information security, IT infrastructure governance and other IT issues to be on top of the CEO's agenda is...like [having] a football team where everyone just follows the ball all the time instead of a well-structured team [manning] designated positions."
Tips on helping C-level assess security right
1. Break the topic down to relevant elements specific to your organization, and break it further down to elements that the board can do something about--avoid heaving the whole information security topic on everyone's plate. Be clear on what you need from C-level and Board executives that no one else can provide.
2. Take ownership of the elements that need to be and are covered by IT already. Show which vulnerabilities are already covered so that they have a realistic and holistic picture of what the company's security status is. Clarify IT's role and show that you are not a detached observer of the business game! Be a team player and cover a patch.
3. Make the presentation relevant and tailored to your company, market and nature of operation--generic statistics and graphs that lump banks and cement factories, or multinationals and local businesses, to show "average-dedicated-resources-needed-for security" are likely to alienate.
4. Put the investment needed in the context of "real" stakes--having voice recognition and fingerprint technologies to authenticate systems which at worst would incur a few thousand dollars' worth of damage is probably overkill.
Chief executives' definition of security, he added, is typically associated with hackers trying to steal company secrets, rather than a broader spectrum that includes disaster recovery, erroneous data input or denial-of-service. CIOs and security chiefs, on the other hand, have a wide-ranging understanding of the threat landscape.
CEOs also have a natural tendency to be "optimistic about capabilities rather than guarded", he explained. "Most CEOs and other board members are externally focused--they spend the majority of their time advertising the capabilities of the company externally to customers, [which has a positive impact on] their views of internal capabilities."
Edison Yu, industry analyst for the Asia-Pacific ICT practice at Frost & Sullivan, added that CEOs do not have KPIs (key performance indicators) relating to the IT security posture of their organizations. "As a result, it is inevitable for CEOs to be more generous in giving their security systems the thumbs-up, as compared to CIOs or CSOs who are more cautious."
CEOs, he noted in an e-mail, may also assess their corporate security entirely based on their security spending, believing that as long as they keep up spending levels, their organization would be adequately protected.
IT and security heads also "have not done a good job" in convincing their CEOs of the ROI for security, noted Yu. IT security is still very much perceived as a cost, rather than an investment, these days.
"Disparity between a CEO or CFO, and CIO or CSO is natural and probably inevitable in an organization," he said. "At the end of the day...there is definitely a strong rationale for CEOs to be inculcated with the mindset that security can be a form of business risk or business enabler."
The key, he pointed out, is to build up a level of "healthy tension" between two parties who possess adequate levels of knowledge in order to make informed decisions.
Gerry Chng, partner of advisory services at Ernst & Young, pointed out that on the whole, business owners and senior executives increasingly recognize that more needs to be done to protect corporate information. Heavy investment in security infrastructure and processes, however, may not necessarily address key information security needs of business owners.
"The disconnect seems to arise from the fact that IT is typically managed by technologists, who place emphasis on relying on technology to solve security issues," Chng said in an e-mail. "Over the years, we have seen the obsession with hype on technology, where IT tries to secure the infrastructure and tangible assets, [such as] data centers, servers [and] databases."
"What the industry has generally missed is that it is the business information that should be protected, and not the physical assets that are used to store, process, or transmit the information," he noted.
Ultimately, DHL Express' Karimi pointed out, everyone in an organization needs to play a part in maintaining its IT security posture.
"IT should avoid becoming the 'policeman' and, by being so overly protective, absolve all others of any responsibility for their information," he said. "We secure networks; however, in the average bin of the photocopying room there are many company secrets waiting to be picked up."