Alignment is one key to long-term security success
Many information security programs are languishing on a plateau or a mild downward trend when viewed from the perspective of budget and resource allocation. There are many reasons this is true, but one of the most important is a congenital lack of alignment between the information security program and the overall business. Simply stated, if security is not viewed as part of the top-line success of any organization, it’s just another cost to be minimized. And as infosec leaders know all too well, there are plenty of people inside the corporate organization who know how to drive costs down ruthlessly.
eBay President and CEO John Donahoe told Maria Bartiromo, anchor of CNBC’s “Closing Bell with Maria Bartiromo” (segment aired at 1:17pm ET Friday, September 18), that eBay is “significantly safer today than it was 18 months ago,” and went on to correlate that fact with overall growth in eBay customer satisfaction. This is a classic example of alignment. I haven’t talked to CISO Dave Cullinane about this, and quite frankly he’d probably say “no comment,” but that statement coming from the CEO in a live interview with a cable news anchor is like gold. It illustrates that Cullinane and his program are supremely aligned with the business at eBay. eBay has identified safety as one of the critical factors that matters to its customers and has determined to increase safety — along with other key factors — as a key part of its competitive strategy. People everywhere regard the Internet as a somewhat unsafe place to do business. All manner of annoyances and other issues threaten anyone who wishes to purchase something, sell something, perform online banking, or otherwise conduct business on the Internet. Rather removed from this concern is the whole realm of messaging. Remember that e-mail predates the Internet in its application and use within private enterprise. And while e-mail is still fraught with difficulties such as spam and phishing, people have developed coping mechanisms, and there are excellent enterprise tools for dealing with these issues, such that e-mail is now a trusted and routine part of doing business for enterprises today. Commercial transactions, on the other hand, are quite a bit behind e-mail in terms of how the broad swath of potential consumers perceives their safety.
When Donahoe takes a few seconds of his precious on-air time to bring up the question of safety on eBay — it was not a question or an issue brought up by the reporter — he signals that not only has eBay identified safety as a problem they must solve in terms of customer perception, but that eBay believes it has established competitive advantage in this arena and is willing to say so publicly. There is simply no better indication of alignment between an information security program and major enterprise strategy than that.
Now, if Cullinane went on air and said “eBay is safer now than it was before,” he would probably be criticized for boasting or for challenging the bad guys to attack eBay or eBay customers. That is the lot of the information security leader: you must remain a paranoiac at all times. But I also know that eBay’s information security department aggressively identifies and measures relevant metrics about all aspects of its business. I saw a presentation by Caroline Wong – eBay’s very capable Information Security Chief of Staff & Manager of Metrics – around the time of RSA this year that made it quite clear that alignment with the business is a central topic within eBay Information Security. Judging from today’s quote by CEO Donahoe, eBay is well on its way to liberating the information security function from the purgatory of perpetual cost control.
Does your CEO identify information security as part of the top-line success of your business? If not, why not? Of course, alignment does not guarantee continuously upward-sloping budget allocations. In fact, alignment might actually lead to decentralization of information security as various other parts of the business assume direct responsibility for functions that are usually managed within the information security department. But there are certain people who get to eat at the grown-ups’ table when it comes time to plan corporate strategy and allocate resources accordingly: people who directly influence the top line of the corporation. I really hope Dave Cullinane and his staff enjoy the meal!