What We Learned About Security in 2009
2009 was a tumultuous year for the country, the economy, and for many information security programs and professionals. Although Forrester's Andy Jaquith (Twitter @arj) surveyed security practitioners in March and concluded that three out of four programs had not been cut, my own experience talking with colleagues and clients over the year has been different. Many organizations have severely cut back, decided not to fill open positions, or otherwise limited financial resources that might otherwise have been available to information security functions. There's nothing wrong with this; organizations and economies ebb and flow, and practitioners and leaders in information security need to be ready for the inevitable cutbacks, just as they prepare for and advocate for the important new initiatives.
But we did learn something very important about information security in 2009. How firms and their senior leaders internalize risk and make decisions about risk was laid open to public view in 2009 in a way that had never before been possible. When discussing risk management programs in the past, I've always pointed to the financial industry, with its chief risk officers, chief investment officers (the other "CIO") and generally sober and serious approach to all things risk, including audit and compliance, as the paradigm for risk management. But in 2009 we found out that was not necessarily true. Senior managers throughout the financial industry made risky decisions, "bet the farm," and otherwise increased their firms' exposure way beyond the levels of risk typically underwritten by information security departments, and did so in the face of clear evidence (clear now, with 20/20 hindsight, I admit) that a crushing downturn was coming. Several senior leaders are no longer in their positions, in part because of the fallout from these decisions and a general leadership style that ignored or winked at this risky orientation. And all of this took place against a backdrop of what have been argued to be unjustifiable compensation packages, given the poor performance of many financial institutions (car companies, too) and the resulting taxpayer bailouts.
What wisdom should we take from this? I believe information security professionals have been given some of the best data points yet available about how firms and senior executives are likely to internalize risk that affects their organizations and their organizations' major stakeholders. This should influence how we communicate about information security risks and the other risks inherent in the information technology function. Many senior executives were paid for taking too much risk, and paid very, very well for it. The upshot of the mortgage meltdown, credit crisis, and resulting economic malaise is that unless organizations change dramatically, a risk-based approach to persuading business leaders of the advisability of implementing new information security controls and tools is less relevant and less likely to succeed than ever before. In short, it is not enough to frighten them with the implications of the big breach or the potential expense of a forced remedial compliance effort after some other security incident. Senior leaders' behavior toward security and other technology risks, which are far more esoteric and difficult to estimate than the kinds of financial risks that brought down some of Wall Street's biggest names, is likely to be even more freewheeling with corporate resources than ever before. I reiterate that this conclusion depends on a general continuation of the trend toward more aggressive risk-taking with company resources. If something happens to change the culture of how organizations view risk and accept risk on behalf of the firm, its shareholders and other major stakeholder groups, this could turn out to be an incorrect conclusion. However, there is no evidence whatsoever that the incentives for taking excessive risk have lessened, nor do we see increases in the penalties and disincentives for taking too much risk or for bearing the inevitable losses that come with it.
No, it will become easier, not harder, for managers to say "we can't afford that level of security," or to say "we'll run noncompliant for another year and see what happens," after you present the implications of not being compliant with PCI again this year. There is simply nothing to counterbalance the tendency for organizations to take too much risk and let others underwrite the losses. In fact, what used to be "career limiting decisions" in the vein of accepting too much risk are now clearly in the realm of "moral hazard." Top executives make so much money today that if something bad happens on their watch, they simply retire and go into consulting. Or maybe someone will bail them out, too. The millions they've been paid in cash and options will more than easily sustain a comfortable retirement, even for the yachting crowd. And as for those "clawbacks" (of excessive compensation) we've heard about, the inevitable litigation will likely be almost as painful as the losses themselves, so we won't see many of those either.
As a profession, information security must get better at defining and quantifying the risks inherent in not attending to information risk management. Simultaneously, we must continue to shift the emphasis from a risk-based justification for info security to a revenue-based justification. If the 1990s were years of “information security enabling the business,” then the decade just completed has been about learning that enablement wasn’t enough. And the decade to come will be the one in which information security managers will be forced to take their place among those who generate revenue for the business and in so doing closely align information security with the products, services and customers of the company.
I've always advocated that information security managers keep a fresh copy of their resume at home. This is less humorous than it used to be. Information security managers are increasingly the "designated scapegoats" for the kinds of breaches and losses that are all too frequently occurring in IT today. But if there continue to be no real barriers to the moral hazard of accepting too much risk on behalf of shareholders, and senior executives continue to be paid handsomely for short-term revenue, profit, and stock price objectives, then selling security based on risk alone will become "old hat" this year.
Here’s to a new year filled with new assurances that the vital information we manage is well protected against the increasing threats to it. With that I know we’ll all have a very Happy New Year in 2010.