why execs and security seem to be behind the curve

When you can get a report on the attitudes of 213 execs with regard to security, you definitely have to check it out. Sadly, the report is only available if you pay, but Dark Reading has a quick synopsis of it. The synopsis looks at why execs are not taking security more seriously.
I love their first conclusion that most execs see security as an operational function (part of facilities) and not a strategic one. Far too often (whether due to perception, a failure to take responsibility, or execs simply not knowing their own role) no one thinks about what the true purpose of a CEO is. CEO duties should be strategic, and as such, CEOs do not want to deal with mere operational trivialities. Those are rightly delegated down to upper-level managers and the like. Some small and medium-sized companies have CEOs who tend to meddle in both areas (especially when that person holds multiple titles, such as CEO and President), but this should always be evaluated: Where should the buck truly stop for non-strategic issues in a company? Who is signing off on operational budgets? Unless the company's purpose is security or some other critical infrastructure that depends on computer systems, the buck will stop lower than exec levels.
Some other reasons posed: security managers tend to be separate from other business managers, which in turn gives them few allies to leverage for budgets and attention, and they don't know how to align with business objectives.
Execs see security only under certain circumstances, their main motivators being: meeting government and other regulations, protecting confidential information (I bet that refers to internal company information and IP as opposed to customer data), and business continuity.
What can security managers do? They can reach out to the rest of the business. They can pair up with risk managers. They can get more face time with managers so that they gain allies aligned with their initiatives. They can create metrics that execs can understand so they can get the budgets to do what they need to do (e.g. cost of business interruptions, vulnerability assessments, and industry benchmarks). The big theme here is to align with other business managers.
One thing this report on the research does not touch on is something I think could help as well. Security is almost always seen as a punishment vehicle, where the freedoms of managers and employees are limited a bit more. Most people think they would rather be free of constraints (the security function) than governed by them (oddly, I think most people thrive best under constraints and are lost like sheep without fences when given free rein). This means security is seen as a negative money sink that keeps slapping their hands when they want to do things or make money. Really, few people like security. And when they are indifferent, they are usually just denying what can happen (for instance, we all know how easy it is to have our house broken into, but we don't buy alarm systems because that is an overt acknowledgement that we could be broken into; by not buying the alarm system, we subconsciously pretend it is not a problem to worry about… denial).
I feel that security could best be aligned with IT functions (or be integrated deeply into IT functions) or with financial functions. Having a very separate security entity, I bet, can be a very isolating experience in a company.
Thankfully, I am not a manager, nor do I expect to be one for at least another 5-8 years, and all of this is just more information in my head to help me keep an eye on the big picture.