Chapter 6. A Matter of Governance: Taking Security to the Board

IT security has evolved markedly from its early roots as a tool that perfunctorily protected an organization and its assets. Attacks cause greater collateral damage today, and attackers themselves can just as easily reside within an organization’s walls as outside of them. Worse yet, inadvertent attacks caused by sloppy or careless employees can be just as damaging to a company as those perpetrated by persons with ill intent.

The argument for enhancing security in any organization should not stray from basic financial analyses that are fundamental to all investments a company can consider. Return on investment (ROI) modeling is critical to ensure that investments bring value, regardless of how indirect that value might be. The value proposition of enhanced security is that it can aid in ensuring the long-term viability of a business by allowing an organization to concentrate on its core mandate, with fewer unnecessary, and potentially debilitating, distractions.

This book was written to address a number of distinct challenges. IT managers need tools to create a sound business case for security investing, including a process to better understand their organizations, an effective path to garner support, and ultimately, a financial model that could illustrate necessary returns. Senior executives need a forum in which technical terms are presented in an accessible format and in which security issues are discussed in business terms. This chapter has a markedly different mandate; it addresses an organization’s senior executives and board members. The discussion explores corporate governance and the softer issues of security deployment by attempting to ascertain the true ROI of investing in security, namely, return on prevention (ROP).

This chapter covers the following topics:

• Security—a governance issue

• Directing security initiatives

• Establishing a secure culture

• Involving the board

Security—A Governance Issue

Proposals of any kind, security investments being no exception, demand the inclusion of certain fundamental components: Cost–benefit analyses need to be performed, metrics need to be put in place, and value propositions need to be clarified to ensure that expenditures are necessary and that returns are both positive and measurable. IT managers must justify all investment proposals appropriately, using the tools in this book to guide them through the process, but that is only part of the equation. After the necessary data has been compiled, the decision to invest in greater levels of security moves beyond sheer financial modeling. The wider implications inherent in return-on-security investing require executives and members of the board to consider the softer and less quantifiable issues that are pertinent to every organization. Ultimately, security investing represents an active business decision that expresses an organization’s tolerance for risk, cyber or otherwise.

In a speech at the National Cyber Security Summit in December 2003, Secretary Tom Ridge of the Department of Homeland Security acknowledged that in the first six months of 2003, more than 76,000 incidents had already occurred, many the result of hackers just going about their work. Expanding on that thought, he said, “A few lines of code could ultimately wreak as much havoc as a handful of bombs.” The issues are very real; the challenge facing investment proposals is keeping alarmism out of the equation when determining a value for events not happening. Governments globally can create measures to protect both hard and soft structures, but much of the cyber-world rests in the private domain.

Secretary Ridge amplified this thought in his address when he stated, “Eighty-five percent of our nation’s critical infrastructure, including the cyber-network that controls it, is owned and operated by the private sector. We need businesses … to lead the way.” He went on to say, the “success of protecting our cyberspace depends on the investment and commitment of each … business.”[1] Security governance requires organizations to take a broader perspective, understanding that the more successful a security investment is, the less visible and less measurable its results will be.

Directing Security Initiatives

Developing corporate security initiatives that can effectively permeate every sector of an organization requires leaders and members of the board to embrace a culture that leads by example. This section considers the following topics:

• Steering committee

• Leading the way

Steering Committee

The establishment of an executive-level steering committee is discussed in the preceding chapter. Comprising senior managers culled from an organization’s varied departments, the steering committee should be responsible for the following items:

• Vet all security-related issues, plans, and proposals

• Determine the necessity and viability of each proposal, including the following:

– Security requirements addressed

– Business justification

– Payback period

– Softer and less quantifiable sociopolitical concerns

• Guide, implement, review, and renew security initiatives

• Balance system functional requirements against business requirements

• Ensure that measures are consistent with the organization’s tolerance for risk

• Be the drivers of a security establishment within their own domains

• Ensure that all departments and all personnel are duly represented by the committee

• Report directly to the CEO, and through him or her, to the board

The establishment of a security steering committee can bring unexpected results, as discussed in Chapter 5, “Policy, Personnel, and Equipment as Security Enablers.” Most importantly, it gathers under one umbrella an organization’s most senior executives and relies on them to deliver comprehensive security leadership. Serving on the committee ensures each member’s acknowledgement, understanding, and acceptance of the policy and the commitment that they can effectively implement the policy within their own departments. Most relevant, the active involvement of senior executives ensures that the ultimate responsibility for the program rests with them.

Steering committee members are in a unique position to appreciate the impact that emerging threats can have on all aspects of an organization. They can determine a response that is commensurate with the corporation’s tolerance for risk and, with confidence, advise the CEO and the board on the most prudent course of action.

Leading the Way

Decentralized policy enforcement is critical to the success of many corporate plans, as employees need to feel a sense of entrepreneurship and empowerment to successfully achieve their goals. But the specific policies that form the foundation of an organization typically require a linear top-down approach to ensure successful implementation.

Most employees understand the significance of enhanced security. If pressed, they would probably acknowledge that serious threats could exist almost anywhere, even within their own workplace. But acknowledging threats and personally acting to mitigate them are two different things, and doing both at once can be challenging. Newly established directives can command staff to perform certain functions, but human nature suggests that unless employees can bear witness to others actively complying with the rules—in particular, management—it is unlikely that the initiatives will be adhered to over the long term.

Organizations have a number of avenues to ensure that security is a fundamental component of every position in the corporation. At the top of every statement of work or job description, required security activities can be clearly outlined, ensuring that every employee understands and accepts what is expected of him or her upon joining the organization. EVPs should be training VPs, VPs should be training managers, managers should be training supervisors, and supervisors should be training direct reports—a chain that begins with the board—ensuring that expectations are created at every level and that there is no misconception as to what is expected. The tone can be established at the outset, beginning at the highest levels of an organization.

Continuous attention to IT security is crucial. Chapter 11, “Security Is a Living Process,” discusses the concept of a security wheel, which an organization can use to ensure that its policies are continually monitored, tested, improved, reengineered, and renewed.

Establishing a Secure Culture

The process of developing a secure environment seems relatively straightforward on the surface: The organization establishes a governing security council in the form of a security committee, policy workshops establish rules and procedures, equipment lays the physical foundation for a secure structure, and employees work diligently to implement all that was laid out before them. But the establishment of a secure culture requires select components that are fundamentally more comprehensive than those stated. Senior executives, along with members of the board, must infuse the program into each of the organization’s dealings by doing the following things:

• Securing the physical business

• Securing business relationships

• Securing the homeland

Securing the Physical Business

Enhanced security operates preventatively, minimizing potential distractions by proactively addressing potential vulnerabilities. Enhanced security can aid organizations in the following ways:

• Securing against attacks, whether intentional or inadvertent

• Protecting its revenue stream, from unnecessary downtime to outright loss of revenue

• Safekeeping proprietary and classified information, from trade secrets to databases

• Establishing an equipment implementation road map to address long-term security planning

• Ensuring that independent divisions and remote offices comply with corporate security directives, including the implementation of similar security policies and reporting structures

• Implementing content-managing programs, such as URL filtering, that can control Internet access and manage content flow on a corporate network

• Creating an overall Triple-I program, as follows:

– Initiate a comprehensive security policy program that focuses on continual renewal

– Implement the comprehensive security policy program systematically throughout the organization

– Instill in every executive, department leader, manager, and employee that he or she is an integral component of the security initiative

In essence, developing a structure that incorporates security into the business model can aid the firm in fully acknowledging its reliance on IT, compelling it to address the risks inherent in that reliance while ensuring that it acts in a manner that befits the firm’s tolerance for said risk.

Securing Business Relationships

Simply informing staff that precautions must be taken when performing everyday tasks is sometimes not enough. Many employees need to understand the implications of under-security, be it equipment or user related. Similarly, business partners must be aware that enhanced security is in place and, equally important, that security is implicit in all intercompany dealings.

This section explores the following topics:

• Engaging the workforce to better solidify security and build effective relationships

• Creating a sense of security

Engaging the Workforce to Better Solidify Security and Build Effective Relationships

An organization should engage its work force, both managers and individual employees, in fundamental discussions concerning the ever-increasing need for greater security. Depending on an organization’s end product, certain staff members might have the misguided impression that an organization could do no wrong in the eyes of its customers or, even if it did, customers had few or limited options.

The reality is that customers, clients, suppliers, partners, and associates typically have a multitude of sources and outlets. Should company A, for example, fail to implement appropriate cyber-security measures, those firms with which company A has business dealings can experience a heightened sense of vulnerability. Concern might stem from the premise that company A’s under-security could pose an unacceptable level of risk, or even potential breach of trust, for its partners. The resultant negative implications could necessitate the severing of ties, regardless of how close a business relationship might once have been.

Employees who recognize the role they can play in helping to better secure the organization every day can naturally help to convey a greater sense of security’s priority to an organization’s customers, partners, suppliers, and associates.

Creating a Sense of Security

If a company uses a DMZ server to accept purchase orders, as an example, its customers should be able to implicitly trust the organization’s ability to protect financial data, ordering information, or any other pertinent correspondence between buyer and seller. Customers understand, albeit only fleetingly, when DMZ servers are momentarily unavailable, but their empathy quickly dissipates when the waiting time to reconnect is too long or if they suspect that information they readily shared was compromised. Should the latter have occurred and a customer believes he can substantiate a case for possible negligence, under-security could pose a more serious threat. The issues of jurisprudence and negligence are more thoroughly explored in Chapter 11.

Organizations might initiate formal connections with other firms to efficiently feed a just-in-time production line, using supply-chain methodologies to move product to a line faster while reducing the amount of time raw goods must be maintained as work in progress (WIP). The need for greater efficiency drives most initiatives, but both sides of a partnership must have confidence that minimum acceptable security measures are in effect before trust, however fleeting it might be, is initiated.

Service level agreements (SLAs) can be used to ensure that certain minimum standards are formally in effect among customers, suppliers, and partners. Similarly, an Internet service provider (ISP) can demand that its customers maintain specific security levels before being allowed to connect, to ensure that the ISP and its other customers are not made unnecessarily vulnerable.

The weakest-link scenario is highly prevalent in this arena. Organizations choose to implement security measures that are relevant to their tolerance for risk, but without acknowledging the security practices of those partners and suppliers with whom they connect electronically, their substantial investment in security could be for naught. Business partners who choose to connect electronically with one another, through an extranet as an example, can inherit the other’s security posture. Either network is only as strong as the weakest link that exists on either side, because all system aspects, whether positive or negative, are potentially assumed whenever organizations join their systems.

Business transactions over the Internet continue to increase, and organizations have long since abandoned the practice of operating in the equivalent of hermetically sealed environments. Organizations that can swiftly recognize potential weaknesses in partners with whom they are actively engaged in trust relationships can ensure that security diligence is always at the fore, preventatively addressing potential issues long before they can become true vulnerabilities.

Securing the Homeland

The homeland has grown to become synonymous with the country, but at its core, the homeland encompasses every person, partner, customer, supplier, company, policy, program, practice, and even equipment with which an organization comes into contact.

This section explores the following topics:

• Incident reporting

• Equipment path

• Acknowledging vulnerable points

Incident Reporting

It is often thought that the advent of mass media has brought about an increase in the level of urban crime. But the reality is that in many instances, misdeeds were simply getting reported more regularly; the actual number of incidents was not necessarily on the rise. While publicizing events can have the effect of stirring other individuals into performing similar acts, more often than not, an increase in raw numbers is simply a representation of people coming forward with their own stories of woe after having read about similar cases in the media. What might appear to be an epidemic is merely silenced victims speaking up. The public justice system might take notice, and certain measures might be enacted to deal with the so-called epidemic. Had individuals not come forward with their personal accounts, an issue might never have been recognized as being so prevalent across a community.

This scenario is analogous to organizations that are contending with cyber-crime today. It is incumbent upon every organization that has been knowingly targeted or infiltrated to report any incident to state, local, and federal officials and to organizations such as CERT. In the CSI/FBI Computer Crime and Security Survey, April 2004, only 34% of respondents admitted reporting cyber-attacks to law enforcement officials. While the number could be significantly higher, it is up markedly from 1996, when the Computer Security Institute started tracking such information. However, the insistence of executive management and the board is required to ensure that these numbers continue to rise.

Debate and policy discussions are occurring in political legislatures around the globe, as politicians attempt to combat the effects of cyber-crime. But every incident needs to be reported so that the epidemic of cyber-crime, should it be an epidemic, is addressed in an effective legislative manner. Without specific knowledge of every incident, governments are at a disadvantage when attempting to fashion legislation that is both viable and relevant.

There is a natural reticence to report cyber-crimes. Companies fear that competitors will sense vulnerability and that customers will fear for their own safety. The reality is that most organizations are equally vulnerable in many respects, and the more that cyber-crimes are publicized, the better it will ultimately be for all corporate users. Should a breach occur, competitors and customers will likely discover the breach at some point anyway, possibly at a most inopportune time. Being forthcoming when it occurs ensures that the company is a good net citizen, or netizen. It also opens the door to the maxim “if you cannot hide it, then feature it”: with a certain ingenuity from the marketing department, the negative event could be spun into a long-term positive gain.

In the end, it is incumbent upon executive management and the board to ensure that cyber-crime perpetrated on their organization is effectively reported to appropriate state, local, and federal officials. Delivering that message to all senior managers can ensure that the board’s need for cyber-security transparency is always respected.

Equipment Path

Developing a greater security structure is not a one-time expenditure. Even if the potential for attacks were markedly reduced, annual updates and training would still be part of every systems administrator’s job function. But the world is continually in flux, and unforeseen cyber-issues could occur at any time. The challenge facing system administrators, and the equipment they are responsible for, is ensuring that both they and their equipment are appropriately optimized to deal with any new threats in an effective manner.

An equipment road map, coupled with an organization’s desired security posture, as presented in Chapter 4, “Putting It All Together: Threats and Security Equipment,” can aid a company in its goal to effectively and preventatively protect itself. Ongoing training of system administrators and their alternates, along with a scheduled program of maintenance, product upgrades, and a path to determine the need for new product implementation, can help to keep organizations proactively protected.

As long as threats continue to exist and the amount of business transactions over the Internet continues to increase, the need to continually revisit security initiatives, both equipment and personnel, remains a top priority for organizations. It is up to executive management and the board to ensure that critical awareness is at the forefront of every user’s agenda.

Acknowledging Vulnerable Points

Many have come to believe of late that organizations are becoming increasingly vulnerable to attacks from within their own operations, be they intentional or inadvertent. Organizations responded preventatively, ensuring that potential attackers who might have been residing comfortably within their walls were appropriately addressed. The release of the 2004 CSI/FBI survey[2] reveals that the gap between internal and external intrusions has narrowed and is now fairly evenly split. The UK-PWC survey 2004[3] reveals a marked difference, whereby 64% of large business respondents state that their worst breaches emanated from staff misuse of information systems. The differing experiences show that the issue is still quite fluid, and organizations would be well advised to remain on high alert against both internal and external potential vulnerabilities.

An organization can be well served by using independent security auditors to test and evaluate its security policy and practices. Similar to quality auditors, independent security analyses can check the aptness of internal policies and determine whether remote offices and organizational divisions are implementing the policies in a manner that is consistent with corporate expectation. It is important to note that security initiatives are similar to every other fundamental program in which a company might engage: Activities that must be carried out across an organization require executive and board involvement to ensure that they are effectively and consistently implemented.

Involving the Board

IT security is greater than the sum of its parts, having grown from a tool that proactively protects an organization to a process that involves risk management and corporate accountability. In light of rising levels of disruptive and misanthropic cyber-activity, executive management, along with members of the board, must become actively involved in the governance aspect of this most fundamental of investments.

This section considers the following topics:

• Examining the need for executive involvement

• Elements requiring executive participation

Examining the Need for Executive Involvement

The well-regarded CSI/FBI annual survey draws respondents from a wide cross section of industry and government in an attempt to bring awareness and a sense of urgency to IT and business executives.

The 2004 survey confirms that IT security–related issues are still highly prevalent—90% of respondents experienced breaches the preceding year. Nearly two-thirds of those 90% suffered greater than two attacks, and more than half of those respondents experienced in excess of ten breaches each. Financial losses stemming from the attacks were experienced by 80% of respondents, at an average cost of nearly $2 million per company.

The ground that is used in the formation of sound business arguments for enhanced security has shifted. No longer is the focus solely on what is technically possible and economically optimal. The discussion is now centered on less quantifiable components that include trust relationships, competitive advantage, and the hazards inherent in system unreliability, to mention a few. ROI modeling must still be performed to ensure that alarmism does not constitute the foundation of security business proposals. But the fear looms ever large, as reported judiciously in newspapers around the globe, that a lack of comprehensive security could spell untold disaster for organizations. While business reality is typically far removed from alarmism, the ever-present news coverage illustrates the cyber-security issues that are at play in the media today; it can be a challenge not to overreact—or underreact.

Organizations need to take a wider view of security. They need to fundamentally determine the level of risk they can tolerate and then make security infrastructure investments accordingly. Apportioning a percentage of the overall IT budget to security is no longer a viable option. While that process can be effective in determining the amount an organization might be willing to invest, it does not necessarily ensure the level of security a company might require.

Establishing a secure IT infrastructure requires technical and business executives to evaluate and quantify an organization’s critical assets, ascertain the risks to them now and in the future, and ultimately develop a security strategy that is consistent with the organization’s business requirements.

Consistent, reliable, and uninterrupted business operability is the root of the discussion. The process of ensuring that an organization is able to concentrate on its core business without suffering undue distractions at best, or critical loss of intangibles at worst, suggests strongly that an organization’s executive management must be actively engaged in determining the complete business case for network security.

Elements Requiring Executive Participation

Public companies are required to comply with stringent rules governing regulatory financial filings, making it incumbent upon organizations to ensure the verity of their financial statements. The sanctity of the data behind each entry on a financial statement must be above reproach. Certain ramifications of the Sarbanes-Oxley Act of 2002 (also known as The Public Company Accounting Reform and Investor Protection Act of 2002), including Section 404, the Management Assessment of Internal Controls, and relevant pieces of other legislation are explored in the jurisprudence section of Chapter 11.

It is important to note that legislation in and of itself does not alter an organization’s tolerance for risk. But various laws can encourage discussion across a wider range of concerns, including, but not limited to, the following items:

• Ensuring regulatory adherence, including the sanctity of financial reporting

• Addressing specific corporate and national homeland security concerns

• Bolstering business relationships with both customers and suppliers

• Using security to enhance corporate standing by addressing the following issues:

– Trust

– Reliability

– Perceived or potential vulnerability

Executive management can actively address governance concerns in a number of possible ways, including the following:

• Establishing the fundamentals of internal security policy, which are addressed in Chapter 5, “Policy, Personnel, and Equipment as Security Enablers,” and Chapter 10, “Essential Elements of Security Policy Development,” to ensure that policy is aligned with required expectations.

• Continually checking the pulse of the security program, as follows:

– Use third-party audits to assess a program’s continued relevance.

– Ensure that issues or recommendations reported by security auditors are appropriately handled.

– Determine whether current vulnerabilities are sufficiently recognized.

– Determine whether the program is set to proactively address unforeseen issues.

– Ensure that the company reviews its security posture against industry peers and best in class.

– Mandate that any organization with which the company elects to establish formal IT connections meets a minimum level of security before any information is transmitted.

– Ensure that the board can reasonably state that the organization is effectively and proactively protected.

Possible ramifications from a security breach can be many. Various interest groups have been formed to address the escalating concerns, one of which is the corporate governance task force of the National Cyber Security Partnership (NCSP), composed of executives culled from industry and government. The task force developed a program that businesses could use to effectively integrate IT security into their corporate governance processes. A series of recommendations was published in 2004 that, if implemented, would establish a standard for IT security across domestic organizations. The task force’s strongest recommendation, based on the potential negative ramifications of insufficient security, is to bring the discussion of IT security to the board. It would allow directors and executive management to realistically measure their organization’s tolerance for risk while correspondingly weighing the need for sustainable corporate and geographical homeland security.

Summary

This book addresses IT security investments from a business management perspective. Upcoming chapters enable the IT manager to build a business case, giving him or her the tools to elicit support across an organization and an ROI model to effectively quantify the investment’s required return. While that is fundamentally necessary, it is equally vital that IT security be viewed as an executive management and board-level corporate initiative with far-reaching homeland security implications.

This chapter explored the following topics:

• The role of security as a governance issue

• The need to direct security initiatives

• The process of establishing a secure culture

• The need for active board involvement

End Notes

1. From the Department of Homeland Security website. Remarks by Secretary Tom Ridge at the National Cyber Security Summit. December 3, 2003. Released from the office of the press secretary. http://www.dhs.gov/dhspublic/display?theme=44&content=3059.

2. “CSI/FBI Computer Crime and Security Survey 2004.” Computer Security Institute and Federal Bureau of Investigation (CSI/FBI). http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf.

3. “Information Security Breaches Survey 2004, Executive Summary.” PricewaterhouseCoopers UK, Department of Trade and Industry UK. April 2004. http://www.pwc.com/images/gx/eng/about/svcs/grms/2004Exec_Summ.pdf.
