Protega Blog

Why Executives need to be much more, 'muchier!'

Natasha G - Thursday, August 20, 2015
In the following blog post, Protega's James Wootton discusses his views on who is really to blame for today's ever prevalent security breaches in our cyber world. With a novel take on this serious discussion, are executives truly at fault? Off with their heads!!



Why Executives need to be much ‘muchier’


“Off with their heads!”

If the Queen of Hearts became the arbiter of all cyber security failings, would we be in a poorer state than we are now? At least there would be decisive action, albeit potentially fatal, and one people would be likely to heed! But in all seriousness, are we at the stage where some form of appointed body should investigate this perilous business? Maybe it is time for individuals to be held accountable, rather than permitting farcical public resignations of senior executives to mitigate the bad news, focusing the blame elsewhere. After the initial shock of the exposed systemic failures and the organisation’s attempts to ‘come clean’ regarding the sheer quantum of the data loss, who should be held accountable? The CSO? The CEO? The entire board? Opinions differ, but all have been cited as probable candidates.

With executives such as the US Director of OPM falling somewhat messily on the mighty sword of public opinion, what is it that creates the huge disconnect between business leaders and their senior security officers, particularly where CIOs and CISOs play a prominent part? Why are the executives of numerous organisations getting it so terribly wrong? Is it really down to them, or are we, the security community at large, playing a major role? I suspect the answer will be a sizeable chunk of each.

“I wish I hadn't cried so much!” said Alice, as she swam about, trying to find her way out.

“I shall be punished for it now, I suppose, by being drowned in my own tears!”

Don’t get me wrong, the head of OPM deserved to go. However, in my opinion, the arrogance of knowing the security failings of her enterprise and not bothering to raise the flag, combined with the pure ignorance of consciously not understanding the level of risk attributed to her organisation’s computer systems, ultimately led to her demise. A business leader doesn’t need to delve into the nitty gritty, but the level of operational risk attributed to their ICT should not be ignored.

“But I don’t want to go among mad people,” Alice remarked.

“Oh, you can’t help that,” said the Cat: “we’re all mad here. I’m mad. You’re mad.”

“How do you know I’m mad?” said Alice.

“You must be,” said the Cat, “or you wouldn’t have come here.”

Who within the security community believes that an individual who possesses, at best, a macro view of their organisation could solely be to blame for such a detrimental loss? I’m relatively convinced that in many of the breaches there are senior IT and security managers making odorous squeaks whilst mopping their brows and thinking, “close call!” Of course, not all seniors got away with it; ask the CIO of Target.

“Speak English!” said the Eaglet. “I don't know the meaning of half those long words, and I don't believe you do either!”

Whether we like it or not, we in the security profession need to understand why the message is misunderstood or ignored, and shoulder some of the responsibility. Critical analysis is needed across the many major breaches. That way, lessons will be learnt, or at least common mistakes and misconceptions will be highlighted. Is it only the risk managers who truly understand the information they compile for the executives? Perhaps this assessment should be translated into a simpler “layman’s” version:

“Dear CEO, if you don’t sort out this big basket of ICT vulnerabilities, which will cost $xxk, we will be right, royally f@#$%d to the tune of $xxxM. On the plus side, you’ll not have to worry about it though, you’ll be looking for a new job!”

“Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”

I’ve been around a few blocks, hit by a few blocks and indeed built things with a few blocks, but I understand that in this ever moving, ever evolving world of ours, it takes an awful lot of time, resource and money to manage an enterprise’s risk profile, with ICT risks being one of many juggled at board level. But I’ll bet that, as far as risks go, there aren’t many that are quite as ‘juicy’ and as open to both public and media scrutiny.

One day Alice came to a fork in the road and saw a Cheshire cat in a tree.

“Which road do I take?” she asked.

“Where do you want to go?” was his response.

“I don’t know,” Alice answered.

“Then,” said the cat, “it doesn’t matter.”

I believe that many organisations are at a crossroads. One way leads to the recognition of your threats and vulnerabilities, allowing time for an informed decision based upon realistic strategies. The other direction, however, caters to those willing to travel the path of blissful ignorance, leading to the mire of public condemnation. Whether the path is chosen consciously or not, I offer these words:


“Turn back, it’s not too late!”


Fancy reading some more articles like above? Check out Protega's LinkedIn Page!