Several CIOSE members asked us to initiate a discussion on the valuation of computer security. In essence: how does general management assess the real threat in terms of sources and risks of occurrence? What is the "expected cost" of an occurrence? And finally, how much new money do these executives think enterprises should spend on additional prevention and/or remediation measures? As background for our group discussion, we prepared this short position paper.
To start, we considered network threats in three contexts: denial of service, malicious destruction of files and theft of tangible (primarily cash) or intangible assets.
We then conducted interviews with CFOs, CIOs, a chief auditor and a CEO. The business sectors spanned include aerospace, banking, consumer products, insurance and pharmaceuticals. Snapshots of those discussions follow. Many thanks to our CIOSE colleagues, and their patient associates, for the extensive time and valuable insights they provided to these scribblers.
Every respondent opened his remarks by stating that the threats are enormous and the risks are unknown - until we'd worked through their various scenarios and analyses. Happily, most differences of opinion could be attributed to industry-specific conditions, rather than job titles, showing good alignment between the CEO, CFO and the CIOs on this topic.
Aerospace CIO: Theft of intellectual capital poses the largest real risk.
A small number of very sophisticated hackers, many from overseas, are extremely active and have repeatedly been detected trying to penetrate company defenses. Occasionally, they are successful - leaving behind only the tools to facilitate another entry. All that can be done is to analyze the entry through sophisticated forensics; then close the holes to prevent reuse.
Denial of service could be serious, and being a prime corporate target for various worms and viruses is an annoying and frequent distraction. “But these types of penetrations are quickly isolated, so we are not left in a state of perpetual fear.” (They are a costly and time-consuming staff burden, however.) And a publicized incident would be embarrassing and conceivably cloud the corporate reputation.
Bank CIO: Denial of service is the paramount threat but its expected cost varies sharply by line of business.
For a global bank with instantaneous foreign exchange trading, extensive clearing operations and an image of invulnerability to protect, denial of service could theoretically jeopardize the institution. By contrast, malicious file destruction incidents are relatively minor, initiated by insiders, and quickly corrected through routine back-up procedures. The theft of tangible assets (presumably cash) by outsiders hasn’t happened “insofar as we know.” And any major defalcation would surely be caught by routine controls. A critical theft of intellectual capital is hard to foresee. “After all, highly vaunted experts with detailed knowledge of blockbuster trading models and other intellectual assets routinely leave one financial institution for another without much consequence.” (Even the cleverest trading models are obsolete in three months, apparently.)
Denial of service is treated through two different but complementary approaches. Information Risk Management is defensive: it covers security protections, threat monitoring, and prudent business practices (like first vetting all PCs which vendors want to connect to the bank’s network - even for a demo). Business Continuity is reactive: it focuses on recovery from any type of attack or calamity, whether it’s a network penetration, terrorist incident, major power blackout or natural disaster.
"Worms and viruses are troublesome but unlikely to cause outages long enough to be disastrous. (Unnecessary concentrations of staff or other resources are a more obvious and likely risk, and a much larger focus.) The only extended outages we’ve experienced were a consequence of September 11 and the East coast blackout. Until September 11, senior management couldn’t even have convened a thoughtful and cogent discussion focused on catastrophic threat."
Business continuity draws relentless attention from both the regulators and the institution’s own management. But each line of business poses a different level of risk based on the size of assets, velocity of activities and potential damage to the bank’s reputation. In this context, the greatest exposures are at the foreign exchange and government securities trading desks and in the clearance functions. The lowest risk is in retail banking. Thus, the bank could lose a segment of its ATM installations, one call center, or access to home or automobile loan files for 72 hours without serious impact.
The CIO meets four times annually with the audit committee. Nominally, the agenda item is computer security, although at least two of the meetings actually deal with overall business continuity. Although management is surely knowledgeable about the threats, requests for new technical security initiatives invariably raise the question "what protection will this add that you are not currently providing?"
Consumer Products, Chief Auditor: Management is currently uninterested in IT generally.
"Expecting senior management to pay any attention to cyber threats is a lost cause," he opines. "The complete lack of interest results from a juxtaposition of events, including a massive hangover from the busted e-commerce bubble and indigestion over our huge and possibly questionable Y2K expenditures. Meanwhile, time-dependent issues like Sarbanes-Oxley 404 and the increased financial oversight triggered by the Enron et al. frauds compete for top management attention. So corporate governance and accounting processes get all the focus. Doubtless, the business scandals were primarily due to flawed management cultures, but they certainly deflect attention from less immediate concerns like IT security."
Senior management may be right, since the chief auditor doubts that any of our three security threat categories poses a serious viability risk to a large, global enterprise. He cannot recall any major computer security failure either inside his company or in the broader business community. Denial of service attacks from worms or viruses have caused only momentary problems, so why be jittery? Worst case, the company’s infrastructure of three large 24/7 data centers would allow the entire U.S. network to be backed up from Singapore. Asset theft through the network couldn't be sizeable enough to threaten the company, given ongoing audit controls. More importantly, theft risk is hardly limited to lapses in network security. To the contrary, there are always several ongoing attempts at fraud in any large company by security-cleared insiders. And inevitably a few won’t be detected.
Curiously, the increasing pervasiveness of IT systems in recent years has actually reduced executive angst about technical security. ("Savvy executives casually give their passwords to contractors...") "I've attended all the Finance VP meetings for the past five years, as does the CIO, but can't remember ever hearing computer security cited as a high priority. I no longer raise the topic in Executive Committee sessions because it only brings yawns."
"The conduct of business is always a realistic tradeoff between risk and resources," he summarizes. Absent any evidence that computer security risk is higher than already anticipated, why dedicate more resources or attention to protection? Without tangible proof that the current state of computer security is insufficient, management won't approve major requisitions for more spending. Any increase in security protection will therefore have to come from more intensive and effective utilization of the previously purchased tools.