Do CEOs Get Information Security Risk?

Is information security risk well understood in the board-room? Despite a plethora of high-profile information security breaches, a large number of organisations’ management teams still have a poor grasp of their own susceptibility to a similar fate, according to leading security industry analysts.

Many businesses will have appropriate security solutions in place in the most important areas, and can point to anti-malware, network firewalls, email security, access management, security intelligence, and a range of other tactical controls designed to mitigate against the risk of attack. These measures are normally technology point solutions, instigated by the IT department.

It is, however, common to find that there is a lack of information security risk planning, particularly in respect of how to react when security events occur. Moreover, it is arguable that the majority of security breaches are due to failure of policy and process, rather than of technology, and many organisations need to take a complete, business-focused view of their security planning and response.

It is enlightening to compare the ways in which most companies treat financial and information resources. The CFO has significant responsibility to implement the checks and controls that will ensure financial resources are monitored and accounted for to the very last penny. This culture is embedded and second nature to all employees. Everybody knows that accurate billing must take place that expenses must be accounted for, and the associated procedures are followed to the letter. In contrast there is often nobody with a clear mandate at a senior level to manage and safeguard information, and it is not uncommon to find there are few controls in place that monitor information in any way that echoes the financial processes. The security measures attempt to build defences, but they often don’t track what happens to the information assets that hide behind them. Essentially locking the cash box without checking how much is in there.

To combat the imbalance, CEOs and executive boards need to ensure that information security is consistently on the agenda. There needs to be clear direction at a senior level to assess security risk, report security status, and respond to security incidents. A senior-management-driven cultural change is required to emphasise the value of information assets and the processes in place to protect them, as well as the awareness of these controls by all employees and stakeholders.