Every parent who has taken a lengthy trip with children is familiar with the question "Are we there yet?" As a child, you probably asked the question when the length of the journey exceeded your interest in making it.
Today, many firms have a similar impatience with their information security -- or "infosec" -- strategy. A major source of CIO frustration is the lack of a clear end point for infosec. "Security practice is completely up for grabs in terms of definition, available software, process, reasonable cost and executive appetite to adopt," says a former telecom firm CIO who now serves as a midsized-company consultant. "Everyone I talk to is unclear [about] what will be required as part of enterprise risk assessment."
We contacted 135 companies (62 large and 73 midsized firms). The consensus among respondents is that security challenges create serious company misalignment. Firms exhibit various disconnects between infosec strategy and the enterprise, particularly the following:
- the security strategy and the enterprise strategy;
- the security strategy and the implemented program;
- security technologists and the enterprise as a whole;
- basic security literacy and senior executives;
- true spending on security and optimal spending; and
- the practice of security and day-to-day operations.
Security Strategy: In Flux
In Strategy and Structure, Alfred Chandler writes that strategy comprises three elements: identifying long-term objectives, adopting a course of action and allocating the resources necessary to carry out these goals. If strategy is a three-part exercise, the first step is determining the desired future state. The next step is to create a plan for achieving that state. The third step is execution.
We asked whether responding firms have a security strategy (see Figure 1). Surprisingly, 30% of midmarket respondents and 10% of large-firm executives say they don't. Of course, if a news crew were to ambush these executives and ask the same question, they would likely respond differently. I believe these responses are actually based on a lack of confidence in companies' security strategies, most of which are not linked to business strategies. Because information security is often an afterthought, respondents express dissatisfaction with the security strategy-making process.
One consultant actively engaged with CIOs in security characterizes security planning as haphazard. "[The CIOs I talk to] would likely consider what they have as a security strategy. I would not," he says. "I asked a Fortune 50 CIO -- with his CSO right there -- 'How do you establish effective information security governance?' The answer: 'We have antivirus and some firewalls.'" He also gives most companies poor marks on all three steps of their security strategy.
The now-retired head architect at a Fortune 500 industrial products company is incensed by the state of security at his former company. Many business executives, he says, equate security strategy merely with products to buy.
As the former head of security at a research firm notes, "For 10 years, we have been screaming [that] security is not a property of a product; it is a property of an environment. Governance is about business processes with integrated audit so executives are confident that their information security program is working." Yet most security strategies neglect to link their activities with the audit function. As a result, security strategy amounts to a mere to-do list rather than a dashboard indicating what's been done.
Respondents also lack confidence that existing security strategies are up to the job (see Figure 2). Further, the majority of respondents believe that the security situation is too dynamic to be stable (75% of large-firm and 100% of midmarket-firm respondents). This is consistent with previous Habitat research [see "An Unpalatable Choice: Profitability or Security," September 2005 issue]. In the face of constant change, one must constantly readjust, an unsettling prospect for many executive teams. Locked into their project mind-set, most executives are unprepared to view security as a negative annuity.
Dick Hebdige terms a shifting balance of power from predominant classes to subcultures as a "moving equilibrium." In the infosec realm, security professionals are a subculture of the technology community, itself a subculture of the business world, which is itself a subculture of society. One example of infosec's moving equilibrium is the way more companies are shifting their focus to prevent breaches rather than simply reacting to their aftermath (see Figure 3).
Resetting the Thermostat
If your house gets too cold, the thermostat turns on the heat. Similarly, if your security risk increases, you intensify your activities. Our research indicates that most firms use the thermostat not as part of a larger strategy but as a joystick in the wild game of protecting information assets.
A nonprofit's CEO who previously ran the security practice at a consultancy says that most firms can't keep their fingers off the dial. "Companies are either freezing cold or too hot security-wise. There is no in-between." The CIO at a midmarket auto parts reseller complains that his security thermostat is either "on or off" but "never really at a comfortable temperature." And a university CISO adds that he doesn't view the thermostat as an unchanging set of controls. "There really is no single thermostat, as needs vary greatly from project to project," he says.
Similarly, the individual managing information security as a shared service at a global technology vendor says, "We always seem to be doing a 'manual reset' in the sense of responding to incidents. We adjust the thermostat as we improve the strategy and ... as new tools become available."
The CSO at a regional utility manages his thermostat with an eye toward the total picture. "Our thermostat detects 'deltas' between where we need to be and where we are and triggers corrective action." And the CISO at a health care provider explains, "Our security thermostat operates [based] on (1) regulatory and legal matters, (2) empirical evidence, and (3) the hot issue of the day."
When asked whether it was time to change how we look at security and whether respondents' firms were examining security from a new perspective (see Figures 4 and 5), most respondents agree that security needs rethinking. And many surveyed firms have allocated resources to rethink infosec.
As the head strategist at a security services firm says, "Over time information security will evolve into two separate disciplines. First, security technical problems will become understood as an aspect of code quality. Once organizations understand the benefit of sound development practices, things will improve. ... The other kind of security problems concern human nature. More effective awareness and training will resolve things. So security turns into a technical set of issues on the one hand and a policy on the other."
The CIO at an entertainment firm concurs that he hasn't seen anything fundamentally new. "A lot of emphasis [is] on making people aware of human engineering. [That] might be the newest thing." The CEO at a West Coast staffing firm serving midmarket clients articulates a common sentiment. "As long as we follow acceptable practices in security, we are safe," he says. Perhaps safe from blame, but not necessarily from attack.
The head of operations at an international relief organization sheds light on the realpolitik of information security. "There are decision makers who are averse to following [the good advice they receive] because it has high impact and cost. Or [they] ignore the advice, preferring vendor sales pitch solutions that sound sexier -- even though they can't deliver, etc. They appeal to a human inclination to [find] the easy, magic bullet."
Beyond Barriers and Bottlenecks
Why is information security so difficult? Respondents' list of reasons is long. In order of importance, respondents cite these barriers to securing information within their organizations:
- a lack of knowledge;
- difficulty securing adequate funding levels;
- the increasing sophistication of cybercriminals;
- the declining population of security specialists;
- the vagueness of current law;
- poor application development practices;
- a lack of good data and metrics; and
- vendors who oversell products, then under-deliver.
Most respondents say that it's difficult to get security initiatives funded unless an incident has just taken place. And even informed respondents experience difficulty securing funding, attributing it to the greatest bottleneck of all: business executives' technical illiteracy.
The practice manager at a consultancy is shocked by senior executives' lack of security knowledge. "Business-unit heads will allow their employees to use mobile devices -- BlackBerrys, etc. -- indiscriminately without understanding the security threat they represent," he says.
One of the great unanswered questions is, "How much do executives (or other employees) need to know about the technology infrastructure that supports their day-to-day existence?" And equally important, "Do technologists know what business decision makers know and don't know?"
According to Frederick Terman's steeples of excellence strategy, educational institutions should focus their resources on a few academic departments that can rise to the top. Similarly, companies should build steeples of excellence by identifying which assets absolutely must be protected and by filling in executives' potholes of infosec ignorance.
"The mind of our country is moving with the speed of a telegraph, [but] our great institutions are stage-coaching behind," observes one respondent. In our increasingly digitized world, everyone needs a more granular appreciation of technology's underpinnings. Security is not homogeneous. Even secure organizations say that not all aspects of their enterprises are secure. On a scale of 1 to 10, they may rank servers a 9, desktops an 8, and executives' laptops only a 5 ("Password length and complexity is just not an easy sell for these folks," says one respondent).
The most powerful lever available to those seeking security is senior management buy-in. How to achieve that varies by company, however; in some, fear and the threat of regulatory action may be the only way to change executives' behavior. In others, it may be necessary only to articulate practical realities. What everyone shares is the realization that we aren't there -- yet.
SURVEY METHODOLOGY: Researchers contacted 135 companies (62 large firms, 73 midmarket firms) in 17 vertical markets: banking, construction, consumer electronics, education, entertainment, fashion, food, government, insurance, manufacturing, pharmaceutical, philanthropic, publishing, retail, services, technology and telecom. Researchers followed up with some respondents by email.
Thornton May is a respected futurist, adviser and educator whose insights on IT strategy have appeared in Harvard Business Review, The Wall Street Journal, BusinessWeek and numerous computer industry publications. To comment on this story, email firstname.lastname@example.org.