The recent resignation of Pedro Cadenas Jr., the chief information security officer (CISO) and acting CIO at the U.S. Department of Veterans Affairs, is just the latest example of an IT exec taking the fall for security snafus that may have more to do with institutional dysfunction than a CIO's negligence.
According to reports, Cadenas and his predecessor and former boss, Robert McFarland, faced an uphill battle to overhaul the agency's IT infrastructure and centralize authority. McFarland resigned in frustration over the agency's inability to move forward just weeks before the May breach, when the personal data of 26 million veterans and more than 2 million service members was stolen from the home of a VA employee who left it sitting unsecured on his laptop. Although the laptop was later found with the data fully intact, the incident exposed a string of other security breaches within the agency.
Experts say the CIO is often the first executive to be called to task for any IT security violation, despite the fact that problems with security generally involve a number of departments.
"They think, 'Data loss.' They think, 'Computers. Must be the CIO,'" said Jack Phillips, managing director of the Institute for Applied Network Security, a membership association for security professionals in Boston. "If there's only one senior technical person, there's only one guy to shoot at."
The problem for many companies, not just the VA, is that executives don't know who to blame because they haven't assigned responsibility for risk.
When they experience their first data breach, their reaction is to blame someone. "It's because they've never run the fire drill all the way through," Phillips said. "They've thought about DR plans and how to react to breaches, but they've never taken it to that next level of what the final few actions would be. They never say 'OK, who are we going to fire over this?'
"We see a pattern of extremes," Phillips added. "Companies are grossly undersecuring their data, and when an incident happens, they're equally extreme in firing someone."
Empowering the CIO
Companies that are on top of security information typically have given the CIO the authority and visibility to make the organization-wide decisions necessary to protect against IT security breaches, said Khalid Kark, a security analyst at Forrester Research Inc. in Cambridge, Mass.
"If you empower the CIO, and something goes wrong, then you are right to blame the CIO," Kark said.
But a CIO with responsibility for security policy but no clout to enforce it should not lose his job, Kark said. "Then the CIOs are scapegoats. And I'd say we are seeing more of the latter in the industry right now than the former."
Joyce Young is vice president and CIO at La Grange, Ill.-based Electro-Motive Diesel Inc., the world's largest builder of diesel locomotives. She has no doubt whose head would roll in the event of a major security problem.
Young has found that persuading management to assume responsibility for a security policy is easier preached than done. She recalls an email security strategy she tried to sell to management at her former company. Using color-coded alerts of red, yellow and green, it stipulated that sensitive, or red, material was basically off limits for emailing. Yellow-level materials came with several cautions and green email was free to go.
Her system came in the wake of a virus that sped through the company during Young's first week on the job.
"Fortunately they didn't blame me," she said of the virus, and she quickly reinforced the security infrastructure. But a comprehensive policy for outgoing email never materialized. "Nobody would go for that idea," she said, largely because of cultural issues.
Indeed, many organizations can't get out of their own way to give the CIO control and authority over security, Kark said, as doing so takes time and money and involves huge cultural changes.
In fact, the House Committee on Veterans' Affairs now admits that it was the lack of CIO and CISO authority that contributed to the theft of that employee laptop in May. A directive from VA Secretary James Nicholson issued June 28 gives additional powers to the VA's CIO -- essentially giving the CIO complete responsibility and authority for establishing system access standards.
And efforts to elevate the CIO position to the undersecretary level are currently in debate on Capitol Hill.
Cover your assets
Yet one fly in the ointment in the effort to empower CIOs is that many are not willing to take up that role and responsibility. "A lot of CIOs, to be honest, don't want this huge responsibility," Kark said. "The fact is, you can do 100 things right [in security] and if you miss one, that could potentially lead to a breach. It's almost a lose-lose proposition for a CIO to take this role."
Which gets to the heart of the issue, Kark said. "Nobody really wants to take responsibility, and the reason is that one, they don't have the visibility to make changes across the organization, and two, it is a hard problem to inherit."
More CIOs are being made scapegoats, he says, both "because it is hard for CIOs to be the front and center of these organization issues, and because CIOs really deal with technology issues, not with people and processes."
Experts recommend that companies build a security team that is headed by a CIO but includes representatives from the legal, audit and finance offices.
And if a company doesn't want a broad-based security team? "If I were a CIO who was assigned ownership for security, I would make sure there was a paper trail all the way back to the board," Phillips said. "Then the reason you have security breaches is because management, not you, has decided to accept a certain level of risk."