Top Five Mistakes CIOs Often Make

Wednesday, November 10, 2010

Danny Lieberman


A metaphor I like to use with clients compares security vulnerabilities with seismic fault lines: As long as the earth doesn’t move – you’re safe, but once things start moving sideways – you can drop into a big hole.

Most security vulnerabilities reside in the cracks of systems and organizational integration and during an M&A, those fault lines can turn your local security potholes into the Grand Canyon.

In this post I want to talk about 5 mistakes CIOs make:

1. Rely on Fixed Controls

Any information security professional will tell you that security countermeasures are comprised of people, processes and technology. The only problem is that good security depends on stable people, processes and technology.

A stable organization undergoing rapid and violent change is an oxymoron.

Imagine your company has ISO 27001 certification, but the stock drops by 90% because of an options back-dating scandal at the top and the company fires 900 employees. All of a sudden, the fixed controls are not as effective as you thought they were. Think about the Maginot Line in WWII.

2. Train for Security Awareness

Security awareness training is probably a hopeless waste of resources considering the increasing number of options that people have (Facebook, smartphones, etc.) to do stuff that causes damage to the business. Security awareness will lose every time it comes up against an iPad or Facebook.

People countermeasures should be a mix of common sense, background checks (at a depth proportional to job exposure to sensitive assets), and deterrence. Andy Grove once said “Despite modern management theory regarding openness – a little fear in the workplace is not a bad thing”.

When a lot of employees are RIF’d, there is a lot of anger and there are people who no longer identify with their employer; the security awareness training vaporizes and fear and revenge take over.

Some of the security people will be the first to go, replaced by contractors who may not care one way or the other or worse – be tempted by opportunities offered by the chaos.

Why is common sense a good alternative to awareness training? Common sense is easy to understand and enforce if you keep it down to 4 or 5 rules: maintain strong passwords, don’t visit porn sites, don’t blog about the business, don’t insert a disk-on-key from anyone, and guard your notebook computer like you guard your cash.

3. Manage GRC Processes (while the hackers are attacking your software)

It’s a given that business processes need to be implemented in a way that ensures confidentiality, integrity and availability of customer data.

A simplistic example is a process that allows a customer service representative to read off a full credit card number to a customer. That’s a vulnerability that can be exploited by an attacker.

But that’s a trivial example. While you’re busy managing processes and using security theater code words, the attackers are attacking your software and stealing your data.

4. Rely on Defense in Depth (instead of questioning your defenses)

Technology countermeasures are not a panacea – and periodically you have to step back and take a look at your security portfolio both from a cost and effectiveness perspective.

You probably rely on a defense in depth strategy but end up with multiple, sometimes competing and often ineffective tools at different layers: workstation, servers and network perimeter.

Although defense in depth is a sound strategy, here are some of the fault lines that may develop over time:

  • One – most defense in depth information security is focused on external threats, while in an organization undergoing rapid change the problem is internal vulnerabilities.
  • Two – defense in depth means increased complexity, which can result in more bugs, more configuration faults and … less security instead of more security.
  • Three – when the security and executive staff is cut, security monitoring and surveillance suffer, since there are fewer (or no) eyeballs looking at the logs and security incident monitoring systems. With fewer eyeballs looking at events, you may have a data breach and only know about it 3 months later. Are you still sure defense in depth was protecting you?

5. Align with the Business (instead of investing in competence)

Business alignment is one of those soft-skill activities that keep people in meetings instead of mitigating system vulnerabilities, which requires hard professional skills and high levels of professional security competence.

It’s a fact of life that problem solvers hate meetings, and rightly so. You should invest in competence and go light on the business alignment, since it will never stop the next data breach.

Claudiu Popa, president and chief security officer of data security vendor Informatica Corp., told Robert Westervelt in an interview on the subject:

…once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.

This is nonsense. Security is a cost, and it rarely contributes to the efficiency of a business (unless the business can leverage information security as part of its marketing messages). As for an organization firing 30% of its workforce overnight, words like maturity, credibility and efficiency go out the door with the employees.

At that point, highly competent and experienced security professionals who are thinking clearly and calmly are your best security countermeasure.

Cross-posted from Israeli Software

Robb Reck Danny, I hope you don't mind some good natured debate on a few of these points. I feel the need to disagree on a few issues.

In point 2 you state that, "Security awareness training is probably a hopeless waste of resources..." then later in the same point say that people should go with "Common sense" rules that are exactly the kinds of things that we make central in our security awareness programs. How do you plan to get those "common sense" points out to the population? Unless you simply assume they all have the same ideas of "common sense" as leadership, it's going to involve some kind of security awareness campaign, whether a classroom training, CBTs, posters, or anything else.

I am not sure what you are suggesting in item 3. Clearly software and processes need to be evaluated and a determination made whether they are secure. But GRC processes should be a part of that, helping dictate when and how software and processes are evaluated.

In point 5 you state that it's "nonsense" that security would make an organization more efficient and cost effective. But if security did not make organizations more efficient security simply would not be used. The whole reason a for-profit company exists is to make money, they do not add departments just to drain money.

A good way to look at this is to think of what would happen if security didn't exist. Presumably, without an infosec team, there would be significantly more breaches. Those breaches would cost the organization money in repair costs, regulatory fees, reputational hits, etc. If a company doesn't believe security saves money in the long run, quite simply, they should not implement security. Business is about cost/benefit.

Danny Lieberman Robb

Debate is the spice of life.

Point 2 - Basically what I'm saying is that investing in formal security awareness training and all kinds of fancy booklets and cards for employees is a waste of time and money. For me common sense means that the CEO says "here are my 4 rules" and tells his staff to abide by them, who tell their direct reports to abide by them until it trickles down to the people at the front desk.

Point 3 - If you take a look at the big enterprise GRC systems from companies like Oracle - you see an overwhelming weight placed on MANAGING THE GRC PROCESSES - document management and signature loops for ISO certification, SOX audits etc. I suppose this makes someone happy but it has nothing to do with making secure software. In my world - most hackers attack the software not the GRC and audit compliance processes. In other words - managing documents for GRC compliance is a non-value add for security.

Point 5 - I beg to differ. Have you ever asked yourself why security is so hard to sell? A. It's complex and it's hard to sell stuff people don't understand. B. Security is about mitigating risk, not about making the business more effective. It's a curious fact of people - formalized in prospect theory - that people (including managers who buy security) are risk hungry and profit-averse. In other words - a CxO would rather take the risk of a data loss than invest in DLP technology that he will never be able to grasp anyhow. Managers are not stupid - they know what needs to be done to make more money or survive in a downturn. If it's making payroll or getting a machine that makes widgets faster for less money - you can be sure the CEO will sign off on making payroll and buying the machine before she invests in that important DLP system.

I hope this addresses your last point also. Since almost no companies actually maintain security metrics and cost of their assets and security portfolio in order to track Value at Risk versus security portfolio over time - your hypothesis cannot be proven. Indeed - the converse is true - judging by the behavior of most companies - they do not believe that security saves them money.

So what is security? It's like brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature not a function that improves miles per gallon. Continuing the analogy - it's clear that a driver who has a lighter foot on the brakes will get better mileage.

Robb Reck Excellent responses Danny. My counters...

#2. If there's nothing more than just the top level people telling their staff, and expecting it to trickle down, then it will never really trickle down. There needs to be some kind of accountability that people really are being told what security expectations for the company are. That said, the absolute BEST way to implement security awareness in a company is by having managers stress the importance to their direct reports. That beats the pants off of any InfoSec-driven security awareness program. But whether it's done by managers or InfoSec, it's still security awareness, and it's still the absolute most important aspect of any company's security program, in my opinion.

In #3 I believe you're addressing the red tape that has grown around GRC programs. I completely agree that they should be streamlined down to what really makes sense for a company. But in the wider sense, GRC is another essential part of a security program, because it's our risk appetite and compliance requirements that will shape our company's security program in reality. Without knowing what's important to us, implementing security is doomed to failure.

#5, so why are organizations implementing security programs? My training and experience is that every step of information security is SUPPOSED to be based on ROI. If buying that DLP solution does not show an ROI, then don't buy it! In the same way, if hiring that security practitioner does not show an ROI, don't hire him.

I'm happy to look at InfoSec as the brakes on a car... because brakes have an unbelievably positive ROI! Imagine how many more accidents we'd have without brakes. They don't get better gas mileage, but they certainly improve the total cost of ownership of the vehicle.

Danny Lieberman Robb

#2 - You are right. If the corporate culture is that top level direction doesn't get embraced by the entire company then - the entire company has a much bigger problem than security. I wrote about the relationship between management and data security in April 2004 in Computerworld online.

#3 - I will only concede that compliance is the key driver to data and software security projects. Just remember that compliance != security and consider that all the big credit card breaches are from PCI compliant merchants.

#5 - Perhaps we understand ROI differently. In the business world - ROI means a measurable return on investment or cost savings. For example, investing $100K in a new machine and reducing your cost of manufacturing from $10/unit to $5/unit. If you sell 100,000 units/year - you have increased your profit before taxes by $500K.

Similar to brakes - if security is part of an embedded product (for example a medical device) then I can conceive of a company marketing their device as safer and more secure, the way Saab marketed their car in the late 80s.

But make no mistake - an enterprise doesn't embed DLP into their product (think about a company that makes shoes....) and therefore it will be a recurring non-revenue cost whose contribution to the company P&L cannot be measured.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.