Why executives need to be much ‘muchier’


In the following article, Protega’s Technical Director, James Wootton, discusses who is really to blame for today’s every prevalent security breaches in our cyber world. With a novel take on this discussion, are executives truly at fault?

If the Queen of Hearts became the arbiter of all cyber security failings, would we be in a poorer state than we are now? At least there would be decisive action, all be it potentially fatal, one people are likely to heed! But in all seriousness, are we at the stage where some form of appointed legislative body should investigate the perilous business of cyber security? Maybe it is time for individuals to be held accountable, rather than permitting farcical public resignations of senior executives to mitigate the bad news, focusing the blame elsewhere. After the initial shock of the exposed systemic failures and an organisation’s attempts to ‘come clean’ regarding the actual quantum of the breach or data loss, who should be held accountable? The CSO? The CEO? The entire board? Opinions differ, but all have been cited as probable candidates, either through negligence or ignorance, conscious or otherwise.

With executives such as the US Director of OPM falling somewhat messily on the mighty sword of public opinion, what is it that creates the huge disconnect between business leaders and their senior security officers, particularly where a CIO or CISOs have played a major part? Why are the executives of numerous organisations getting it so terribly wrong? Is it really down to them, or are we, the security community at large, playing a major role in the creation of this information gap? I suspect the answer will be a sizeable chunk of each. If we, as an industry can’t articulate the risks in terms that the business leaders understand, then we aren’t in a position to moan when our advice is poorly received, or no heeded. Conversely, if we’ve clearly articulated the risk, remediation and mitigation steps, and the board chooses to balance cost/risk in favour of profits, then you have two choices. 1. Continue to bang your head or 2. Seek alternative employment for a company not ‘paying lip service’ to security. As a wiser man than me once said, “It’s their train set, you can either join in and play, or find your own.”

“I wish I hadn’t cried so much!” said Alice, as she swam about, trying to find her way out. “I shall be punished for it now, I suppose, by being drowned in my own tears!”

Don’t get me wrong, I appreciate that balancing cost and budget is no mean feat and often constraints prevent all but critical vulnerabilities being fixed in a timely fashion. In my opinion, the head of OPM deserved to go, for the arrogance of knowing the security failings of her enterprise and not bothering to raise the flag, combined with the pure ignorance of consciously not understanding the level of risk attributed to her organisation’s computer systems. At best, it could be said that conscious ignorance ultimately led to her demise.

This and other high profile breaches should stand as a warning. Business leaders don’t need to delve into the nitty gritty of cyber security, but the risk attributed to business activities by their ICT, and the impact, must be understood not ignored, especially where it’s being raised as a concern, time after time. Equally, mad scrambling, pushed down usually from the very top, after a competitor is breached makes no sense economically. It’s an inefficient, knee-jerk reaction that costs many times more in terms of resource, time and disruption than a planned programme of risk-based assessment, upgrade and enhancement… Click HERE to find out more about this article