Bosses and CISOs: What we've got here is failure to communicate
A recent survey suggests that corporate bosses and their chief information security officers are not speaking the same language, and the result seems to be a disconnect on how to secure their enterprises. Just 15 percent of CEOs said they are worried about getting hacked, compared to 62 percent of CISOs.
“We see a pattern in which the CEO is ill-equipped to respond to this very real risk to the organization,” said Mark Hatton, CEO of Core Security, the company that commissioned the survey.
A big part of the problem seems to be a lack of generally accepted standards for information security. This is an area where government could — and should — step in to establish some order and improve the security of the nation’s privately owned critical infrastructure. But the anti-regulatory mood on Capitol Hill makes prospects dim for any positive action anytime soon.
The Core survey took the opinions of just 100 CEOs and CISOs or other C-level security leads, so it probably falls short of scientific accuracy. But it does show a consistent split between the two offices.
For example, 58 percent of security chiefs are aware that their systems could be currently under attack or already compromised without their knowing it, but only 26 percent of chief executives think so. And about two-thirds of security chiefs worry that their jobs could be put at risk by a hack, but only 22 percent of CEOs said they do.
The primary reason for the disconnect is that the two do not appear to be talking very much. Thirty-six percent of CEOs say they never get reports from the CISOs, and only 27 percent get reports on a weekly or more frequent basis. The result is that a ton of money is being spent on security technology, producing lots of data but too little information or security.
The findings are hardly surprising. You would expect an information security officer to worry more about security than his boss. That’s his job. But as Hatton points out, “the CEO's responsibility is to manage the entire risk” to an organization, and cyber risk is an increasingly important one. The CEO probably has a much better handle on the financial condition of the company because he and the chief financial officer speak a common language.
It’s time to establish some standard framework for communication in the security realm as well. “In security, we’re moving in that direction, but we need to move more quickly,” Hatton said.
And that is where government comes in. One reason that the CEO and CFO understand each other, and one reason people outside a company are able to evaluate its financial condition, is the Generally Accepted Accounting Principles, or GAAP, established by the Financial Accounting Standards Board. FASB is an industry body, but GAAP is recognized by the Securities and Exchange Commission, which has responsibility for establishing financial accounting and reporting standards for publicly held companies.
So far, Congress has not managed to put any comparable regulatory structure in place to provide oversight and general awareness in the security realm. Sen. Joseph Lieberman (I-Conn.) has introduced a bipartisan bill, the Cybersecurity Act of 2012, that would give the Homeland Security Department authority to set security standards for critical infrastructure.
But that bill has gone nowhere so far, and competing bills introduced by Republicans resolutely eschew any regulation.
Government alone will not solve critical infrastructure security challenges. Federal IT systems are regulated now, and they still struggle to protect themselves. But a regulatory framework with agreed-upon standards and accountability is needed and would be a step in the right direction.