‘Enterprise Security’ guide calls for executive awareness, leadership
Posted on January 6, 2010 | 1 comment
As someone who has been paying close attention since the MS Blast worm hit in Aug. 2004, I can flatly say that Internet-enabled threats have steadily escalated month-to-month since then, and currently pose an unprecedented risk to individuals and organizations. The investigative reports on this Web site support this assessment – and also illustrate how far we are from reversing the advance of cyber criminals, who continue to refine and scale up their attacks with impunity.
Now comes Jennifer Bayuk with a book titled Enterprise Security for the Executive: Setting the Tone From The Top. Bayuk makes a simple, cogent argument: Internet-enabled attacks are putting valuable corporate assets at risk, and those risks should be measured, monitored and mitigated. She delivers to her targeted audience — senior executives, whom she dubs CXOs – sound rationale for truly assessing cyber threats and then setting in place a flexible framework for dealing with them.
I first met Bayuk in November 2008 at a security workshop put on by The Institute for Information Infrastructure Protection (I3P) at the University of Virginia. She had just finished her stint as CISO of Bear Stearns, which had just collapsed. On a white board, Bayuk sketched out a diagram of how corporate IT networks – and security systems — expand in haphazard, patchwork fashion, often creating several new security holes for every one shored up.
Similar sketches, along with anecdotes labeled SHS (security horror stories), are strategically dispersed through the 152 pages of Enterprise Security, which is written in clear, common language. This book is an eye-opening must-read for senior managers — and for anyone aspiring to management in our digital economy. Its basic tenets ought to be ingrained as core competencies at every business, large and small. We’re not there yet, but, as the security horror stories in this book — and on this Web site – vividly illustrate, the drivers are certainly in place. Bayuk graciously answered a few questions for LastWatchdog.
LW: Why did you decide to write a book that’s essentially a guide for how senior executives should view security?
Bayuk: When I started consulting after Bear Stearns died, I realized that the people who were CISOs like me were not looking for help from someone with my background. They did their own strategy and were only looking for people who could do jobs they already had well-defined. However, the people who really needed someone with my skill set were their bosses. These are the people who hire CISOs because they do not know how to deal with security issues at all. So I wrote this book for them.
LW: Early in your book you make the point that top execs need to lead by example, and get their direct reports to do the same. Why is this so important?
Bayuk: People understand where their paychecks come from. It is important that executives display a positive attitude about security because people get cues about what is important to their own jobs by getting feedback from their bosses. If a boss thinks that security procedures can be sacrificed, then the staff will sacrifice them, no matter how many documents Human Resources may make them sign that state the contrary.
LW: How many top execs at big companies, say those with more than 500 employees, actually are doing this? Is it much more than say, 5 years ago?
Bayuk: Historically, very few top executives at big companies have done this. But I have been fortunate to work for some who have. For example, when I was at Bell Labs in the mid 1990s, the Chairman of AT&T said something like, “The quality of our security is indistinguishable from the quality of our products.”
We in the security group latched onto that sound bite and published it everywhere. Whatever else AT&T may have suffered in the past twenty years, it is still way ahead of most global firms when it comes to systems security. The head of operations and technology at Bear Stearns was similarly sincere. He once gathered his CIOs into a staff meeting and said simply, “I want to be secure.” From where I sit in security consulting, I see this attitude becoming more mainstream. Of course, this could be a function of my place in the industry, so I am probably not the best person to ask.
LW: You also make the case that companies need a security strategy and a security process. Again, how many big companies are doing this effectively, and/or starting to do it?
Bayuk: The world is not divided into big and small, but regulated and unregulated. All regulated companies have some form of security program, even a three-person doctor’s office. Most unregulated small companies do not have a company-wide security program unless they have experienced a breach of some sort.
There is no set size at which this breach occurs. There are companies with over a thousand employees that have not experienced any negative impact from poor security, and some companies of less than 200 people that have. However, you also ask whether companies are doing this effectively. To date, the majority of effective programs have been done by talented security officers expending heroic efforts. Not a lot is being accomplished at the level of corporate strategy.
LW: What drivers do you expect to come into play in 2010 to cause top execs at big companies to pay more attention to security? What go-forward trend do you anticipate?
Bayuk: In the book, I mention the phenomenon of keeping up with the Joneses. As it becomes more and more evident that some companies are careful about security, those who are behind will be motivated to keep up. There is always the threat of lawsuits for negligence. The term “Security Horror Stories” that I use in the book is very old; I am not sure how old, because it is so deeply ingrained in the literature that I don’t remember a time without it.
In the 1990s at Bell Labs, our security department had an awareness group who issued a series of posters called “Security Horror Stories are not Fairy Tales.” I remember one was a picture of a wolf in grandma’s clothing in a bed where Red Riding Hood was at the edge, and the caption was something like, “Don’t tell your passwords to anyone!” These posters were hung everywhere. Ten or fifteen years later, I was in a building that used to be an AT&T data center, but had been bought and sold a few times and was then owned by SunGard. The posters were still on the walls. No manager wants to be accused of being less security-aware than their competitors.
LW: Is there potentially a broad, societal benefit that would or could result? What is it?
Bayuk: Result from senior executives reading this book? Yes, most certainly. One point I made in the book is that when individual companies secure their own environs, everyone who does business with them may benefit.
My example was a murder that was solved because both an internet website and a hotel chain had a significant level of security authentication and monitoring. The website recorded every detail they could about their client activity and the hotel did as well. The hotel in addition had physical security cameras distributed in enough areas to pinpoint time of guest arrival and departure, as well as to identify guests versus non-guests.
Because these two private entities had decided what level of security was appropriate to protect their own services, law enforcement could take advantage of their diligence to track and indict a murderer. When you think about the level of risk many corporations have due to lack of control over their own assets, and then think how easy it would be to protect them, you realize that, with very little individual corporate effort, our entire society could be cloaked in a much higher level of security than we have today.
I am not advocating any one big brother, just multiple simultaneous watchdogs that would be able to coordinate efforts in a crisis because they each individually understand how genuinely valuable their own security is to them.
By Byron Acohido
Comments
1 Comment
Byron,
Thanks for talking just now and recommending this post re: Jennifer Bayuk’s book. Very valuable. Will look into it. Thanks again. Best, Julie
Comment by Julie Squires — 1/18/2010 @ 1:29 pm