The writing's on the wall for CIOs: A security breach in your
organisation could cost you your job.
The recent resignation of Pedro Cadenas Jr., the chief
information security officer (CISO) and acting CIO at the U.S.
Department of Veterans Affairs, is just the latest example of an IT
exec taking the fall for security snafus that may have more to do
with institutional dysfunction than a CIO's negligence.
According to reports, Cadenas and his predecessor and former
boss, Robert McFarland, faced an uphill battle to overhaul the
agency's IT infrastructure and centralise authority. McFarland
resigned in frustration over the agency's inability to move forward
just weeks before the May breach, when the personal data of 26
million veterans and more than 2 million service members was stolen
from the home of a VA employee who left it sitting unsecured on his
laptop. Although the laptop was later found with the data fully
intact, the incident exposed a string of other security breaches
within the agency.
Cadenas resigned shortly after the May incident but was reportedly
placed on paid administrative leave for his final two weeks of
employment. Neither McFarland nor Cadenas has been officially
implicated in any wrongdoing.
Experts say the CIO is often the first executive to be called to
task for any IT security violation, despite the fact that problems
with security generally involve a number of departments.
"They think, 'Data loss.' They think, 'Computers. Must be the
CIO,'" said Jack Phillips, managing director of the Institute for
Applied Network Security, a membership association for security
professionals in Boston. "If there's only one senior technical
person, there's only one guy to shoot at."
The problem for many companies, not just the VA, is that
executives don't know who to blame because they haven't assigned
responsibility for risk.
When they experience their first data breach, their reaction is
to blame someone. "It's because they've never run the fire drill
all the way through," Phillips said. "They've thought about DR
plans and how to react to breaches, but they've never taken it to
that next level of what the final few actions would be. They never
say 'OK, who are we going to fire over this?'"
"We see a pattern of extremes," Phillips added. "Companies are
grossly undersecuring their data, and when an incident happens,
they're equally extreme in firing someone."
Empowering the CIO
Companies that are on top of security information typically have
given the CIO the authority and visibility to make the
organisation-wide decisions necessary to protect against IT
security breaches, said Khalid Kark, a security analyst at
Forrester Research Inc. in Cambridge, Mass.
"If you empower the CIO, and something goes wrong, then you are
right to blame the CIO," Kark said.
But a CIO with responsibility for security policy but no clout
to enforce it should not lose his job, Kark said. "Then the CIOs
are scapegoats. And I'd say we are seeing more of the latter in the
industry right now than the former."
Joyce Young is vice president and CIO at La Grange, Ill.-based
Electro-Motive Diesel Inc., the world's largest builder of diesel
locomotives. She has no doubt whose head would roll in the event of
a major security problem.
"I am responsible," she said.
Young has found that persuading management to assume
responsibility for a security policy is easier preached than done.
She recalls an email security strategy she tried to sell to
management at her former company. Using color-coded alerts of red,
yellow and green, it stipulated that sensitive, or red, material
was basically off limits for emailing. Yellow-level materials came
with several cautions and green email was free to go.
Her system came in the wake of a virus that sped through the
company during Young's first week on the job.
"Fortunately they didn't blame me," she said of the virus, and
she quickly reinforced the security infrastructure. But a
comprehensive policy for outgoing e-mail never materialised.
"Nobody would go for that idea," she said, largely because of
cultural issues.
Indeed, many organisations can't get out of their own way to
give the CIO control and authority over security, Kark said, as
doing so takes time and money and involves huge cultural
changes.
In fact, the House Committee on Veterans' Affairs now admits
that it was the lack of CIO and CISO authority that contributed to
the theft of that employee laptop in May. A directive from VA
Secretary James Nicholson issued June 28 gives additional powers to
the VA's CIO -- essentially giving the CIO complete responsibility
and authority for establishing system access standards.
And efforts to elevate the CIO position to the undersecretary
level are currently under debate on Capitol Hill.
Cover your assets
Yet one fly in the ointment in the effort to empower CIOs is
that many are not willing to take up that role and responsibility.
"A lot of CIOs, to be honest, don't want this huge responsibility,"
Kark said. "The fact is, you can do 100 things right [in security]
and if you miss one, that could potentially lead to a breach. It's
almost a lose-lose proposition for a CIO to take this role."
Which gets to the heart of the issue, Kark said. "Nobody really
wants to take responsibility, and the reason is that one, they
don't have the visibility to make changes across the organisation,
and two, it is a hard problem to inherit."
More CIOs are being made scapegoats, he said, both "because it
is hard for CIOs to be the front and centre of these organisation
issues, and because CIOs really deal with technology issues, not
with people and processes."
Experts recommend that companies build a security team that is
headed by a CIO but includes representatives from the legal, audit
and finance offices.
And if a company doesn't want a broad-based security team? "If I
were a CIO who was assigned ownership for security, I would make
sure there was a paper trail all the way back to the board,"
Phillips said. "Then the reason you have security breaches is
because management, not you, has decided to accept a certain level
of risk."
Let us know what you think about the story; email Kate Evans-Correia, News Director, or Linda Tucci, Senior News Writer.