One of the most common complaints I hear from IT pros concerns the lack of knowledge (OK, the ignorance) of company executives regarding information security. For many CEOs and high-level executives, security is at best barely understood and at worst completely misunderstood. Some execs tolerate security procedures and expenses, while others view them as a cost with no possible return.
Bridging this knowledge gap can be extremely difficult for any IT manager. After all, you usually cant get away with calling your CEO ignorant. And trying to explain security preparedness technically to your boss can go nowhere fast.
What you really need is the help of another CEO who actually does understand security—someone who can explain security risks and preparedness to a CEO in language he or she can understand. Thats where TechNet comes in.
TechNet is an organization of CEOs from IT-oriented companies that has mainly been dedicated to political lobbying in areas of interest for its members, although it provides other services as well. Last week, it released for comment the Corporate Information Security Evaluation for CEOs, an 80-question survey that CEOs can take to gain an understanding of their security risks and how well-prepared they are to protect their IT assets. Inexperienced executives will definitely get a lot out of the survey, but it also will be worthwhile for executives with a lot of security know-how.
TechNet recommends that CEOs go through the survey collaboratively with their CIOs, chief security officers or other top IT managers. The document is split into five sections: a business dependency section that determines your reliance on technology and level of danger from a security incident, a risk management section that evaluates your level of readiness for security problems, an evaluation of your personnel skills in IT security, a survey of your information security policies and processes, and a section dedicated to your investments in IT security technology.
I liked the questions that force companies to figure out the cost of losing critical assets to security problems. I really liked the question that asked whether security personnel were involved in the evaluation and deployment decisions for new products and systems.
Any company that completes this evaluation can get a lot out of it, either by addressing real weaknesses or by improving already-good security processes. But there are also some potential problems.
Probably the biggest is that many CEOs will want to score as high as they can on the survey and might want to publish their scores. The obvious danger here is the temptation to provide untruthful responses. You should discourage going public with scores, no matter how good they are.
Another problem, for IT and security managers, is that you may find yourself pressured to add systems that you dont really need just to add points to your score. Parts of the survey deal with products and systems that not every company will choose to implement. Because of this, Id recommend that you preset expectations before going through the survey with your CEO. Clearly define the areas where the questions in the survey deviate from your technology architecture.
Another weakness, albeit an understandable one for an organization with a membership made up of many technology vendors, is that the survey doesnt take into consideration inherent strengths and weaknesses of different vendors technologies. The fact that a company with a back-end infrastructure of mainframes and Unix-based databases, which are known for their rock-solid security, would score the same as a company with a back end of Microsoft SQL Server databases, which are generally much less secure, doesnt make a lot of sense in a pure security evaluation.
Still, I cant be too hard on a document that does a lot of good in educating executives as to where their companies stand in risk and readiness. Many executives are essentially illiterate when it comes to IT security. Just think of this document as their first reader.
Discuss this in the eWEEK forum.
Labs Director Jim Rapozas e-mail address is firstname.lastname@example.org.