Who should be responsible for IT security?

Hot potato, or hot job?

Typically, when a cybersecurity problem arises, it’s the IT department that gets it in the neck. Ostensibly, that makes sense. After all, if someone is in your network mining your database for corporate secrets, it’s hardly the office manager or the accounts receivable department’s lookout, right?

Perhaps. On the other hand, there’s a case to be made that putting Canadian IT departments alone in charge of the cybersecurity budget and decision making may not be wholly effective. Some believe that carving out cybersecurity as a separate function could lead to better, cheaper information security overall.

John Lyons, chief executive of the International Cyber Security Protection Alliance, is one of them. For security to be a first-class citizen, it needs to have its own champion outside the IT department, he believes. “If you have a CISO reporting through a CIO or if you put the cybersecurity budget in the technology budget, then the security spend gets lost among other priorities,” he warned. “It's right to segregate out the expenditure on security as a discrete part of the overall spend in the company.”

Hey, big spender

Tim Holman, director of the international board for the Information Systems Security Association, agrees. It can be a particular problem when companies lump all of the cybersecurity budget into the IT department, he warned.

“If the IT director has a lot of purely IT staff working under him then it's the wrong place to put money because it'll just get spent on IT security,” he said. “Often, the security function is in the IT domain. I think everyone sees security as an IT problem. Maybe the IT director should know better than to accept that responsibility.” When companies do take cybersecurity expenditure out of the IT budget, how well do they protect themselves? IDC surveyed over 200 organisations in Canada to assess their security budgets, looking at how much they spent, and what they spent it on.

On average, Canadian organisations spend just under 10% of their budget on security technology, according to the IDC survey. This doesn’t include services and staff.

A quarter of the companies (23%) spent just 6% of their IT budget on security. Categorised as defeatists, they have weak security, with no support from the business for IT teams who long ago stopped asking for it. Another 37%, classified as denialists, spend 8% of their IT budget on security. Both of these categories incurred more security breaches than average, and were considered to have a maturity level of 3 or less out of 5.

This means that the lion’s share of Canadian organisations surveyed – six out of ten – are dropping the security ball. It’s telling that this majority each spent less than the average on security.

Conversely, those Canadian firms that spend more than the average amount from their IT budget on security incurred fewer data breaches than average, the survey found, and also scored higher on the maturity scale. The devil is in the detail, though, and there’s one statistic that particularly interested John Pescatore, director of the SANS Institute, which focuses on security awareness and education. The minority of companies that spend above the average on security fall into two groups: realists, and egoists.

Realists spend 14% of their IT budget on security. Their IT security is fair but they strive to be better. Egoists are the top of the heap, with a 4-5 maturity rating when it comes to cybersecurity, but here’s the thing: they spend slightly less of their IT budget on cybersecurity than the realists, at 12%.

Why would the highest cybersecurity performers not also be the highest cybersecurity spenders? “The trend that most mature organisations start to spend less on security is very common,” Pescatore said. “That's because they avoid vulnerabilities using better IT and procurement practices, but it’s also due to a lot of spending on security that isn't counted as security spending.”

This spending typically happens outside the IT department, he argues, explaining that money earmarked for improving information security can be spent in various ways. For example, companies might allocate some of that money to a proper cybersecurity awareness training program that actually worked. That might include funding a program that tested employee habits by sending fake phishing messages to try and catch them out.

Procurement is another area where companies might spend their security budgets outside the IT department, argued Pescatore. “If an organisation that buys things puts security requirements in procurement so that they require software developers to do testing on their software, that’s not spending money from the IT budget,” he said. Yet it’s still cybersecurity money.

Don’t be a tool

One danger of putting all the budget for cybersecurity inside the IT department is that it will just get spent on technology to try and solve the problem. Most experts seem to agree that cybersecurity tools on their own are not enough.

“It's not just about things with three-pin plugs on them,” said Lyons. “If you diverted a decent amount of money to the education of all employees in the business, that's the most important thing that a CISO could be doing,” he said.

We can point to several examples proving that companies can’t simply throw money at shiny boxes or gold-plated services and abrogate responsibility. Target is a case in point. The company got hosed not because it didn’t have adequate tools and services in place, but because it ignored what its $1.6m malware detection tool was telling it.

Even when IT departments do buy technology, the signs are that the expenditure isn’t addressing some of the newer threats very well. Most of the spend – a whopping 32.8% - goes on network security, with identity access management and secure virtual machines coming a distant second and third. What’s interesting is that technologies such as mobile, web, and email security – often considered clear and present dangers – rank relatively low, with companies barely spending single figures.

Moreover, companies in Canada admit that they aren’t focusing enough on people as a crucial component of the security ecosystem. Ideally, companies would invest in awareness programs that actually make a difference, and Canadian firms said that they’d like to spend almost a quarter of their security budget on this. They aren’t though. Security awareness accounts for a far smaller fraction of the security budget.

Cybersecurity extends beyond mere IT

If we accept that companies should be spending money on cybersecurity outside the IT department, the question then becomes: how? In an ideal world, said Holman, there would be a single person responsible for that process. A CISO would have visibility and budget for cybersecurity across all aspects of the business. They would have a place on the board, and would be able to speak to other C-suite executives using board-level language.

That’s a great idea, if we assume that the board understands and appreciates the need for cybersecurity. The problem is that many don’t, warned Lyons.

“The buck needs to rest with the chief executive and his or her board, and unfortunately that hasn’t been grasped by so many companies,” he warned, arguing that in many cases, he doesn’t believe the technology team reports to the board at all.

“I would say that we're into a new industrial revolution with cyberspace,” he continued. “Boards need to take as much responsibility for the company's performance on cybersecurity as they do for financial responsibility.”

The Reg’s readers seem to agree. At a Register Round Table earlier this year, several CIOs complained that the board simply didn’t get cybersecurity, conceptually. A lot of them thought it was simply a case of installing some antivirus software and heading off for the golf course.

Board responsibilities

That’s unfortunate for board members. IT employees may well be fired if a company is compromised by a breach, but ultimately, the responsibility rests with the board, which has a duty of care to the company, including making informed decisions with diligence and skill. In 2013, the Canadian Securities Association adopted Staff Notice 11-326, which outlines some board-level responsibilities around cybersecurity.

Issuers of securities (that is, companies who are listed or planning an IPO) should assess whether they need to disclose any cybercrime risks or incidents in a prospectus or continuous disclosure filing, the Notice said. They should explore the adequacy of their risk management systems, and the CSA will consider these issues when reviewing issuer disclosure. Companies must make up their own minds how to balance legal compliance and disclosure, but it puts this square on the C-suite’s radar.

Canadian law is evolving to hold companies more accountable for their security breaches. Take the Digital Privacy Act, which Canadian parliament passed into law in mid-June. This represented the first significant update to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in many years, and finally introduced federal data breach notification requirements for Canadian companies. The penalties for violating the disclosure requirements are up to $100,000 per violation. That should help to persuade boards that they should be viewing cybersecurity as a broader element of business risk.

All the other kids hate me

There are several other problems for CISOs. One of them is that they’re typically not very popular, warns Holman. “CISOs are seen as a thorn in people's side,” he said. “They stop people making money. They stop software going out because it’s not ready, and they stop web sites being published, because they’re still insecure. On the other hand, the boards want to act quite quickly.”

Done properly, a CISO role will often be at odds with the board, because agendas may conflict. That’s a difficult political challenge. Perhaps that’s why, as Holman suggests, the CISO often doesn’t have much executive power. In that case, they could become a waif-like presence, floating along the halls of power making vague admonishments but not able to do anything except irritate people, a little like the ghost of Christmas future.

Worse, they might simply report to the CIO, which may result in them being completely declawed if the CIO isn’t sympathetic, and has their own agenda, such as cost cutting or infrastructure transformation. In these situations, the CISO’s agenda will often become a secondary issue, eclipsed by a focus on operational performance, said Pescatore.

“But then, the same thing happens when the CISO role is put under legal or finance,” he points out. “And in those cases, it becomes disconnected from the IT side, where the risks and the progress both come from.” Cybersecurity may well be a holistic pursuit, but deficiencies in IT operations still contribute a disproportionate amount to cybersecurity breaches, he warns.

In an idea world

So, what’s the answer? In an ideal world, the CISO will have an independent role, and a friendly ear on an informed board. They will have a strong interest in ensuring that IT in particular conducts its operations securely, and will work with the CIO from a position of influence to help achieve that.

To that end, the CISO will demand that each relevant line of business allocate some of their budget for cybersecurity purposes and task them to show results for it, suggested Lyons. “Suddenly, it’s everyone’s goal to get the best value for their contribution,” he said.

To do this, a company may have to overcome several problems. Board maturity is one. A board education and outreach initiative may be necessary. Another is resource allocation. Many companies won’t be large enough for a full-time CISO. Making it the part-time responsibility of another board member could work, as long as they’re mature enough to understand that cybersecurity extends beyond their own domain.

Alternatively, Holman says that a ‘virtual CISO’ consulting service from a third party supplier is an option.

Finally, will political pushback be a possibility, if the IT department has traditionally controlled the purse strings? Nonsense, said Lyons. “Most technology leaders that I talk to would love to be rid of the responsibility for security,” he said. “Otherwise every time a breach occurs, the CEO will say to the CIO ‘what have you been doing?’”

Perhaps the biggest incentive in any of this, then, is to help IT folk avoid those awkward conversations in the elevator. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017