Tuesday, October 4, 2011

How CEO’s can pass the Security Test? A letter to CEO’s

Dear Mr. CEO
Sub: Poor security in your organization
Dear Sir
Let us face reality. You Mr. CEO do not have time for information security but are in agreement as to its importance to business. If you were a king in the yesteryears you would certainly have understood the importance of fortifications.
I will tell you why you are simply unaware of where they company stands in terms of security preparedness. You do not measure it. Well this little flaw has a cascading effect as your team does not see it in their KRA. Your KRA is what the board wants and therefore you invest only for regulatory compliance.
I will let you in on an open secret. The historical annual audit, you thought gave you the pulse is like closing the bird cage once the bird has pooped and flown the coop. Not all is lost, you can still steer the ship with this set of twelve questions in five categories that you can ask of yourself and your team (CISO, CFO, CMO and CIO) to obtain the security pulse of your organization.
Awareness and Attitude: The first principle is to remember that you cannot be effective unless you really believe security is important and invest time in understanding what security means to your business. Throwing resources to meet a problem without first understanding the problem is a bad way to do business. So the first two questions are to be answered by none other than you.
·         Do I believe that the probability of security risks is high and that my company could be a victim?
·         Have I been coached on the importance of security and how it affects my company?
Audit and Measurement: What you do not measure, you certainly do not control. That’s an old trick; I do not need to teach. But in security, how frequently you measure and ensure remediation is also important. I would probably recommend that you straighten up if no one has yet reported a security incident to you. This probably means that since you never asked, the organization never instituted a process to monitor and measure. So call your CIO, CISO and CFO and ask them the next three questions.
·         Do you conduct annual third-party comprehensive security assessments?
·         Do you conduct weekly vulnerability assessment and have a process to track remediation?
·         Are you aware of security breaches within the organization?
And why did you not inform me?
Quality and Resources: Good intentions which are not backed by acceptable best practices, industry certifications and resources cannot be successful. All companies move from good to great over time. Overnight certifications are for appraisals only and not of practical use. Invest some time to understand your current security maturity, investments and road ahead. This is an exercise you can do annually, but it helps set the direction and vision for security across the organization. Security, Mr CEO is cross functional, and you alone can ensure that it becomes the responsibility of all and not Mr X or Mr Y, because you can be sure that managers in your company will squeeze the security budget in his/her area to fund an item in his direct KRA. So call your CISO, the man in charge and ask him the next three questions to understand his vision and financial and political challenges. If you support him, perhaps the rest of the organization will.
·         Do you know where on the maturity model is your security posture?
·         Is security a downplayed function? More hygiene than strategic
·         Do you have a security organization with defined budgets?

Business Entwinement: Security has moved away from being simply a hygiene factor to an essential business item. Your customers demand secure services and as you scurry to use mobile, web and cloud guarantying data security is critical. If you have not consider the security risk at the time of decision making, you are probably ensuring a failed service or the failure of your business at a point in time when someone decides to hack your service. The other big requirement is to keep a watch out for corporate espionage. Loose emails and talks by your senior team ensure that you lose a great deal of business to your competitors. So ask yourself these questions as you lead the pace.
·         Do your senior managers keep business information on a need to know basis?
·         Do you consider information security as an area of business risks while making decisions?

Investment: The world runs on money and so does your security apparatus. I am sure that when you tally your books of accounts, you will be unable to find a line item for the security spends in the company. It will be dispersed in several budget, spent and prioritized differently.  One thing you are good at is ROI. So consider this, it could be your loss or your competitors loss. Which do you prefer? If it’s your competitor’s loss than perhaps you should learn from the data breach he suffered last month and invest today. Perhaps that a strategy you would chose or you could ask yourself the following two questions.
·         Have you assessed the annual loss due to security incidents?
·         Is your investment rationale, compliance driven or focused on holistic security improvement?
Well sir, thank you for reading this longish letter. It was borne out of my long frustration in working in your company. I hope that at least this year round; you will spare the time to meet me to discuss the year’s security plans and budgets.

Yours Sincerely,


  1. Excellent Lucius, I liked the way you wrote it. As the letter was concluding I was getting more involved into it. All the points u entered make sense. I would like to share that Top shots should interact more with the lower management than senior to get into the loopholes....

  2. Interesting article, discussed in Southern Fried Security podcast 64 actually. The CISO writing such a letter would be fired possibly after the first sentence based on its tone, and certainly fired after the last sentence for insubordination. All the same, the questions for the CEO to ask the CISO are indeed interesting, and if more CEO's were that interested, we'd all be better off. I'm certainly glad to work in an environment where security is taken far more seriously than the CISO's voice here. -phoo