Making the Business Case for Information Security
Sanford Sherizen, Ph.D., CISSP
Version of article printed in Beyond Computing (Nov./Dec., 1994), an IBM
publication. Beyond Computing, 1994.
What do the World Trade Center bombing, a computer embezzlement equal to $250
million dollars from Volkswagen Corporation, lawyers demanding E-mail messages
for litigating employment issues or trade secret cases, and the Federal Sentencing
Guidelines corporate probation provision all have in common? They are clear warning
signs that the New Security Rules for the Information Age, the rules of the road for
the information superhighway, require a change in the way business is done.
Information protection has become a priority business requirement. Your senior
executives now have a major obligation to ensure that information is adequately
protected. Critical information is at risk, criminals have gone high tech, and, when
these problems almost inevitably become publicly known, senior level managers are
being held directly accountable for security problems.
Yet, few non-technical senior executives realize that they have that obligation or
sufficiently respond to meeting their legal and fiduciary requirements. These senior
managers may agree that security is important and then do what executives often do
very well. Move on to the more immediate tangible crisis. Hand the problem over to
others by assigning someone the security responsibility. Write a warning memo to
employees. Ask whether the insurance coverage is sufficient. Inquire what the
competitors are doing. Wait until the perfectly secure computer becomes available.
Pray.
Dr. Sanford Sherizen is considered a leading consultant and seminar leader in
information security. He is president of Data Security Systems in Natick,
Massachusetts.
None of those management actions will suffice when it comes to protecting vital
information from computer crime and abuse. In fact, in the current liability
environment, these actions can be viewed as indicating that senior management is
neglecting basic due diligence requirements. There are serious prices to be paid for
such neglect.
This lack of adequate management attention to information protection places IT
professionals, who are often charged with the responsibility to protect information, in
a difficult situation. They juggle inadequate information security resources,
insufficient management commitment to security, and increasing productivity
pressures that limit security options. IT professionals have to prevent abuse when
access decisions may be made by other managers and limit intrusions while their
organization makes business decisions that extend the network to potentially
vulnerable connections, such as customers or the Internet.
In order to be able to develop appropriate security protections, IT must be able to
convince senior management that information security is now required as proper due
diligence for organizations. How can you make your management aware of the
importance of information security? To summarize, IT professionals need to be able
to convince their management that crimes against information are now so serious
that businesses may fail and executives may be banned from their industries for
inadequate attention to crime control. IT must become marketeers and translate
information protection into management terms.
Business and other management language is necessary in order to prove the need
for securing information. Persuasive arguments must be used to point out that
inadequate information protection has led to major financial losses, legal difficulties,
negative public relations, lost jobs, and shrinking market shares.
This job of convincing management is very difficult in the current economic
environment. Rather than continuing to struggle with the increasingly difficult and
potentially liability prone status quo, IT professionals should take the offensive. What
follows are suggestions and aids in making the business case for information
protection.
BACKGROUND FOR THE BUSINESS CASE FOR NEW INFORMATION RISKS
Information protection is now more complex than ever. That complexity is due to
problems outside as well as within businesses. A starting point in making the
business case for information protection is to outline why information risks have
increased, requiring new management attention to protecting vital information
resources.
Information protection is complex since the computer criminal has changed from the
old days of just a few years ago. Hackers who break into computer and phone
systems and those who develop and spread viruses are a big problem today. Yet, in
the future, we may look back at this period and consider how relatively benign these
intruders were. For in the Post-Hacker Era, there are new computer criminals,
including competitors who want product designs, angry employees who feel
downsizing calls for revenge, inside traders seeking strategic plans, governments
seeking to protect state-supported companies by spying on foreign companies, and
journalists investigating scandals. More types of new computer criminals are
expected.
The complexity of information protection is also the direct result of technological
developments. Yesterday's technological advance is today's computer crime
problem. Just as voicemail became a common business tool, which soon led to
criminals penetrating corporate voicemail systems for international telephone frauds
and as drops for their drug deals, so today's advances in wireless communications
and pen-based commands will soon be followed by their own forms of crime. The
crime-free shelf life of a technology, the time before people figure out how to attack,
manipulate, destroy or misuse that technology, has been shrinking dramatically. The
information protection shelf life, the time during which a security approach remains
sufficient, has also shrunk. Information protection float time is gone and the stakes
have increased.
Information protection is also complex due to organizational ignorance of the ease by
which information can be exposed. Ironically, organizations have contributed to their
information being threatened by making key business decisions without sufficiently
considering security implications. Outsourcing and strategic partnering can be viewed
from an information security perspective as the distribution of the most sensitive
information to sources outside of the direct control of the organization. Relatively few
organizations which have taken these (often economically necessary) steps insist
that the recipient of the information meet the information security requirements of
the parent organization. Yes, there are legal clauses regarding errors and omissions
but not a preventive security clause which states that organizations receiving this
information must show how they will meet the following security provisions and that
they will be subject to unannounced security reviews and audits.
And then there is the management problem. This can be considered as the most
important contributor to the complexities, since information protection has moved
from a technical responsibility to a managerial responsibility without this shift being
recognized. Senior executives have become the chief corporate information cops
without understanding what this means, wanting this responsibility or knowing what
to do next.
EVOLVING MANAGEMENT RESPONSIBILITIES FOR INFORMATION PROTECTION
The direct message that must be given to senior executives by IT (as well as by
auditors, members of the Board of Directors, and corporate counsel) is that they no
longer have choices as to whether or not to have information security. As
information is a strategic resource, so information protection is a strategic
requirement. The end of voluntary information protection choices is here. Reluctance
by management to support information security with sufficient resources and high
level backing is increasingly legally inappropriate. Non-existent or insufficient
protection of vital business information is the road to personal and organizational
destruction.
Some of this management responsibility has resulted from CEOs who become the
public symbols of their companies. Frank Perdue and Lee Iacocca are two leading
examples. They were held responsible for the good as well as the bad of their
companies. Blame fell directly on the boss and that included blame for situations that
were beyond their control or their ability to prepare for. Thus, the CEOs of Exxon and
the makers of Tylenol became the chief spokespersons when crises hit their
companies. And so will your CEO likely be grilled by the press and stockholders as to
why sensitive information was stolen, customer lists were copied, operations ceased
due to the virus, or business was lost when the fire destroyed files that were not
backed up. Those are natural media stories that will get big play and cause public
relations nightmares. Think about the Exxon Valdez with its oil spill and then think of
your company's potential Exxon Valdez information spill.
Information crime control as a management problem is also developing in legal
terms. There are new due diligence standards that have evolved, often causing
chagrin among executives who find out that they are legally exposed for actions
which were previously considered allowable. In several recent cases, CEOs and
other high ranking executives have been stripped of their professional futures. In May
of 1993, for example, an SEC settlement banned Frederick H. Joseph, the ex-CEO of
Drexel Burnham Lambert, from ever running a securities firm again for what the SEC
said was his failure to respond to red flags that should have alerted him to the illegal
activities of Michael Milken. The Wall Street Journal (May 5, 1993) suggests that by
the settlement, the SEC appears to be spelling out a new policy that top executives
have a duty not only to stop illegal activities once they discover them but to
thoroughly investigate hints of wrongdoing by subordinates.
One of the most direct statements of upper management's new crime control
responsibilities is found with the Federal Sentencing Guidelines. The guidelines are a
set of decisions by which judges set punishment levels for individuals as well as
organizations which have violated federal laws. The guidelines developed for
organizations give senior management responsibilities to prevent, detect, and report
crimes. Failure to accept those responsibilities can result in fines of over $200 million
and, under certain circumstances, corporate probation, where the courts will take
over operations of an organization in order to ensure that it is in compliance with
laws and regulations.
Since so many workplace activities are now computer-related and since information
is the key resource for many organizations, the computerization of many traditional
crimes means that information security can be considered as a requirement. The
need for management to prevent, detect, and report crimes has become an
information security mandate. [See the Sidebar story for more details on the Federal
Sentencing Guidelines.]
SELLING MANAGEMENT ON INFORMATION PROTECTION
For IT as well as information security managers, selling information protection can be
even more important and even more difficult than the complexities of the technical
safeguards. Selling information protection is fraught with political considerations,
involves people skills, and its rules are less clear than those of technical decisions.
What is necessary is to articulate the management problems of underprotected
information in management language and management terms. Information
protection is not an easy sell and is not easy to understand. Here are some ways to
help management understand the problem and to get them to provide sufficient
attention and resources.
Understand Management Views on Risks. Start with the view of the audience. What
ideas, stereotypes, worries, or misconceptions do they have about risks in general
and information risks more specifically? Common thoughts that senior managers
have include:

- I've got more important risks
- It can't happen here
- It's not my problem
- I'll deal with it when and if it becomes a problem
- We are spending huge amounts of dollars for technology and more is not
  available for less important support activities
- The techies have taken care of the problem
- If a problem occurs, we are covered by insurance or we will pass the cost on
  to others

Your task is to let them know that these thoughts are dangerous to them as well as
to the organization. These are security myths which need to be discussed since they
interfere with the development of sufficient resources and program activities.
Discuss Cost Benefit and ROI Strategies. Do not deny but use the fact that
information protection costs a lot, does not directly contribute to profit, and does not
provide a clear return on investment. To deny or try to avoid these issues is to
present a negative business case. For example, no one knows the best cost-benefit
ratio, the point at which X dollars spent produces Y amount of information being
protected. Information investments require a value-added perspective and
information protection must be evaluated on the same basis. While cost-benefit
decisions are important, make the case that the nature of information and the types
of threats that occur require an insurance-type view by management. It can also be
useful to create a clipping file of computer crime losses which can be distributed to
managers on a periodic basis to remind them of the large costs and consequences of
not adequately securing information.
Link Information Protection and Total Quality Management. Information protection
contributes to an organization's quality. Information confidentiality, integrity, and
availability, the key objectives of security efforts, provide an organization with clean
information. Managers need to hear how information security is an important but
often overlooked ingredient in any organization's quality effort. Employees need to
hear how their following of information protection policies and procedures is part of
the larger effort to maximize products and services to customers. Quality leaders in
organizations need to appreciate that there are hidden resources in the security
effort which can help their efforts. (An upcoming article by this author in Beyond
Computing will explore this issue in more detail.)
Define Management Tradeoff and Choice Considerations. Work with management to
determine the best strategies for information protection. Non-technical managers
may not realize that there are many decisions that they must make in order for IT
and information security to develop an effective information security program. These
decisions involve tradeoffs, such as whether the information security program will
stress prevention before a crime occurs vs. detection after it occurs. Prevention is costly and it
is difficult to know how much is enough. Detection may not recover losses, negative
publicity may occur, and preventive measures may then have to be put in place.
Similarly, management decisions need to be made about the degree to which
information security will be a centralized vs. a decentralized activity. Downsizing
means that corporate staffs are disappearing and decision-making is moving
downward in organizations, raising critical decisions on how best to manage
information protection.
Balance Production and Protection. Security can interrupt workflows and counter the
efficiency and effectiveness that computers allow. An organization which emphasizes
production over protection may suffer losses while an organization that emphasizes
protection over production may fail. An appropriate balance needs to be reached and
that occurs through intensive discussions between IT, general management, and end
users. Decisions will need to be made on how to reward employees for achieving
both production and protection. Considerations will also have to be made on how to
audit and secure information during those critical times and for those critical
activities when production needs become paramount, such as during the end of the
year rush.
STRATEGIES FOR MANAGING INFORMATION PROTECTION
If you have been able to make a successful business case for information protection,
the final point that needs to be made to your senior executives is that they don't
have to become information security managers in order to manage information
security. What they need to do is make sure that an information protection program
succeeds.
Let them know that information protection is an on-going concern and not a one-shot
effort. They need to show leadership by writing a short memo to all employees
indicating that information is increasingly at risk and that all employees must support
corporate information security policies and procedures. They need to show advocacy
by instituting a security impact statement requirement so that, prior to major
technical enhancements or key business decisions, appropriate questions will be
raised about security complications. And they need to show to all employees that
everyone now owns the security responsibility: Whether They Want It Or Not,
Whether They Understand It Or Not, Whether They Have Time For It Or Not. When it
comes to s-e-c-u-r-i-t-y, U-R-IT is the key management message.
SIDEBAR: SUMMARY OF THE FEDERAL SENTENCING GUIDELINES
The Federal Sentencing Guidelines are a set of rules for Federal judges on
appropriate punishments for individuals and for organizations found violating criminal
laws. According to the guidelines, organizations have a responsibility to maintain
internal mechanisms for preventing, detecting, and reporting criminal conduct. Ethics
statements and policy announcements alone are no longer considered as sufficient.
Specific actions and effective programs will be the measure of how an organization
will be evaluated. Faulty judgment calls by management and/or an environment that
allows such judgments to be made by agents of the organization have the potential
to become considered as crimes. In essence, the guidelines spell out new due
diligence requirements for senior management.
The guidelines offer a carrot as well as a stick for organizations. The carrot is a
suggested model program for crime prevention, detection, and reporting. An
organization that develops a program based on the model can minimize legal
liabilities even if a crime occurs later. The existence of the program elements serves
as an indication of good faith efforts toward crime control. The stick? Hefty fines,
negative publicity, and, under certain circumstances, corporate probation.
Due to the computerization of work processes, financial and business crimes are
increasingly computer-based crimes. In that sense, many of the crimes that the
guidelines evaluate are, in essence, computer crimes, even if they have not been so
defined specifically by the law. Further, the U.S. Department of Justice has requested
that the U.S. Sentencing Commission specifically address computer crimes by
considering an amendment regarding computer-related offenses. The Commission is
considering this request and a draft amendment has been made available for public
comment. Computer crime will increasingly become an active consideration under
the guidelines, whether indirectly as now stated or more directly with new sections.
Avoid serious liabilities by reviewing whether your organization meets the guidelines
by:

- Reviewing if your senior executives are meeting the new due diligence
  requirements stemming from the guidelines as well as other legal and
  regulatory changes
- Developing a liability prevention plan for your organization to maximize good
  faith efforts for crime control as defined in the guidelines
- Evaluating your information security and other forms of employee crime
  deterrence to conform with Guideline recommendations
- Maximizing an effective information security awareness program and other
  crime control communications to employees as specified in the guidelines.

The guidelines are one of a number of government initiatives which seek to control
business crime. The legal trend is clearly toward more direct management
responsibility. Be forewarned.
©Sanford Sherizen