A university pal of mine — a corporate lawyer at a major, publicly traded company — has been watching all of the corporate-integrity meltdowns from his not-so-distant vantage point. Just for fun, he helped me devise a quiz of sorts to check out the "uprightness" of my own situation at my company. I was shocked and disturbed enough with my results to share them here (under the protection of anonymity, of course).
Maybe I'm a good Samaritan, but I hope our times offer an opportunity to change some corporate thinking. Take this little business hygiene quiz with a few of your trusted colleagues over a latte or two. And since catharsis is good for the soul, I'll share my answers with you here. I used a scale of one (not so much) to five (absolutely) to get a numerical sense of where I stood.
To start, does your business depend on a complex technical environment with significant uptime reliability?
Aren't we all increasingly reliant on a networked environment with nodes, access points and critical intersections in places that we can't see or control? Uptime reliability is important for everybody these days, but it's an expected cornerstone of businesses that feel they need to hire a CISO. I give myself a four on this one.
Does your company have operations in any developing countries?
Many companies have core business processes located in countries below the earth's beltline. Security risks exist there that make knowledgeable security professionals twitch every time their phone rings: kidnappings, corruption, incompetent and criminal law enforcement, Internet crime, organized crime, drugs, money laundering, an overall unsafe environment with too many Foreign Corrupt Practices Act temptations. But what are you going to do? The labour is cheap and we have to be competitive. My company is moving in that direction but not there whole hog yet. So I'll give us a three on this one.
Would you characterize the velocity of your company's business as high-speed?
How about warp speed? How else can we continue to satisfy Wall Street and our fickle shareholders? We're all being pushed to do more with less. And there's so much going on in the back draft of this fast pace, I wonder what the hell else I'm missing. I'll take a five on this one. I'd take a six if it were allowed.
Do you forgo a criticality rating to identify shortcomings in business controls and security measures?
With all the open books and disclosure emphasis these days, the lawyers are really nervous about recording any risk information that could come back to haunt us. As a security professional, I've always lived with criticality ratings — it's all about the likelihood of problems we need to be prepared to address. But I know for a fact that we have no organized process for doing this across the business. In the aftermath of Sarbanes-Oxley, our auditors now rank their findings; but that's ex post facto and, besides, an audit is cyclical and periodic. This is all about what keeps knowledgeable risk managers awake at night and what we are missing. I'd better take a four (and hope for the best).
Does your corporate risk-management model discourage individual managers from seeking out vulnerabilities in the system of controls?
My company doesn't have a risk-management model, per se. When something goes wrong, blame is typically parcelled out to the lowest common denominator. I'll take a four on this one, too. (This isn't shaping up well, is it?)
Are managers ill-informed about what to look for on control deficiencies or cues on risky behaviour?
There's not a lot of sharing here, especially concerning errors or incidents. After all, who wants to shoot themselves in the foot? We have an active infosecurity awareness program, but it hasn't been integrated into any of the training and employee development programs we run on a continuous basis. HR owns management training, but it doesn't recognize that the manager's job has a core risk-management component. And what's the first question out of the CEO's mouth when it hits the fan? "Who's the manager of this disaster?" I can't vouch for manager awareness across the board. So let's score a three here.
Are there unaddressed vulnerabilities in your company's safeguards or other such exposures that could be exploited?
The fact that this question has to be included speaks volumes about the maturity of risk management. Of course there are known gaps! And it's the people who work here who know where to find the holes. The guy who is empowered to do you the most damage already works for you. The developers leave open doors in our applications, and our LAN administrators have the keys to the kingdom. There's no one place where all the data comes together to enable those of us on the firing line to see where the interconnections and interdependencies may exist. Besides, I get paid to think about "what if," so scoring anything less than a five would be dishonest.
Do you worry whether the people your company hires in sensitive positions (supply here your local definition of "sensitive") tell the truth about their personal and professional histories?
I know damn well they aren't truthful because I do the background investigations. The problem is that we manage this process for HR on selected hires; and if the hiring manager is senior-level enough or the position critical enough, a candidate with a bad background will get hired anyway. I've kept score on these bad hires, and about two-thirds of them are gone after two years — a number of them because they didn't have the competencies that they advertised coming in. I also know that they've lied through their teeth concerning their prior compensation to pick our pocket. But I really worry about the day when the press gets wind of serious malfeasance by someone on the payroll for whom we have a derogatory background report. The process here is a farce, but I've been unsuccessful so far in my attempts to influence it. So I'll take a solid, but unapologetic, five here.
Does your company outsource any business processes that contain sensitive information or other valued assets?
All our customer communication is through a vendor-based phone centre in another country. Our legal department, purchasing and facilities are also all contracted out. And now I hear that they are entertaining the thought of having HR outsourced along with significant elements of our IT infrastructure. I'm turning into more of a contract manager than a security officer. We have become more of a virtual corporation than real one. And the numbers guys love it! I know that these vendors see some of our most private information and business processes. Since I'm paid to worry, I'll give us a four.
Has your company failed to perform due diligence on its vendors' systems of control over company assets?
I've gone through the procurement files on several recent deals. The only evidence of any due diligence was financial in nature. Of the five files that I examined, only one had executed a nondisclosure-confidentiality agreement. Of greater concern was the total absence of a technical due diligence for three vendors that provide software development and sales support services. Both situations allow online access to highly sensitive proprietary information. Moreover, these vendors are on our network, and we don't have a clue! Anything less than a five here is kidding myself.
Do messengers of bad news get shot? And is there a reluctance to escalate concerns on integrity to senior management?
Think about why Time magazine selected three whistle-blowers as its Persons of the Year for 2002, or why Sarbanes-Oxley needed to repeat the whistle-blower protection put forth a mere 10 years earlier in the Corporate Sentencing Guidelines. And isn't it interesting that Sarbanes-Oxley put special emphasis on the protection (nay, encouragement) of lawyers and auditors for reporting wrongdoing?
You might think the bigger the fish, the greater the disappointment for transgressions. Not so. I've noted along the way that, when it's a little fish on the hook, senior management pauses only long enough to consider whether to fry it or bake it. Catch-and-release for the select few (the big guys) is more often the case. It is a fraternity after all. And CSOs learn quickly that they have to build a bulletproof case for the chosen ones. Sad to say, I'm inclined to look the other way on this one and give us a three.
When things go wrong, are the lessons learned vastly ignored?
Unfortunately, yes. Why would a success-oriented executive put his reputation on the line and 'fess up to a big-time boo-boo? Think about it. That's why it has to fall to the governance organization to complete the circle. The audit committee is a wonderful place to get things on the record that can't easily be trashed, especially in this post-Enron business environment. But if you continue to shoot the messengers, how do you expect to calculate anything in sufficient detail for the auditors? It's tricky, but there is a real incentive from Sarbanes-Oxley to protect data. Score us a four on this one.
So, what's your tally? You had 12 questions that could have given you a possible score of 12 to 60 points in total. I scored a 49 — which puts me into the 80th percentile on the bad side of the equation. Am I concerned? Hell yes! But I just got my bonus check. And I'm going to take the advice of my lawyer friend and burn these results.
This column is written anonymously by a real CSO.