Need to convince corporate leaders with objective measures of security's value? Start here.
US President Harry S Truman said in his farewell address in 1953: "The President has to decide. He can't pass the buck to anyone." Now that's an adage all executives might consider carving into their desks (if not their very souls) as the torrent of cyber attacks continues to highlight corporate vulnerability to IT security threats.
The days when executives could profess ignorance and happily pass all responsibility for security to their IT professionals are long gone. No executive can fail to be aware of the mounting toll data theft, virus and worm attacks and other security intrusions are taking on corporations struggling to keep up with the army of cyber villains intent on exploiting their technical knowledge to inflict maximum damage whenever and wherever they can.
In 2003 alone, the Australian Computer Crime and Security (AusCERT) Survey shows, 42 percent of corporations fell victim to one or more computer attacks that harmed the confidentiality, integrity or availability of network data and systems. Financial fraud, laptop theft and virus, worm and Trojan infections caused real losses, yet a dismal 11 percent of respondents felt they were managing all computer security issues reasonably well. This should worry those at the top, since all executives could find themselves potentially liable in the event of a catastrophic security breach.
Experts warn that increasingly, executives must consider themselves chief information security officers, and recognize that as with any other cause of business disruption, if IT security adversely interrupts business it is, ultimately at least, their responsibility.
Following are some of the things all executives must know, and some questions they all must ask.
You Are Where the Buck Stops
While no court in the land is likely to find you personally liable should your corporation choose the wrong firewall, liability for IT security is governed by precisely the same sorts of principles that govern individual liability of directors and officers for any failure to carry out their duty. It might take a significant failing in your duty to act in the interests of shareholders under sections 180 and 181 of the Corporations Act for you to be found culpable, says Sydney-based IT lawyer Chris Wood, but the risk is always present.
"IT security is a significant enough problem for business that if executives completely ignored it, they'd leave themselves exposed to claims by shareholders," Wood says. "In an extreme case of neglecting the issue of IT security, directors could have an exposure personally, because it might be said that they have gone so far down the track in breaching their duty to the shareholders that they create a personal liability."
Taking responsibility means being prepared to talk frankly to customers about any attack. In the US, the new California Cyber Security Law requires any corporation suffering a cyber attack to notify their customers, and other states in the US are looking at implementing similar laws. Likewise, says Invisus president James Harrison, new US federal laws regulating certain industries, including health-care and banking and finance, impose similar requirements. Not only must any Australian company eager to do business in the US take note, Australian law is likely eventually to follow suit.
Australian firms that choose voluntarily to ensure their security practices conform to the growing international standard ISO-17799 will have an easier time doing business abroad.
You need to make security an everyday part of IT, from daily operations, through design and architecture, policies, practices, configurations, event tracking and response, to training awareness and to driving improved risk-based metrics. Your entire management team must recognize that information is not just an IT matter, but a business matter, and therefore each business unit owner must understand how they contribute to the overall success of information security through simple, easy to implement security practices that benefit the company overall, says TrueSecure Asia Pacific vice president of operations Philip Dewar.