Getting on board with IT security

The importance of security to companies is still not given enough weight at board level.

  • E-Mail
By  Administrator Published  April 19, 2007

IT security has the potential to impact a business at every level. Few other business areas, if any, have the potential to damage customer relations, disrupt supplier dealings, lower employee productivity, lose revenue and even lead to the arrest of the CEO. And yet for many organisations, there is little visibility of IT security at board level - meaning that most executives can have limited or no understanding of this critical issue. IT security is an essential topic for discussion and has certainly earned its place on the boardroom table, but for CIOs to be truly effective, they need to become effective translators of what IT security dangers mean for the business.

The IT threats facing both small and large businesses are too numerous to list, and are becoming more and more sophisticated every day. McAfee's annual Virtual Criminology report has plotted the growing involvement of organised crime online. It has shown there are alarming consequences for the industry to face as threats become money-motivated, and businesses are faced with the prospect of theft or even extortion online.

IT lies at the heart of virtually all business processes. Threats that target the IT systems that underpin business functions, or vulnerabilities within these systems, have the potential to wreak havoc on a business. And as information (or data) itself becomes a core business asset, IT security is at the frontline in terms of assuring its integrity.

For the larger business, compliance is now a critical issue. Regulatory requirements - from Sarbanes-Oxley to HIPAA (Health Insurance Portability and Accountability Act; US legislation that covers the security and privacy of healthcare data) to Basel II and the Data Protection Act - are very prescriptive when it comes to the integrity of data held by businesses.

Failure to comply with these regulations can result in large fines, or potentially even jail terms for the business and its executives. New disclosure laws introduced in the US, and soon to appear elsewhere, force businesses to publicly announce when customer data has been compromised. The impact of this disclosure has in some cases been so severe that the company has gone out of business.

Most executive boards are undoubtedly aware of the importance of IT security to protect their business. But how many really understand the issues involved? News reports may highlight the latest threat or piece of malware but this means little without the context of what the specific vulnerabilities are for a business, particularly in relation to core assets. The board may set in place policies for the safe treatment of company data, but do they have any visibility over whether these policies are being enforced?

Undoubtedly many businesses do recognise the importance of IT security and it is indeed a board level issue with representation from the CIO. However, there are still a significant proportion of companies where the CIO reports into the CFO or CEO and, although a boardroom subject, IT security has no direct representation from someone who is living and breathing the issues. For example, a report produced by the London School of Economics, commissioned by McAfee, found that 40% of CIOs within the financial services sector report to the CEO. However, while IT security may merit direct representation at board level, CIOs need to earn the right to engage in those board level discussions - which means presenting IT security in a way which is meaningful to executives.

The board has no interest in how many e-mails are scanned each day or which version of the firewall software has been installed or what the latest Microsoft vulnerability is. To have credibility at board level, the CIO needs to speak the language of numbers rather than bytes. In the same way that the CFO presents the P/L (profit/loss) figures for the business, the CIO needs to provide demonstrable metrics regarding IT security risk and conformance to compliance.

Take the example of a credit card company. The security of the systems that house customer data is critical from both a business and compliance perspective, it is therefore crucial that the board has visibility over the security of these systems. A breach of security in any of these systems could undermine customer confidence irreparably; resulting in lost revenue and/or regulator action. The CIO must be able to clearly demonstrate the safety of these systems or provide a business case if additional resources are needed to achieve an acceptable level of risk.

As such, the key questions for the board are: What is the current level of risk to the business? Is this level of risk acceptable? If not, how can we reduce risk, what is the timeline to do so and how much will this cost? These are the questions for which the CIO needs objective metrics in order to demonstrate that either the level of risk is acceptable or that additional resources are required.

In an ideal world, IT security strategy should be set by the board, at the behest of the CIO. The CIO therefore secures vital board buy-in and the resources necessary to achieve the acceptable level of risk. Ultimately, the role of the CIO is becoming more about conveying to business colleagues the importance of IT and its security and about evolving strategies that drive the business.

McAfee’s Virtual Criminology Report 2006

McAfee's Virtual Criminology Report 2006 is the second annual study into organised crime and the internet. Commissioned by McAfee and developed alongside Robert Schifreen, author of the best selling book Defending the Hacker, it also includes contributions from leading cyber law enforcement agencies and cybercrime experts from across Europe and in the US.

The report highlights organised crime as the new generation of cyber-criminals, outlining how these gangs are recruiting people to commit hi-tech crime on a mass scale and the tools and techniques they are now using.

The report also looks into the future at the threat these activity poses to home PCs, as well as to government infrastructure and to computer systems in the financial and health sectors.

Key report findings include:

• Organised crime is grooming a new generation of hi-tech cyber-criminals using tactics which echo those employed by the KGB at the height of the cold war.

• Internet savvy teens as young as 14 are being attracted into cybercrime by the celebrity and ‘cult status' of hi-tech criminals and the promise of making money without the risks associated with traditional crime.

• Cyber-criminals are no longer lone computer geeks in their bedrooms and are increasingly operating in public places such as internet cafes and WiFi enabled coffee shops.

• Cyber-criminals are using mind games and social engineering techniques to trick users into divulging data and entire identities.

• Popular new technologies such social networking/community sites and mobile devices are attracting money-hungry malware authors.

• Increasing criminal collaboration is allowing for swifter and smarter development of attack techniques allowing cyber-criminals to avoid detection.


Martin Carmichael, chief security officer, MacAfee

Martin Carmichael is responsible for IT security, forensics, risk management, physical security, IT security engineering and compliance with regulatory controls. Carmichael also serves as the chief privacy officer for McAfee.

Carmichael has more than 20 years security experience delivering security solutions for global and domestic organisations. Prior to McAfee, he worked for US wireless handset insurance and wireless roadside assistance provider Asurion, where he also held the position of chief security officer. He has also held senior positions at Wells Fargo Bank, Nato and the US Department of Defense.

Carmichael is an expert in company threat and risk assessment methods, the design of secure environments, security problem solving and blending a business return on investment with corporate information protection needs.

Carmichael has received a number of security certifications, including CISSP (ISC2), CISM (ISACA), ISSMP (ISC2) and ISSAP. He holds a doctorate of computer science (D.CS) from Colorado Technical University, US, for his thesis focused on “Evaluating Enterprise Security Risk”.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code