Earlier this year I wrote about "2013 is the Year for Hard Change in the Risk and Security Profession."
Then I recently read this blog post from HBR with shock: "Does Your CEO Really Get Data Security?" This HBR guidance has so many things wrong with it that I don't even know where to begin, but let me try.
- If you follow this advice as an information security professional you will at best be completely unproductive and at worst get fired, immediately, and with prejudice.
- It is based entirely on fear, uncertainty, and doubt (FUD), which hasn't worked for 10 years. Although it is still very common and can serve a limited purpose, ask any professional and they will tell you FUD is not productive.
- And even the FUD is comical: "This is wartime," "Hire NSA-style, military-grade cryptanalysts," and "The CSO is arguably a more valuable asset than the CFO." Yeah, that's going to resonate.
Gartner’s core guidance after tens of thousands of interactions with risk and security leaders across every industry and size of organization can be summed up as:
Risk and security officers must act as the facilitators of a balance between the needs to protect the organization and run the business.
This is not rocket science; see "How to Get Funding for Your Security Program." Let me walk you through some of the HBR guidance and tell you why you should never, never do this.
- He suggests that if your CEO pushes back over the criticality of the risk you should "Just laugh." Now, in all fairness, he sets this up as some dystopian fantasy where the security officer gets to run the company for 10 minutes. I get it, but what I don't get is that, as professionals, we are working hard to help organizations understand how to effectively communicate with non-IT executives. This writer, on the other hand, thinks you should treat them like idiots. In his fantasy, you get to fire the CEO because he doesn't appreciate the dire nature of the infosec situation.
- "The CSO is arguably a more valuable asset than the CFO because breaches cost a lot of money; the ROI on security, as risk analyst Don Ulsch states, is 'the value of your company.'" He goes on to reference the Sony breaches. Well, Sony is a pretty good example of a very expensive breach with material ramifications for their business, but I hardly think Sony's business troubles would be resolved if the CEO dropped all the worthless attention on "consumer products strategy" or whatever, and focused on the real problem, information security.
- "Remind the board that in a war, the company needs a warrior mentality. The CSO must make use of covert strategies and hire NSA-style military-grade cryptanalysts." Seriously? This reminds me of the 2008 Hannaford grocery store chain breach, when the CEO promised "military-grade security" at his grocery stores! I hope that investment bought customer loyalty, because it sure as heck was overkill and overspend from a risk management perspective.
- "Finally, the CSO must be given authority over people, processes, and technologies." Folks, we tried this for the last decade and we know IT DOES NOT WORK! Technical IT people telling executives that they can't have iPads and marketing departments that they can't connect to social media is lunacy, not effective security.
This is really shockingly bad, bad advice for CEOs. I have written previously about security officer failures. This amounts to scaring the hell out of your executives and forcing them to invest heavily (and poorly) in information security.
Gartner clients can watch the global keynote from the Gartner Security and Risk Management Summit on June 10 in Washington, DC, on www.gartnereventsondemand.com. I'm seeking to get this posted on YouTube for those of you who are not Gartner clients, because it is the most effective rebuttal I can suggest for this drivel.
The author suggests all kinds of career-limiting moves that accomplish nothing but perpetuate outdated stereotypes that minimize the value a competent IT risk and security officer can bring to a company.
I'm not just pushing back against this HBR blog post; I'm pushing back against the existence of this type of thinking in the marketplace of ideas. It is NOT helping.
What do you think?