Gartner Blog Network

Harvard Business Review Posts Terrible Advice for CEOs on Information Security

by Paul Proctor  |  June 19, 2013  |  9 Comments


Earlier this year I wrote about 2013 is the Year for Hard Change in the Risk and Security Profession.

Then I recently read this blog post from HBR with shock. Does Your CEO Really Get Data Security? This HBR guidance has so many things wrong with it, I don’t even know where to begin, but let me try.

  • If you follow this advice as an information security professional you will at best be completely unproductive and at worst get fired, immediately, and with prejudice.
  • It is based entirely on fear, uncertainty, and doubt (FUD) which hasn’t worked for 10 years. Although it is still very common and it can serve a limited purpose, ask any professional and they will tell you FUD is not productive.
  • And even the FUD is comical. “This is wartime,” “Hire NSA-style, Military-grade cryptanalysts,” and “The CSO is arguably a more valuable asset than the CFO.” Yeah, that’s going to resonate.

Gartner’s core guidance after tens of thousands of interactions with risk and security leaders across every industry and size of organization can be summed up as:

Risk and security officers must act as the facilitators of a balance between the needs to protect the organization and run the business.

This is not rocket science, see How to Get Funding for Your Security Program. Let me walk you through some of the HBR guidance and tell you why you should never, never do this.

  • He suggests that if your CEO pushes back over the criticality of the risk you should “Just laugh”. Now in all fairness, he sets this up as some dystopian fantasy where the security officer gets to run the company for 10 min. I get it, but what I don’t get is that, as professionals, we are working hard to help organizations understand how to effectively communicate to non-IT executives. This writer on the other hand thinks you should treat them like idiots. In his fantasy, you get to fire the CEO because he doesn’t appreciate the dire nature of the infosec situation.
  • “The CSO is arguably a more valuable asset than the CFO because breaches cost a lot of money; the ROI on security, as risk analyst Don Ulsch states, is "the value of your company." He goes on to reference the Sony breaches. Well, Sony is a pretty good example of a very expensive breach with material ramifications to their business, but I hardly think Sony’s business troubles would be resolved if the CEO dropped all the worthless attention on “consumer products strategy” or whatever, and focused on the real problem, information security.
  • “Remind the board that in a war, the company needs a warrior mentality. The CSO must make use of covert strategies and hire NSA-style military-grade cryptanalysts.” Seriously? This reminds me of the 2008 Hannaford grocery store chain when the CEO promised "military-grade security" at his grocery stores! I hope that investment bought customer loyalty because it sure as heck was overkill and overspend from a risk management perspective.
  • “Finally, the CSO must be given authority over people, processes, and technologies.” Folks, we tried this for the last decade and we know IT DOES NOT WORK! Technical IT people telling executives that can’t have iPads and marketing departments they can’t connect to social media is lunacy, not effective security.

This is really shockingly bad, bad advice for CEOs. I have written previously about security officer failures. This amounts to scaring the hell out of your executives and forcing them to invest heavily (and poorly) in information security.

Gartner clients can watch the global keynote from the Gartner Security and Risk Management Summit on June 10, in Washington DC on I’m seeking to get this posted on YouTube for those of you that are not Gartner clients because it is the most effective rebuttal I can suggest for this drivel.

The author suggests all kinds of career limiting moves that accomplish nothing but perpetuate outdated stereotypes that minimize the value a competent IT risk and security officer can bring to a company.

I’m not just pushing back against this HBR blog post, I’m pushing back against the existence of this type of thinking in the marketplace of ideas. It is NOT helping.

What do you think?

Follow me on Twitter (@peproctor)


Paul Proctor
VP Distinguished Analyst
10 years at Gartner
28 years IT Industry

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management. He helps organizations build mature risk and security programs that are aligned with business need. Read Full Bio

Thoughts on Harvard Business Review Posts Terrible Advice for CEOs on Information Security

  1. Bernardo Rodrigues says:

    In all fairness I have to say that I just recently started studying info security and that for that matter I’m still a bit green on the subject but honestly, when I read this I just had to laugh… As far as my memory goes I recall my teacher giving great relevance to the “least privilege rule” in systems, which at the time seemed to be sort of a pillar to the whole infosec paradigm in systems… Well, if you give a human control over everything and everyone, you’re just being naive, that’s just common sense; he most likely will fail or do something stupid, as humans do and compromise the whole idea of security.
    It’s very shameful to me, a future worker on the field of infosec to see security professionals saying things like this…
    But well, that’s just my two cents.
    Great post by the way.

  2. gunnar says:

    “Hire NSA-style, Military-grade cryptanalysts”

    Why stop there? Shouldn’t the CSO also demand a squadron of fighter jets, and a sub or two, because hey you never know how the attacks may come at you.

  3. Paul Proctor says:

    @gunnar, You sir are a thought leader!

  4. Paul Proctor says:

    Bernardo, you are in the 30%! Welcome to the profession. We need more of you.

  5. gunnar says:

    @paul – enjoyed your post, your first bullet point says it all

  6. Don Ulsch says:

    1. Re: FUD. I disagree with you observation. Every time we conduct a breach investigation the target company has had insufficient FUD.
    2. This relates to my comment about Sony and the CSO v. CFO. You took my comments out of context. We see a lot of breached companies. In most cases the CSO, CRO has attempted to enhance security but without success. The reasons are often similar: insufficient funding, lack of FUD among the board, CFO, CEO. When we discuss the risk impact of a breach with the board or executive management, my experience shows that they were not aware of the level of threat. This is certainly the case with Liberty Reserve and its impact on companies without sufficient knowledge of the threat. A little more FUD would have prevented impact to some of the companies that we have seen. Neither the CFO or CSO were aware of the threat.
    3. The idea is to get the CSO and the CFO working together, both understanding the threat, the risk, the impact of the risk, and funding the ability to mitigate the threat. My point was that a CSO, armed with a proper budget and authority, may be able to reduce the impact of an attack. It helps to have the CFO on board, but threat mitigation is the domain of the CSO.
    4. Many companies have not sufficiently elevated the role of CSO, especially in the middle market. Many such companies do not even have a CSO.
    5. We recommend the formation of executive risk councils inside companies in order to raise the level of awareness about threats and vulnerabilities.
    6. There is a cyber war going on. Ask China about its Project 863 program. The US is target number one. This should elevate the FUD discussion to any company possessing intellectual property and trade secrets.

    Anyway, I appreciate reading your blog and enjoy it.


  7. Paul Proctor says:

    Don, thanks for responding. I like a good conversation about critical topics.

    Just to be clear, I was quoting Dr. Plant who was quoting you, so sorry if that didn’t provide all of your context. That’s why I love hyperlinks so people can connect and develop their own opinions with full context.

    However, I still think the post was one of the worst examples of the wrong type of FUD and would love to have a full thoated debate with Dr. Plant because I also have had a lot of experience with F500 boards and he is barking up the wrong tree. Yes, that was a little plant humor. Unfortunately, he has not seen fit to respond in either his blog or mine, but HBR continues to repost this tripe.

    You and I are in agreement about one thing though. FUD has it’s place and executives are not sufficiently connected with it. However, there is a material difference between “oh god, oh god, we’re all going to die” FUD and a defensible connection between IT risk and corporate performance FUD. The first is what I call the thrill ride, the second supports better business decision making around a balanced approach to addressing infosec threats. One plays well in the board room, the other is better fit for an action movie trailer starring Bruce Willis.

    We are also in agreement that the CSO and the CFO need to work together. But I believe the CSO needs to up their game to be relevant to the CFO, as opposed to the CFO needing to understand that “oh god, oh god, we;re all going to die.”

    The biggest limitation to the FUD that is advocated by Dr. Plant’s post is that the approach does not establish any useful foundation to address the issues after the point is made that, in fact, we are all going to die.

    The bottom line is that understanding the threat is only the first step in the 12 step program. Security professionals have been ringing that bell exclusively for 20 years and it hasn’t worked yet. In fact, it has turned off many of our co-workers in other roles. Advocating that we just yell louder because they still don’t get it, is not a productive path.

  8. Robert Plant says:

    Paul, I read your review of the article with interest and you make some very valid points, that was the idea, to be controversial and write an article based on a scenario that would just get people fired up and thinking, leading to a more general discussion among the general readership. I admit it was a more extreme piece, but if I had just suggested that the in house tech team with consultants were capable of defending the typical organization that would not be very interesting or helpful either, I’m sure the recent events have made ex-NSA technologist salaries rocket. Clearly, the situation in this post is never going to happen and yes, you would never replace the CFO or CEO based on this criteria. (Also, it was impossible to fully contextualize Don’s quote as we only have around 600-800 words.) However, just like cloud, data centers, the net and other areas CEO’s as I’m sure you know often have limited aperture and so is the case with security, at least until the last few weeks. I’m very well aware of the problems in establishing credibility of the tech group in the c-suite and this is and continues to be a huge issue, it was not my intent to denigrate the office of the CSO rather the opposite, however perhaps this got lost along the way. Again, thanks for the comments and I look forward to following your blog.

  9. Paul Proctor says:


    You sound so reasonable! I’m disappointed. :) Of course I’m not. I’m also not surprised. I expected you were going for the shock factor which ultimately I appreciated because it gave me the opportunity to give an equally animated response.

    The one downside is the number of people who really think this is the way to go. I see a lot of board presentations and they are filled with FUD because that is all the security officer knows. It is sad and unproductive. Unfortunately there will be people quoting from your post and backing up their position that “oh god, oh god, we’re all gonna die!” On that score, I wish you had a disclaimer or something on the post.

    In any case, thanks for responding. I look forward to seeing more of your work as well. Hopefully next time we will be on the same side of the debate.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.