Many security people are the epitome of the "it is better to be feared than loved" school, since they know they won't be loved and the fear of fines and public embarrassment is a good stick to get necessary changes through.
But IT security governance is increasingly looking like the last days of a dying empire. IT execs talked of the horror of large scale personal data that was protected by nothing more than the PIN on an iPad and several felt they lacked the power to force adoption of a policy that was even vaguely rational. Part of the blame was laid upon consumer technology "being so easy", and the expectation amongst users that they should be able to share without barriers, meaning that although IT "literacy" has increased, the stupidity of their actions has also increased.
But ultimately security isn’t about making more money, it’s about losing less, which makes bringing departments together the biggest governance headache. The “federal” nature of modern firms means we can’t just issue a central IT policy and hope it reaches users, much less gets obeyed or makes sense in their context. This leads to some policies being a mess of pious IT warnings against “clicking on pictures of dancing cats” and references to other policies in separate departments.
Governance by fanbois
Now that spending on consumer equipment massively outweighs corporate IT spend, that is where innovation is happening and users have moved from simply not caring who made their desktop to being passionate advocates of iPhones, Android etc.
The fact that I’m a (the?) Windows Phone user was a continuing source of merriment around the table, because in some firms it is felt that important users will quit if they have their BlackBerry taken away. No one thought that data breaches were preventable in this environment, while “governance” was about protecting their backs and having some sort of contingency plan for when it happened.
However, as one exec said, “you don’t understand data breaches until you’ve had one”. Written policies were derided by several execs as “just futile”. But you have to have them.
There was a clear separation as to what different kinds of firm fear. Those whose main transactions were business-to-business regarded fines as simply an irritating cost of doing business, but what they feared was damage to their reputation with their key partners. One-off data breaches seem to have little effect on consumer-facing businesses, which makes a lot of sense. Sony, Adobe and eBay have all had problems that they’ve not managed with outstanding competence, and yet they are still in business. It is almost the case now that a data breach at Sainsbury’s would attract as much interest amongst its users as a checkout assistant giving “mates' rates” to friends buying beer.
A balancing factor is that security managers have long espoused the aforementioned “it is better to be feared than loved” approach, managing to get the occasional low level droid fired for putting important data on a lost USB stick.
Divide and conquer
Part of IT governance is stopping information held by one part of the firm from being seen by other parts, for reasons of compliance, security and internal politics, and for a long time there has been a working relationship between compliance and IT. The problem is that IT has come to be seen as an obstacle because IT is "governed", while users with tablets and Salesforce.com and Dropbox accounts can do whatever they feel is right. Since they are often "the business" (ie, the sales team), it is very hard to stop them, and even trying risks a political fight that you might not win.
Whose risk is this anyway?
All IT systems have risks and we all had good fun sharing anecdotes about naïve users, rogue employees and things that we’ve done to make things less bad. But the new world has made IT liable for risks that it does not control and it’s very hard to balance risk against upside when you don’t even know what the users are up to. Ideally this is not an IT decision at all. Several IT execs would be quite happy for this to be a straight cash decision that they merely advised on but where the right level of management, who could enforce both a technical and business decision, made the call.
If your sales are managed by Salesforce.com, what happens if one day you wake up and they are gone? How do you mitigate your risk, and how long could you survive with a crippled sales team? Sure, that's not a high probability event, and it is the sort of risk management that we know and love. We balance the low implementation risk and the low risk that costs will spiral out of control against the small but horrible risk that you wake up one morning and your sales people don't know what they've sold, who they sold it to or even who their customers are.
Recall that the latest abject failure of Microsoft 365 involved large scale user outages and their support being wholly overwhelmed (or having simply run away). Ironically, most IT execs seemed to trust the cloud vendors to deliver security and resilience more than their own people because the good cloud vendors focus intensely on getting it right and corporate IT is spread more thinly.
And we learned...
The difference between an IT exec and a developer or Sysop is that the problems he faces aren't so easily looked up in the manual or StackOverflow and at the round table we did manage to draw some important conclusions.
The first is that an IT exec has to manage risk at more than one level. It is not enough to produce some long scary list of every threat faced by the firm and start working through it. He must identify both the appetite for risk at the firm and which sort of risks have the deepest consequences in terms of reputation and regulation as well as financial loss.
The next is that we must do it at the same time as our control is being eroded by users with their toxic mix of nearly secure consumer tech, enough knowledge to be dangerous and their greater political clout and independence. Partly this can be achieved by making virtue easier.
We have to do this whilst shedding the image of being merely business prevention officers, else our warnings will be mistaken for both empire building and pettiness. Regulators are beyond good and evil. We can use their threats of fines and criminal prosecution to get things done, but if they bite it is our backsides they will go for first.
That final point is contradictory and balancing this is how you earn the big bucks and keep earning them.
Trust me, I'm a journalist
A bittersweet part of the round table was that the IT execs laughed more at each other's anecdotes than mine, but that meant we all learned a lot, even if we can't publish some of it.
There are a horde of people whose job is to tell Reg hacks what is going on, and every few minutes some PR sends an announcement of a stunning new CAT5 network cable, the 379 per cent turnover increase enjoyed by a client who bought some software and the triumphant completion of a government IT project where no one died this time.
To deliver to you, dear reader, the truth, or at least articles that aren't provably false, we need the input of IT execs and therefore promise to obey the Chatham House rule at our round tables, where we use what we hear but go to lengths to ensure that no one knows who said it. So everything in this article is anonymised and sent to the round tablers to ensure that they can be open without risk. The rule also applies to the rather good time we had in the excellent bar of the Soho hotel, where the IT execs mingled with Reg writers.
A good time was had by all, but not apparently by you, dear reader. This was our first round table for people that run IT and if you think you ought to be at the next one, let us know here.®
Dominic Connor is chairman of the Register Round Tables having done very nearly every type of job in IT from coding to bossing around teams, often competently.