C-level execs need to rethink IT security

Researchers advise that C-level executives need to rethink IT security and make it a key component of overall company strategy. Until then, more data breaches are inevitable.
Target’s data breach has sent the message “we need to talk” to C-level executives and IT managers throughout the business world. To get things moving, Syed Ali, Vishy Padmanabhan, and Jim Dixon of the management consultancy Bain and Company co-authored the report Why cyber security is a strategic issue. In the report, the authors start the ball rolling:

“With stakes so high, CEOs and boards must begin to think about security in a new way. IT security—a task that could once be delegated to the IT staff—has become a top-level strategic issue because the consequences of failure can ruin a business. Any organization may be only a few hacks away from disaster.”

The paper’s authors, before discussing the new way of thinking, look at the current security landscape.

Companies are more vulnerable

According to the report, the amount of money spent on shoring up a company’s defenses does not reduce the likelihood of a data breach. The report also highlights another trend: “An increasing number of organizations are being targeted directly with financial gain as the primary motivation resulting in the loss of sensitive data that can easily be monetized.”


The next finding reflects what recently happened to Target: “Organizations are having a harder time detecting and resolving security breaches, and the average financial impact of each breach on an organization is increasing.”


To be fair, the Bain report was released before the latest news reports proclaiming that Target personnel were warned about certain security anomalies early on and, for whatever reason, chose to ignore them. In any case, the bad guys are not sitting still. They continue to perfect their craft.

New cyber security challenges

The bad guys go where they get the best return for their effort. So in the quest to run companies more efficiently and save money, companies could be making things easier for the bad guys.

For example:

More digital assets: Due to increased capabilities, companies are now harvesting more data from customers including personal, financial, and transaction information. Then consider all the internal data every company needs to function. The report mentions the authors’ concern that company officials do not understand the value bad guys place on both types of data.  

Shift to hybrid cloud architecture: The move to cloud services, whether private or third party, moves digital assets out of the company’s data center to remote locations. Because cloud services are relatively new and untested, the security ramifications of using them are not fully understood.

Pervasive use of mobile devices: Whether mobile devices are company-owned or BYOD, they introduce new security challenges that will require a new methodology to manage the devices and how they access and store company data.

Compliance should be the starting point: This point is of special interest. The Bain researchers depart from what most organizations consider adequate security—that of complying with all required agency regulations:

“Compliance should define the lower bound for security capabilities while the upper bound should aspire to meet the organization’s strategic priorities, including IP protection, continuous operations, and a secure corporate reputation.”

C-level execs need to rethink IT security

The coauthors do not pull any punches, bluntly saying that CEOs and boards must look at security in a new way:

“IT security—a task that could once be delegated to the IT staff—has become a top-level strategic issue because the consequences of failure can ruin a business. Any organization may be only a few hacks away from disaster.”

The Bain report coauthors stress the importance of making IT security a strategic concern because a large percentage of the organizations that recently suffered data breaches had formidable security measures in place. Yet those measures were not enough to keep the bad guys out of the company network.

The report then offers a reason why this is the case: “Too many organizations fail to align their IT-security capabilities with the company’s larger goals and appetite for risk.”

Recommendations from Bain

The Bain Report came up with several recommendations to help ensure C-level executives and IT departments are on the same page. If one looks closely at the recommendations, a common thread appears—business and IT leaders need to communicate with each other in an understandable manner:

  • Understand the organization’s key assets and appetite for risk: Business leaders and IT departments must understand and agree on “value versus risk” assigned to key assets, in particular customer data.
  • Identify the security risks and gaps: C-level executives and IT departments must be on the same page when discussing the company’s current security capabilities versus perceived security risks.
  • Define the cybersecurity strategy: The IT department does what it is good at: developing a plan to meet the strategic needs agreed upon by both business and IT management.
  • Emphasize gaps, priorities, and strategy to the CEO and board: This recommendation places the onus on IT departments to explain the risks, potential and existing, in a manner the company’s top executives understand.
  • Engage recognized security specialists: The complexity of the Target breach should help everyone understand that it is impossible for any one IT department to know everything, and using outside experts is the cost of doing business.


Information is my field...Writing is my passion...Coupling the two is my mission.


First, the point of the column is fair. The column itself and some of the Bain examples and language explain part of the problem. Terms such as "IT staff," "IT department," and "once could be delegated to the IT staff" are clear indicators that the issues, impact and ownership are not understood. The business has to own a great deal of cyber security. Strong cyber security is table stakes for business today. PCI compliance is not necessarily strong security.

Effective information security/cybersecurity is driven by the business requirements, regulatory requirements, management's risk assessment, training, funding and execution. The CIO/CISO and their team are key players in the effort. Strategy, policy and governance are set by senior management with assistance and advice from the CIO/CISO. The CIO/CISO can execute to various levels subject to budgets, technical execution and the risk assessments. The business owns quite a bit of cyber security execution, data protection and other security issues. For one, a great deal of IT is in the business outside of the control of the IT organization. The business authorizes users to applications and data. The business connects and communicates with partners and customers.

Overall pretty good thought provoking column.

Mike Carpenter CEO


This will happen when their bonuses and options are tied to it, or when one of them is finally put in jail because of a data breach. Too many C-level managers quite frankly don't "get" IT, and many of them are actually proud of their ignorance. "I got people for that." Yeah - people you ignore when it might impact your performance bonus.


For healthcare companies, all 100% of the potentially targeted information are viable targets. And the PHI might actually be the higher risk since they have SO MUCH of it stored.


Thanks for sharing this article. It provides good insights on what's needed for Information Security.

It's nothing new though. I said it back in 2006 in an Information Security Magazine article, "Thinking Ahead":

"In a nutshell, security is now about risk management," says Ron Woerner, information security manager for ConAgra Foods. "You cannot properly manage risk at the operational level. You must be at the strategic level in order to match the severity of threats and vulnerabilities with the business' risk appetite. This shifts the knowledge and experience requirements for information security from the technology to the business."

And in 2007 in the PricewaterhouseCoopers Global State of Information Security:

"Woerner and others believe that the security discipline has so far been skewed toward technology—firewalls, ID management, intrusion detection—instead of risk analysis and proactive intelligence gathering. [p. 5]"

Oh, if only people would listen...

Part of the current problem is that security and risk management people only have any corporate visibility once the proverbial brown stuff hits the fan. That’s their only chance to become heroes in the eyes of management: recognizing, locating and fixing the damage done after a breach or compromise.

Think of departments such as CERTs or CSIRTs – Emergency RESPONSE, Incident RESPONSE… With full focus on waiting for something to happen and responding to direct threats, re-active as opposed to pro-active. SIEMs let you know that something happened, all now-warning, not Fore-Warning.

When Security staff are recognized and rewarded on NOT having any incidents, a bit like the story on the Chinese health physicians, who get paid as long as their client (patient) remains healthy… then they could finally fully re-focus on what they should be doing - preventing instead of correcting.

What it requires to be pro-active is knowing what you otherwise would not know.

What I mean by that is the following: Imagine you’re asleep at night and an escaped murderer, a psychotic killer, is at your backdoor. Because you are sound asleep, you have no clue that your belongings and even the lives of you and your loved ones may be at stake, once the person at your backdoor decides to try to get in. Because you don’t know the threat, you have not taken extra precautions to lock and bolt the door, because nothing happens anyway, it’s a safe neighborhood. For you, there is no threat at all. You don’t know what you don’t know.

If you would receive a warning up-front that a person could be a possible threat, and he is around your neighborhood, you would know, and take pro-active action, such as making sure your house is secure and all doors and windows are locked and bolted down.

The same with Business and Technology Risks. If you are warned in time of a possible weak spot you can secure it, or decide to run the risk. But at least you know.

Now, business risks can be compared to a balloon. It’s your job as a Risk Manager to defend your balloon against any threats such as (hacker) pins. They can come from anywhere, and hit the balloon at any point, at any time. So, your defense must be based on protecting that balloon 360×360, 24×7, 365 days each year. You need to protect the full surface, while a hacker only needs one pin, hit one weak point ANYWHERE and the whole balloon collapses, taking the whole business to a grinding halt.

And here comes the second problem. Most Security and Risk people do NOT know the new threats. They know of some; as most technical people do, they devised their own system of sources, RSS feeds, email lists, chats with colleagues, etc. etc. and feel they are well informed. That they only know some, that they don’t know what they don’t know, means any other pending threats and risks simply don’t exist in their own minds. Happily asleep at night, until suddenly they are rudely awoken.

Waking up when it’s already way too late. When they should have known and have taken measures before. Instead, they suddenly become the center of the panic attention, working day and night to find out what happened, trying to retrace the paths taken by the cybercriminals, trying to re-assure the integrity of the data and systems (perhaps a backdoor is built in), while management scrambles to try to contain reputation damage, angry shareholders and upset customers. And the business is losing money hand over fist.

If you don’t know there may be a new threat, for instance one that requires patching, your balloon is at risk. If another business in the same industry as yours is hacked, you need to know this to be extra aware. If a new hacktivism action has started, aiming at businesses in your country, you need to know. If a new spear phishing method was used to attack a similar organization as yours, you need to know. Threats can come from anywhere, think of the DigiNotar Certificate provider debacle in the Netherlands, or the recent Target and Neiman Marcus breaches, etc.

Coming back to the in-house system the Security or Risk Officer built to be informed, their RSS feed, or whatever they did to re-invent the wheel (as EVERY Risk Office faces the same issue), the third problem comes up: either way too little Information, or Information overload.

All technical staff love browsing the internet. Business management has not got a single clue what those technical employees are doing; they say they are busy watching for new threats, so C-level thinks they must be doing a good job. Wrong. They are wasting company time and money, while they give the impression that they are effective in what they are doing. Security and Risk staff should know that they know, and be focused on pro-actively protecting their organization. No amateurish fluffing around pretending to be a white hacker. They need to fix ALL weak spots in their balloon, every day, all the time.

Say the Security Officer receives a couple of hundred RSS feeds, generating thousands of items, each one a possible risk or threat, but only a fraction relevant for your organization. The only way to know is to inspect each of them, and as a new threat can emerge anytime, anywhere, they need to keep track of them the whole time. Now, the Security Officer also deserves the weekends off for their family. But the threats keep coming. So, on Monday morning they arrive fresh at work, and some 6000 RSS items are waiting. With possibly one or two that need their immediate attention. Hidden somewhere amongst those 6000. But they do not know which one. So they need to check them one by one. In the meantime something else comes up, and they continue checking later in the day. Until they suddenly get hit by an item that indicates that the whole company is at immediate risk. Pity that they only knew at 3:30 PM, while they should have known Saturday evening, when it first showed up. Too little actionable intelligence, too late.

What they need is direct access to Relevant Actionable Intelligence. No White Noise, hard direct intel on Anything that may threaten the success of their organization. Something or someone that is watching out for them 24×7 and immediately informing them when there is a possible threat or risk, leaving the Security Officer and Risk Manager to be effective in protecting the organization from future threats.

Fore-Warned is Fore-Armed.

Michael Kassner


Do you think IT departments need to help by explaining the situation in terms the C-level execs understand?
