Information Security: Who’s Responsible

Ownership, all the business books agree, is a beautiful thing. Our president is a proponent of what he calls the “ownership society.” Many of our nation’s founding fathers believed that votes should be weighted according to how much land a man owned. A leader will encourage a sense of ownership among the troops. A skilled CIO will make sure the business feels ownership of IT projects.

But if ownership is such a critical factor in the success of any endeavor, be it a project, a business or a whole society, it’s only fair to ask, as Harvard professor and author Jonathan Zittrain did at last summer’s CIO 100 symposium, who owns security? Specifically, who owns security on the Internet?

Do CIOs own it? Well, they’re pretty busy. Do CSOs own it? Perhaps, but only within the narrow confines of the enterprise, inside the firewall, and among a defined set of partners and customers with which their companies do business. Do the ISPs own it? Ask them and they’ll say it ain’t their job. Does Aunt Mary searching on eBay for that missing piece of Granny’s silver service own it? Well, with all the emphasis on what consumers can do to protect themselves from identify theft, phishing and worms and viruses, you might think so. But you know Aunt Mary. She always uses the same password (her daughter’s nickname), and she clicks on every piece of e-mail she receives and opens every attachment. So putting our Internet security eggs in Auntie’s homespun basket doesn’t seem like such a hot idea.

The question of who owns Internet security is a critical one, but up to now it’s been distinguished only by the widespread refusal of anyone to answer it. But in “The Sky Really Is Falling” (Page 80), Senior Writer Ben Worthen interviews the cochairman of the President’s Information Technology Advisory Committee, Ed Lazowska, who says that cybersecurity—or the lack thereof—represents a failure by the federal government. If so, doesn’t that mean that the federal government owns Internet security? I mean, you can’t fail at something unless it’s yours.

Lazowska may be an adviser to President Bush, but he’s not happy with the administration’s performance. “This administration does not value science…as much as it should—as much as the future health of this nation requires,” he says.

And CIOs don’t get off easily either. “CIOs are partially responsible for the insecure state of today’s operating systems,” Lazowska says, “because they failed to see the handwriting on the wall and prioritize security.”

Is Lazowska’s a voice in the wilderness? Maybe not. As intellectual property—music, movies, pod casts and the rest—continues to migrate to the Internet souk, as VoIP matures and emerges, and as every other besuited executive uses his BlackBerry or Treo to chitchat with or text-message the home office, security increasingly becomes a big money issue for powerful commercial interests. And when big money talks, the government tends to listen. After all, who are the powers-that-be going to trust with their money’s safety?

Aunt Mary?

I don’t think so.