by Angela Genusa

Why CIOs Don’t Want to Discuss Security

Mar 01, 2001

When it comes to digital information security, CIOs seem to heed the advice of the World War II propaganda posters that read, “Loose Lips Sink Ships.” Although security is on every CIO’s mind these days, it’s certainly not on their lips.

We contacted more than two dozen CIOs to speak with them about security. While many declined our requests for an interview, several spoke with us only on the condition of anonymity. As the CIO of a financial services company explained, “Neither I nor any of my peers would want to go on record as saying we’re concerned about it and know we have flaws. Nor would we want to say we’re not concerned about security, that we have everything in place and we are bulletproof. Either way, it would immediately set us up as a target and a challenge for hackers or attacks.”

Security is the one critical IT issue corporate America isn’t talking about, for fear that anything that is said could be construed as an invitation to attack. Experts say this conspiracy of silence only aids those responsible for digital security breaches.

What’s the best course of action?

Acknowledge the problem, pay attention to security threats (both known and unknown), and if your company experiences a security breach, don’t treat it like a dirty little secret. Talking about it internally and sharing information externally with other IT executives and law enforcement authorities will help everyone better understand security threats and improve prevention efforts.

The fear of attack is real and valid. Every day there are new reports of security breaches. The list of companies that publicly suffered attacks last year is a literal A to Z of networked America: America Online, AT&T, BellSouth, Bloomberg, the CIA, De Beers, E-Trade Securities, the FBI, Lucent Technologies, Microsoft, Qualcomm, The Republican National Committee, Slashdot, Sony Corp. of America, the University of Washington Medical Center, Verizon, Western Union and Yahoo.

These are just some of the publicly acknowledged attacks, say computer security professionals. In a recent survey by the Computer Security Institute, 90 percent of information security managers have detected breaches at their organizations. Despite this alarm, upper management, fearing bad publicity, shareholder wrath and consumer mistrust, has erected a firewall of silence around the double-headed beast of security and privacy. “Nobody wants to admit they’ve had some level of intrusion or break-in, but I can’t imagine that there’s anybody out there who hasn’t had an unauthorized access or attempt,” says the executive vice president of IT at a financial services corporation. Only a handful of the companies that have had breached security or compromised data ever report it to law enforcement officials, say the FBI and security consultants.

That is one possible explanation of why only 26 percent of CIOs and IT executives said their company had ever been hacked, according to a survey at the CIO-100 conference last August. Sixty-two percent said their company had never been victimized by external computer crime, and 11 percent were unsure. Unsure is the key word. “These people are being hacked; they just don’t know it,” says the CIO of a research and engineering company.

Open and Shut Case

As corporate networks keep expanding, CIOs face a catch-22 situation. Opening their infrastructures to customers, suppliers, business partners and employees is a must. Yet doing so makes their companies more vulnerable to security breaches or attack. “On the one hand, we’re getting pulled to make it easier and easier [for everyone] to access key data from anywhere in the world,” says the CIO of a Fortune 1000 manufacturing company. “On the other hand, we’re worried about security. We’re building a paradox here. How do you do all that?”

CIOs’ jobs have been made even more difficult as most corporations trampled past security issues in the mad rush to mine e-commerce gold. In the CIO-100 survey, a mere 9 percent of the respondents reported security as the number-one technology-related issue on which their company was currently focused. More than half of businesses worldwide spend 5 percent or less of their IT budget securing their networks, according to a recent study by Datamonitor. More than 30 percent have yet to even implement adequate security.

Most of the CIOs we spoke to believe the security breaches they’ve experienced thus far (“fortunately,” they say with relief) are nuisances rather than dire threats to their companies. However, even mere security nuisances can do real damage to the bottom line.

Take the “I Love You” virus. This and similar viruses brought down systems worldwide and caused $6.7 billion in damages in the first five days, according to Computer Economics. Denial-of-service attacks that temporarily took down high-profile websites like eBay and Yahoo in February 2000 cost $1.2 billion, according to The Yankee Group. More than 74 percent of companies have experienced financial losses because of cybercrime, according to the Computer Security Institute report. The price tag on e-security breaches alone? More than $17 billion worth of damage worldwide in 2000.

Software giant Microsoft was reportedly hacked for months before it discovered the breach. The costs to a company’s credibility and losses in consumer confidence are difficult to calculate but can be enormous.

What’s worse, experts and government officials warn that these incidents are “canary in a coal mine” signs that portend a huge security disaster. At the Microsoft SafeNet 2000: Policy and Practice in the Internet Age summit in Redmond, Wash., experts tossed around talk of “the big one”: a digital Pearl Harbor, a World Trade Center e-mail bomb or an Exxon Valdez data spill. The CIO of a Fortune 500 manufacturing company believes these apocalyptic predictions may come to pass. “I hate to say it, but I think they’re right,” he says. “Somebody’s going to break in somewhere and do something dramatic, and then people will wake up.”

Security Through Obscurity

Many CIOs espouse a similar, it-always-happens-to-the-other-guy kind of thinking when it comes to security disasters. “We’re off the radar screen,” says the Fortune 500 manufacturing company CIO. “Who cares what we do, except maybe for a competitor or someone who has a grudge against us?”

In today’s networked economy, security experts warn, CIOs can no longer afford to think that way. “The concept of ‘security through obscurity,’ that ‘There are so many companies out there, why would I be a target?’ was once almost plausible,” says John S. Tritak, director of the U.S. government’s Critical Infrastructure Assurance Office in Washington, D.C. “If your company depends on a brand, any customer interaction, back-office business functions or networking dependencies, a minimal level of security is a must in today’s economy.”

Security experts urge CIOs to tear down the firewall of silence that surrounds security. Corporate America needs to go public about its security secrets, they say, and share information to learn from others’ mistakes and create consistent protocols.

“We need to publicize attacks,” writes Bruce Schneier in Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, 2000). “We need to publicly understand why systems fail. We need to share information about security breaches: causes, vulnerabilities, effects, methodologies. Secrecy only aids the attackers.”