In 2003, the Slammer worm shut down ATMs, call centers, even 911 emergency dispatch centers. People died. “We would finally get the CEO’s and CFO’s attention,” we thought again, and we were wrong again.
In the next 10 years we witnessed a succession of worms, Trojans and viruses shut down and compromise Department of Defense networks, banks and nuclear facilities. We are constantly told that our critical infrastructure is at risk: terrorists can take control of our railroads, power systems and other critical infrastructure. The time has finally come for management (and the world) to listen to us!
We had seminars and Gartner symposiums with CIOs around the world. We have written whitepapers. Cisco, Symantec, IBM and 3Com spent billions building or buying technology to stop the attacks and secure networks.
And… It didn’t work. Nothing we did could stop the attacks. We made laws, fined people, and increased penalties for hackers. We held companies liable for leaking personal private data and made them pay millions in fines.
Then we, and I speak here as a CISO with 20 years of experience, blamed the management.
Surely, it was the CEO’s fault for not understanding cross-site scripting, SQL injection, APTs and other risks associated with the Internet.
Maybe it was the CFO who didn’t understand that it’s impossible to calculate the ROI of securing the network. So we tried to come up with a strange formula called Return on Security Investment (ROSI), but the CFO saw through this and called our bluff.
We had CISO and CSO forums, councils, worldwide meetings, whitepapers, and endless PowerPoint presentations - all to come up with programs to educate the CEO and CFO. We came up with simple marketing slogans like “self-healing network”, “Security Transcends Technology” and “Security is a process not a product”. Whole companies were created to teach the CEO and CFO.
But ultimately, the CEOs and the CFOs weren't the problem; we were. CISOs, CSOs, and VPs of Network Security didn't understand business. We refused to see that ROI was, and has to be, the driving factor for the CEO and CFO.