About ten years ago, I listened to John Thompson, then the CEO of Symantec and now Chairman of the Board for Microsoft, deliver his keynote at the RSA Conference in San Francisco. While I don’t remember many details of his talk, one quote stood out. In making a comparison to cybersecurity, he said, “You don’t buy brakes to stop. You buy brakes to go fast.” After all, if you drove your car at a few miles an hour, the Fred Flintstone method would work just fine for stopping. Thompson’s message for cybersecurity was that it should be considered an enabler for business. By introducing cybersecurity measures, the organization could feel more comfortable taking on new initiatives that would grow revenue and reduce costs, such as electronic banking, cloud computing, and just-in-time supply chains.
However, one can imagine a potential downside in what economists call moral hazard. If people believe they are invincible, they tend to take more risks. While taking risks is not necessarily a bad idea, it doesn’t take an economist to know that people tend to get carried away. For example, many in the financial services industry believed that mortgages vetted by government-sponsored enterprises were fundamentally secure, making it perfectly understandable to create a derivative market based on those securitized mortgages. It was like printing money. Only it wasn’t. And we all know the result. But what was significant about the financial crisis that resulted was not that it was caused by a boom and bust cycle. We’ve seen many of those, and we’ll continue to in the future. The real tragedy that made things worse than the normal irrational exuberance we’ve seen in the past was that much of the harm was caused by the assurances given by people in authority who were trusted to operate in a much more sober mindset, to not be sucked into the wild speculation that typically engulfs traders, hedge funds, and others looking for a quick buck. These regulators, risk officers, and auditors were looked upon to be those brakes when the market starts moving too fast, to be the adults in the room.
It turns out that not only did those authorities fail to serve as a moderating influence, but their very existence may have caused market participants to take on greater risk under the assumption that they would be held back from taking on too much risk. According to a recent Harvard Business Review article, banks responded to increased regulations in the early 2000s by hiring Chief Risk Officers (CROs). They were meant to assure regulators that the banks were serious about compliance and financial risk management.
While it appears that hiring CROs was viewed positively by regulators, those involved in the new derivatives market also had a positive view, for other reasons. “After examining the derivatives activity of the 157 largest U.S. banks from 1995 to 2010, we found that banks with a CRO were substantially more likely to get in over their heads with the riskiest kinds of financial derivatives — over-the-counter options, swaps, or credit derivatives. Banks with a CRO were much more reliant on these newer, riskier derivatives — but not on older, more vanilla derivatives, like futures and forwards, which have traded in American financial markets for centuries.” Apparently the trading desk felt they were able to take more risks by virtue of having someone in place purportedly to check abuses. “In creating a new, high-level position to oversee risk management (signaling that the bank was “risk aware”), executives may have encouraged the managers of other bank departments to become less cautious in policing their own risky behavior.”
The article goes on to note that many CROs had perverse incentives that encouraged them to maximize shareholder value for the firm rather than minimize risks, which further exacerbated the consequences of the financial crisis. However, even if we believe that CROs diligently sought to minimize risks in these new markets, they clearly couldn’t watch everything that went on even if their role gave the appearance that they were. That’s where we may find ourselves with cybersecurity. Companies have appointed more CISOs and elevated them to greater levels of influence within their organizations. Some just have oversight with operational roles spread across the IT organization while others have large teams responsible for operations, engineering, audit, policy, training, and everything in between. Has their presence reduced overall risk? I think it’s safe to say that in many cases it has.
However, comparing the CISO role with that of a CRO at a bank is a bit tricky. Bank CROs are focused squarely on many of the key revenue-generating parts of a firm with a clear tradeoff between risk and reward. In cybersecurity, there is often a tradeoff between higher risks and higher costs, but it’s not at the same scale we see at a bank. Senior executives of a company are not likely to see their bonuses impacted much by more spending in cybersecurity. But the CIO might. And we really don’t have that many anecdotes about CISOs slowing down or stopping major corporate initiatives due to cybersecurity concerns. In fact, surveys about cloud computing consistently showed that cybersecurity was the top concern raised by IT executives, but there is little evidence that those cybersecurity concerns had a significant impact on the rate companies moved to the cloud, particularly for Software as a Service applications. And this still involved a largely IT matter for most companies.
The simple reality is that despite all the talk of elevating the CISO or similar role to a broader corporate risk function outside of IT, most CISOs spend their time dealing with very parochial concerns in the IT department like patching, malware protection, or perimeter security. Very rarely does a CISO get to tell a business line manager why some new marketing campaign or product rollout constitutes an unacceptable risk for the company. And it’s not as if someone in the CISO’s role could never comprehend how a cybersecurity risk could be implicated in a business line initiative. Most companies are heavy users of sensitive information to drive all kinds of activities within a company, whether that information constitutes intellectual property, personally identifiable information, or market insights.
The decisions of great import to a CISO are not just what firewall to use or what access control lists to impose. They are also decisions of what information to collect or generate in the first place. Any lawyer will tell you that the best way to prevent information being used against you in court is to not create or collect that information in the first place. The same is true when it comes to information being compromised by hackers or leakers. That’s a lesson Equifax may now be learning. But it’s not clear that a CISO or even privacy officers weigh in unless there is a conflict with some law or regulation.
For many CISOs, their time spent in those positions is short not because they are knowingly consenting to an unacceptable risk posture. Nor is their mere existence causing business lines to behave in a riskier fashion. Instead, CISOs don’t even have a seat at the table when major business initiatives and their pros and cons are being discussed. That may be understandable for many industries that see cybersecurity, and IT more generally, as simply one of the many operational risks that an organization faces. It is true in fact that cybersecurity risk is usually small when compared with the many other risks that an organization faces. However, there will come a day, if it hasn’t already, when that’s not the case. When that day comes, will there be a CISO, or some other CRO who represents the CISO’s concerns, present among the company’s senior leadership to challenge the initiative or at least raise possible risks to consider? As things stand today, the answer is usually no.