Thursday, April 7, 2011

Executive Level Apathy For Security...Maybe Not So Much

I read an article in Information Week this morning titled "76% Of Energy Utilities Breached In Past Year", and while I found most of it rather sensationalistic and perhaps a bit boorish (I mean, c'mon, 76% of all businesses AND government agencies have probably been breached in the past least according to the boundaries defined in this article), one part stood out:

"71% of people surveyed said that "the management team in their organization does not understand or appreciate the value of IT security."...Executive-level apathy or misunderstanding over information security is surprising..."

I have been thinking about this notion of "Executive Level Apathy" for a while now, and I have come to the conclusion that executives are doing exactly what anyone would do if put in their positions and under the circumstances.  Hear me out for a moment before throwing daggers.

One of the primary (if not THE primary) responsibilities of a CEO of an investor owned utility is to make sure the investors get what they paid for.  This can include anyone that invests in mutual funds and ETFs that include utility stocks as part of their portfolios.  When those stock prices (and dividends) go up, everyone is happy.  When they drop, everyone gets grouchy.  Anyone who invests knows the scene quite well.

There are a lot of factors that cause stock values to fluctuate, but suffice it to say that the more money a company spends on things that do not generate a return on investment, the lower the bottom line becomes.  In some cases utilities have to deal with MASSIVE expenditures fixing problems that, while they are fully responsible for them, generate no ROI (e.g. explosions, environmental messes).  I am talking about very real issues that are vivid in nature, and absolutely have to make it to the top of the list of "things we gotta take care of like yesterday".

So lets circle back around to security.  In the article the author points out that the average cost of fixing one of these breaches at an energy utility was $156,000.  If we take a look at my local utility (PG&E) revenues for 2010, a quick search on the Internet reveals that they took in $13.8 billion dollars.  That comes out to 0.00113%.  So, let's assume that PG&E maybe gets hit a bit more than the "average" reported by writer of this article.  Lets assume they get hit 100 times more, for a grand total of $15,600,000.  That brings us to a "whopping" 0.113%.

Okay, I am not saying they should not be concerned with security, but when one considers the costs of doing business and managing budgets on a great scale, it is easy to see that a $156,000 (or even $15,600,000) problem can work it's way down the list of "things I gotta deal with right away as the CEO".

Don't misunderstand me, I dislike filthy rich CEOs like any other red-blooded American worrying about paying his mortgage in our tough economy (although I am perhaps more jealous than anything else), but my very inquisitive nature forces me to peel back the layers of the onion enough to at least try to get some perspective on this, and the truth is that a 0.00113% to 0.113% problem is not something to get worked up about.  We, as a society, have created a specific role for such top level executives which FORCES them to focus on what really matters, and today that is measured in the short term (1 budget quarter at a time).

It is, however, VITALLY important to pay attention to security (and CEOs know this) because there is a potential for a MASSIVE loss in revenues given the right circumstances, but how is anyone to know what the right amount of money is to spend on managing the issue?  If a company spends $1 million, $5 million, or $20 million to protect themselves against such breaches (and potentially larger ones), how do we determine if it is enough?  As stockholders we end up paying for it, and that does not usually make us happy.  As customers we also pay for it, because utilities are guaranteed recovery (from us) for such expenditures.

So how much are we all willing to pay for security?

We, as a society, generally get what we demand...eventually.  While it may sometimes seem like executive apathy abounds, the truth is that WE are just as apathetic (hopefully not me, but as a society in general) about security.  Consumers are simply not demanding security...and what would they demand anyway?  With SUBSTANTIALLY less than 1% loss to cybersecurity breaches today in the utility space, what kind of empirical information is likely to motivate a consumer?

Utilities can always do more, and executives can always be more concerned, but exactly how much more should they do, and how much more should they be concerned?  Frankly, until something really bad happens, I am not sure anyone will be able to answer that question.

Sorry if this seems like a downer to the security minded (and believe me, I am one of them), but I can't really demonize the guys in the high towers on this one.  I would like to see them speak publicly about cybersecurity issues, and that is something they could do as a form of outreach to the community, but in terms of being more pro-active, I certainly don't see how I would (or could) do anything different.

Just my opinion.  Take it for what it's worth.


Mark Schaeffer said...

Great points. Bottom line is the nature of the stock market is the primary driver of corporate behavior. Mutual Funds (and funds in general) create focus on short term results, and more importantly, lack of responsibility on the part of the owners of the company to hold the companies accountable for their behavior (i.e. because the owners are mostly not aware of the companies they own). Until this changes, nothing will change (and of course this won't change).

bryansowen said...

So far breaches really haven't had lasting impact in the stock market.
Reputation is different. C-suite execs 'on watch' during a breach could earn a stigma should corporate practices be exposed as sub-standard. Even worse if the executive is directly implicated through spear phishing or other social engineering.

IMHO the problem today is quite far from apathy. In light of all the ineffective spending on security, I'm not sure budget is the real issue either.

GraniteKey said...

Bryan, the issue is that (at least in AMI) we have no standard to point to, so it would take quite a bit of doing for someone to expose an AMI security choice as sub-standard.

As far as budget is concerned, what is an appropriate budget? How do we define that?

bryansowen said...

@Mike Fair enough, AMI poses new security challenges and what might have been considered good practice at the time could well be seen as deficient down the road. I still wouldn’t call this C suite apathy.

The apathy indictment cited in the survey is indeed bothersome. We don’t hear calls of apathy with respect to the RSA breach and that appeared to start with simple Phishing. I’m sure someone will claim RSA’s security budget must have been inadequate.

Mike Ahmadi said...

@Bryan, I am sure someone would try to fault RSA on their security budget, despite the fact that RSA SecurID has had a 26 year run with no significant compromise prior to the latest.