When the National Cyber Security Summit (NCSS) Corporate Governance task force released its much-anticipated report a few days ago, it focused on five recommendations. The recommendations were very good, and every enterprise with an IT department should implement them immediately. These five recommendations would have all companies make information security an integral part of their corporate governance process.
The task force emphasized that its recommendations are necessary for both the integrity of corporations, and for the national homeland security efforts (NCSS works in partnership with the U.S. Department of Homeland Security). Significantly, the task force recommends making corporate CEOs responsible for security and making security something that auditors would consider in their annual reports.
The recommendations also say companies should have annual security audits, and that they should publicize their adherence to the task force guidelines on their Web sites. In addition, the recommendations ask a number of business organizations, including the Business Software Alliance and the U.S. Chamber of Commerce, to strongly urge their members to comply.
However, the task force recommendations also say that the guidelines should be voluntary -- sort of the way financial audit standards were in the years before Enron. Ultimately, this means that large segments of the business community will ignore them.
The question is, why should it be that way?
In these days of close scrutiny, CEOs are required to certify their companies’ financial conditions each year. Why shouldn’t they also be required to certify that their companies meet security standards? And shouldn’t auditors be required to note the information security condition of companies when they make their reports? After all, as the task force report says, IT is integral to the financial operations of nearly every company. How can such a significant area of corporate operations be ignored when considering the overall condition of a company?
This is not to suggest that the task force report is bad, because it’s not. For example, it urges corporate managers to stop assuming that information security is strictly a technical issue and to treat it like the governance issue it is. And it says that these same managers should let everyone know that they’re treating it this way. Both of these recommendations are badly needed in most corporations, and if they’re followed, we would see security operations treated and funded like the critical functions they are.
Unfortunately, there are too many shortsighted managers; too many CFOs who would trim security until it ceased to exist if they thought they could get away with it; and too many CEOs who let the IT and security staffs languish. There's no direct connection to profits, they figure, so why spend the money? And until something happens to change their minds, that's where it will stay.
Just as new laws finally mandated financial accountability, so they should mandate accountability for security. Unfortunately, the task force failed to take that final step.