
For Chief Information Officers (CIOs), often already caught in a delicate balancing act between the business and the IT department, flawed security can cost dearly. A major security incident reported across the world’s media can put a black mark against their name capable of overshadowing an entire career. So what should CIOs be doing to guard against the personal and professional risks they face in the internet age? In the ongoing chess game against malware and hackers, what strategies should they adopt to ensure they are not personally caught in checkmate?
New forms of computer threats are emerging at a faster pace than ever before and businesses have woken up to the significance of information and operational integrity. It has stirred attention at the highest level among worldwide regulators, industry bodies and heads of global corporations. There can be little doubt that security continues to be a major commercial, as well as a technical, concern. Security companies log thousands of new threats, including viruses and worms, every year. Trojan horses – those pieces of code that can spy on users, steal information and gain unauthorised access to systems – appear at an ever more alarming rate. In the UK, the Department for Trade and Industry reports that the number of computer threat incidents is rising and now affects the vast majority of businesses, at a cost of UK£12,000 (€17,000/US$22,000) on average per incident.
In the United States, the integrity of information is integral to data protection policies and national security. The responsibility for secure computing has wide-ranging effects upon the behaviour of senior executives and is also a significant focus for industry bodies. The consequences of flawed IT systems have been seen on several occasions in courts of law and been subject to the judgement of investors.
Take a case brought by Coleman (Parent) Holdings against banking giant Morgan Stanley in 2005, for example. During the trial it emerged that Morgan Stanley was shown to have overwritten e-mails and been careless in its data storage. Unable to respond to the court’s requests for a clear view of its IT system and processes, Morgan Stanley was forced to pay out many millions of dollars in restitution.
Impacting corporate reputation
Mismanagement of IT security can have serious implications for an organisation’s reputation. Various studies have mapped the financial value of brands, and while they differ in absolute terms, these studies have all shown the relative risk of stolen customer information, or of becoming unknowingly embroiled in illegal online activity, to be significant. The ‘punishment’ meted out by customers and clients on companies that are perceived as being less secure adds to this risk, as it is disproportionate. Systems may only go down for a few hours, but if customers start to ask whether their details have been lost, or partners fear that commercial secrets could have been leaked, then relationships and contracts can collapse.
Earlier this year, it was reported that US-based CardSystems, a payment processing organisation, had failed to secure customer and financial information. The result was millions of dollars in fraudulent purchases and banks being forced to cancel and re-issue thousands of credit cards. On top of this, consumers experienced inconvenience and financial uncertainty, as reported by the Federal Trade Commission (FTC). The damage to CardSystems’ reputation was such that it was soon forced out of business, as major customers, including Visa, refused to deal with it any more.
Personal risk
All of this evidence points to the fact that the reputational risk to the business is substantial. But what about the personal risk to CIOs themselves, the people seen to be accountable for IT integrity? It is undoubtedly true that there are CIOs who have been ‘moved on’ after major incidents, and being associated with a significant security breach can have a severe impact on future career prospects.
In the Nordic region, the bonuses of some CIOs are directly linked to the integrity of the computer environment they manage; for example, as the corporate network becomes increasingly vulnerable to new threats, their pay packet may go down. If the status of CIO is a result of the rise of the IT director up the corporate ladder, then it is also the case that with this greater corporate responsibility comes greater career risks.
The CIO’s challenge
Taking another perspective, in some ways the publicity that IT security generates can be to the CIO’s advantage. News of high-profile computer threats can go some way towards raising awareness of IT security at board level and may even drive larger, or incremental, IT security budgets. It often appears to be a general rule that, whilst falling foul of a computer threat can be excusable, failing to properly secure against the vulnerability so that it doesn’t happen a second time is not.
Demonstrable responsibility is therefore key to minimising the damage to a CIO’s reputation, and can be the difference between keeping a job and losing it. One anonymous CIO can testify to this: when their corporate network failed for days, it took weeks of investigation to prove that the problems could not have been foreseen and that the security measures in place had been proportionate to the potential threats. The CIO’s reputation therefore remained intact.
On the other hand, there are examples of senior IT managers who have asked management or the board for an IT investment, then have been told that they were asking too much, and have still lost their jobs when the company was hit.
Their fault was two-layered: first, failing to demonstrate why the business needed the investment in the first place, and second, failing to show that they had done everything they reasonably could after the crisis. Again, when defending actions and protecting your reputation, it is evidence that counts.
Business language
The fundamental lesson to be learned is that IT security is as critical an issue today as it was when the internet was born, perhaps even more so. And the reality that most CIOs face is that when they speak of SQL Slammers or spyware to some managers and executives, they may as well be speaking the lost language of the Incas. Business executives will not only fail to understand but, quite rightly, they will ask what difference IT security makes to the bottom line. After all, this is the standard against which all other reports delivered to the board are measured. So, the evidence which shows that security excellence is being pursued must be presented in the language of business risk. The CIO must gain a reputation for being an effective translator of IT dangers and precautions.
What this means is demonstrating to the board how the risks to the business’s most critical systems and assets can be mitigated most cost-effectively. After all, no business has the resources to provide 100 percent protection to all areas of its organisation. So, the critical assets need to be identified, the risks to these assets understood, and then processes put in place to prioritise resources to protect these assets and to make the board aware that they are fully protected.
What’s more, regulatory compliance requirements must be obeyed. If not, members of the board may end up in jail. If the CIO can demonstrate to executives that their business is compliant, then he will go a long way in terms of maintaining his reputation and justifying IT expenditure.
Savvy CIO-ing
Attacks on IT systems are a fact. They are part and parcel of the risks that any modern organisation faces. However, like the risks that stem from operating in any market, they can be understood and acted upon. This is the message that savvy CIOs are conveying to their colleagues and board members. They build their reputation within the business, and protect it against unwelcome events, by exercising a portfolio of skills: understanding the nature and extent of the risks themselves, devising ways of communicating those risks to others, gathering demonstrable evidence that the risks are being addressed, and managing the contingencies that are necessary as and when breaches occur.
The post of the modern CIO, an individual often on the board, is a measure of the importance and the success of IT in business. And with that success comes responsibilities. However, if the buck stops with the CIO – and it does – then there is no need to panic. Flawed security does cost, and may cost dearly. But although attacks will continue, with proven security protection in place there is less and less reason why those attacks should leave the reputation of the CIO vulnerable at all.