Why security only gets on the agenda after thousands of chickens have been bought

December 19, 2016

In the boardroom, security often does not get the attention it deserves, even though we regularly read about cybercrime in the papers. Today I describe three reasons why C-level decision makers do not put security on the agenda.

As a specialist in the field of Identity and Access Management I often hear of specific vulnerabilities, such as the case of Red Rooster in Australia. At that company a purchaser resigned after a heated argument. The man was so upset that he decided to give his boss a substantial financial setback. To achieve this, that same evening he ordered thousands of chickens from various poultry farmers across the country through the online ordering system, in the company's name. An observant vendor noticed the bizarre order, and so the action was thwarted in time. But Red Rooster itself had noticed nothing. They were terrified by the incident and realised that they had given their buyers far too much power. Controls were missing, and so a project was launched to look at who actually had which authorisations. Only then was access management finally examined.

I see this so often: the leadership of the company becomes aware of the necessity of an I&AM project when it is actually too late. There always has to be an incident first, and only then is there a security project. And this despite the fact that top management is usually sympathetic to hedging ICT risks. Here are the three main reasons why I&AM so often fails to reach the boardroom.

  • Nobody owns the theme: In the UK, a few years ago, there was an incident in which the personal details of 25 million Britons ended up on the street. An inquiry was held, and in the end the Minister placed final responsibility on a poor junior employee. It cannot be that he was in fact responsible for all that information. Someone at a higher level made the mistake of giving a junior such powers. This example illustrates a trend within companies: there is often no single person responsible for IT security; instead the tasks are fragmented across different people and departments. It gets worse, because none of these people has the mandate to put this theme on the agenda at C-level.
  • Misperception of risks: C-level decision makers are often older, around fifty, and are therefore less familiar with ICT. This can result in a false sense of security. A shocking comment I heard recently came from a board member who said that a data breach had never been reported. The fact that possible data leaks are not reported is indicative of the lack of attention to data security within this organisation. But even when there is awareness that something must be done about I&AM, C-level players usually think about the wrong risks. They believe, for example, that the danger comes from hackers and other intruders, whereas most data breaches are the result of actions by their own employees.
  • Knowledge of solutions is often anecdotal: The board often has little knowledge of the available security measures. What they know is based on their personal experience, such as antivirus software or a firewall. And even when research is done, we notice that it often comes down to anecdotal information. For example, they have taken note of a mobile device management solution, but leave the WiFi network out of scope. The only correct approach is to include all aspects, from the physical infrastructure through to the directory entry.