In the din of all the hue and hacks, the Hyundai breach did not get as much attention as others, but the lessons this company's CEO drew from the experience are quite refreshing. This made me jump up out of my chair and applaud (virtually). I would suggest forwarding this to any execs you interact with.
His biggest mistake, he says, was that he used to treat the information-technology department as simply one of many units that helped the company get its main job done. Today he treats it as central to everything the company does. Since the attack, Mr. Chung has spent weeks learning the ins and outs of network architecture, security infrastructure and the tradeoffs between data protection and customer satisfaction.
"If you lock the restroom and garage because you are trying to protect the jewelry in the bedroom, sooner or later, the rest of the family complains and finds a way around it," Mr. Chung says. "Like everything, IT security needs a philosophy, and only the CEO can make that kind of a decision."
How many CEOs will read this article? Probably a lot. It's in the WSJ, after all, but I hope they read that part and pay attention. These are incredibly valuable lessons. I blogged in April about the power of looking backwards from the future and imagining what you would have done differently. Well, guess what? You don't have to imagine: Ted Chung, Hyundai Capital's CEO, just expressed the central concepts.
First off, and this applies well beyond security, don't think of IT as separate. Technology is implicit in basically everything today - development, design, operations - it's not a server room off in the corner, it's core business. The separation of "business" and "IT" harms both parties.
If you were starting a business from scratch today, you would never think of computing as something other than the business; you would know out of the gate that computing is implicit in everything the business does. The separation of Business and IT is an historical accident, and it's well past its sell-by date. What matters today is who is doing:
- Product or Service Development - identifying requirements, doing design, strategy, listening to customer needs, figuring out how to go to market, doing detailed design and coding
- Deployment - promoting the system into production, managing change and environments
- Operations - running the system, monitoring usage, reporting
The point is that it matters not whether these tasks are done by "business" or "IT", and the separation of the two, far from helping, is actually harmful. It sets up false decision points.
A much better strategy is to combine "Business" and "IT" into these teams, and use the same bonus and incentive plans to show you are serious. You would be surprised how effectively these two different cultures can work together when incentivized to do so.
The existing separation at most businesses is harmful to IT in general, and security is just one casualty of this. The second point that Ted Chung raises is very important to security in particular - "only the CEO can make this kind of decision" - a very, very crucial thing to understand. The reason PCI DSS and other compliance-related changes move so quickly is not that they are always ground-breaking or even important security architecture improvements; it's that they have executive support.
It's exhausting to fight security architecture battles from the middle of an organization, to have to justify every control or detection mechanism. It's worse because of the project-by-project mentality most companies have: security is often a very expensive (or at least a lot of work) proposition in the context of one single project. Again, this artificial business and IT separation is harmful. If it's a "project" the business wants, any security is going to look like added time and cost on top of the features.
If instead the "business", INCLUDING IT, is working together on a platform that runs the business, then security will be seen as more vital. But in any case the executive support is still required: commercial software requires a lot of elbow grease to be even relatively secure, and a high-level philosophy of putting in the extra work necessary is a must.