Most individual managers are driven by a combination of the desire to experience pleasure and a determination to avoid pain. In the corporate world, pleasure usually materialises as salary increases, bonuses and stock options, while pain is expressed by demotion, public humiliation and possible jail time.
In the experience of most technologists, senior managers and board members have the attention spans of gnats; unless an issue is directly related to improving either the top line (revenue) or the bottom line (profit before tax, or EBITDA,[4] or whatever particular number is your company’s obsession), they pay it only the briefest of attention.
All information security proposals, therefore, should, if possible, be couched in terms of how they will either improve revenues (or EBITDA or whatever) or how they will protect revenue (or EBITDA, etc). You can’t overtly make the link between a left-to-right, steadily rising graph of corporate earnings and executive compensation, as this is taken as read by most executives.
The reality is that, apart from those information security projects that clearly improve availability of information, few information security projects will contribute directly to rising revenue. Most such proposals are far more likely to remove risks to current and future earnings, or to protect the downside of corporate activity. For instance, it is quite easy to see that tight security around all aspects of a new, breakthrough product will, in the months before launch, ensure that a competitor isn’t able to steal a march on you. It is less obvious, but still relatively easy to see, that for an e-commerce business compliance with PCI DSS removes most of the financial costs that would follow a successful theft of large quantities of payment card data from an unprotected network.
The financial implications of a breach of the UK’s Data Protection Act, though, are far harder to quantify, not least because there is no legal obligation on a private sector organisation to even report any breaches.[5] Covering up a breach – details about which emerge later – will, however, be dealt with much more fiercely by the Information Commissioner than if it had been reported in the first place. While there may be financial penalties, the size of these penalties may still seem, to some larger organisations, derisory.
If, however, there is a demonstrable link between financial costs and the bottom line, corporate executives are still likely to pay attention. Where bonuses are dependent on achieving specific financial results, it may be possible to present breach costs as avoidable, at a reasonable price. A ‘reasonable price’ should usually be demonstrable as something considerably lower than the potential financial impact if the breach were actually to occur.
While loss of personal earnings, or reduction in personal bonus, are outcomes that most corporate executives will take determined steps to avoid, self-interest as a motivating factor is even stronger where there is the possibility of a significant negative impact on a career. A significant security failure – such as the leak of sensitive financial information ahead of a takeover bid – can lead to formal external investigation and to dismissal. In extreme circumstances, directors, chief executives and chairpersons have been forced to resign as a direct consequence of the organisation’s failure to implement appropriate information security measures.
No director wants to find themselves contemplating the possible end of a career. If jail sentences became commonplace for the consequences of failures to implement effective information security measures, senior managers would pay significantly more attention to the issue than they do now.
[4] Earnings before interest, tax, depreciation and amortisation.
[5] Although this seems set to change with the introduction of the EU’s General Data Protection Regulation, which will mandate reporting of data breaches and impose significant fines for failures to comply.