This two year old article is still so true. Worth revisiting in a more risk management conscious corporate environment.
Keeping Your Business Clean - CSO Magazine - June 2004
Take this quiz to test the ethical health and well-being of your business.
A COLLEGE PAL OF MINE—a corporate lawyer at a major, publicly traded company—has been watching all of the corporate-integrity meltdowns from his not-so-distant vantage point. Just for fun, he helped me devise a quiz of sorts to check out the "uprightness" of my own situation at my company. I was shocked and disturbed enough with my results to share them here (under the protection of anonymity, of course).
Maybe I'm a good Samaritan, but I care about America's corporations, and I hope our times offer an opportunity to change some thinking. Take this little corporate hygiene quiz with a few of your trusted business pals over a latte or two. And since catharsis is good for the soul, I'll share my answers with you here. I used a scale of one (not so much) to five (absolutely) to get a numerical sense of where I stood.
To start, does your business depend on a complex technical environment with significant uptime reliability?
Aren't we all increasingly reliant on a networked environment with nodes, access points and critical intersections in places that we can't see or control? Uptime reliability is important for everybody these days, but it's an expected cornerstone of businesses that feel they need to hire a CISO. I give myself a four on this one.
Does your company have operations in any country below the equator?
Many U.S. companies have core business processes located in countries below the earth's beltline. Security risks exist there that make knowledgeable security professionals twitch every time their phone rings: kidnappings, corruption, incompetent and criminal law enforcement, Internet crime, organized crime, drugs, money laundering, an overall unsafe environment with too many Foreign Corrupt Practices Act temptations. But what are you going to do? The labor is cheap and we have to be competitive. My company is moving in that direction but not there whole hog yet. So I'll give us a three on this one.
Would you characterize the velocity of your company's business as high-speed?
How about warp speed? How else can we continue to satisfy Wall Street and our fickle shareholders? We're all being pushed to do more with less. And there's so much going on in the back draft of this fast pace, I wonder what the hell else I'm missing. I'll take a five on this one. I'd take a six if it were allowed.
Do you forgo a criticality rating to identify shortcomings in business controls and security measures?
With all the open books and disclosure emphasis these days, the lawyers are really nervous about recording any risk information that could come back to haunt us. As a security professional, I've always lived with criticality ratings—it's all about the likelihood of problems we need to be prepared to address. But I know for a fact that we have no organized process for doing this across the business. In the aftermath of Sarbanes-Oxley, our auditors now rank their findings; but that's ex post facto and, besides, an audit is cyclical and periodic. This is all about what keeps knowledgeable risk managers awake at night and what we are missing. I'd better take a four (and hope for the best).
Does your corporate risk-management model discourage individual managers from seeking out vulnerabilities in the system of controls?
My company doesn't have a risk-management model, per se—and then blame is typically parceled out to the lowest common denominator. I'll take a four on this one, too. (This isn't shaping up well is it?)
Are managers ill-informed about what to look for on control deficiencies or cues on risky behavior?
There's not a lot of sharing here, especially concerning errors or incidents. After all, who wants to shoot themselves in the foot? We have an active infosecurity awareness program, but it hasn't been integrated into any of the training and employee development programs we run on a continuous basis. HR owns management training, but it doesn't recognize that the manager's job has a core risk-management component. And what's the first question out of the CEO's mouth when it hits the fan? "Who's the manager of this disaster?" I can't vouch for manager awareness across the board. So let's score a three here.
Are there unaddressed vulnerabilities in your company's safeguards or other such exposures that could be exploited?
The fact that this question has to be included speaks volumes about the maturity of risk management. Of course there are known gaps! And it's the people who work here who know where to find the holes. The guy who is empowered to do you the most damage already works for you. The developers leave open doors in our applications, and our LAN administrators have the keys to the kingdom. There's no one place where all the data comes together to enable those of us on the firing line to see where the interconnections and interdependencies may exist. Besides, I get paid to think about "what if," so scoring anything less than a five would be dishonest.