The hack stops here. So says a group of influential chief executives who want to elevate computer security to a board-level concern. The 150 members of the Business Roundtable released a report last month in which they said that computer security is a “shared responsibility” involving everyone from end users to vendors to the federal government. But at the same time, they put the onus on the private sector — and in particular on senior executives and boards of directors — in large part because the business community ultimately owns and operates most of the country’s information infrastructure.
The release of the report capped a seven-day stretch in which: Cisco launched an investigation into how some of its critical source code appeared on the Internet; German police prepared to charge an 18-year-old with launching the Sasser virus; the “Wallon” virus, which disables Microsoft’s Media Player, was discovered; a security researcher revealed that two flaws in Apple’s Mac OS system could allow a hacker to install and run a malicious program; and leading security vendor Symantec released patches to plug security flaws in its own antivirus and firewall-protection software.
Add to that the appearance of new variants of the Sasser virus, an increase in “phishing” (a form of identity theft) attacks, and sundry other headaches, and you can see why computer security must now be a key component of all companies’ risk-management strategies. CFOs are likely to play a very important role, for three reasons: they are the point persons for all matters involving risk management; because of their increased involvement in IT, they provide a valuable bridge between technologists and the corner office/boardroom; and anything that’s a priority for the CEO is, ipso facto, a CFO imperative as well.
The Roundtable didn’t simply offer a statement of support for the idea of tighter computer security; it developed a seven-point framework that emphasizes the CEO’s role, the need for boards of directors to review policies and assess vulnerabilities, the need for suppliers and end users to hold up their respective ends of the bargain, the role the federal government should play, and the role it should not play (a topic that accounts for three of the seven points!).
The Roundtable’s focus is on cyberattacks, which it defines as worms, viruses, hacking, identity theft, fraud, extortion, and espionage. Collectively those threats are thought to have cost companies nearly $1 billion in losses last year. Your IT department will happily add to that list of potential susceptibilities such things as privacy violations, corrupted data, natural disasters, and a host of other risks.
CFOs have heard much (if not all) of this before, of course. But when hearing it from on high, “I’ll look into that” may not be a suitable response.