A quick check of Lenovo’s management page reveals the company has no top security executive. Consider this a subtle warning sign. Security at Lenovo is one of the many responsibilities assigned to the Chief Information Officer (CIO), Xiaoyan WANG. We can learn much about a company’s emphasis on security by reviewing its leadership structure on its web site or in its financial reports. If you review Lenovo’s management page, you will notice that 1) security is not a primary role but instead one of many CIO responsibilities, and 2) other responsibilities of the CIO present a direct conflict of interest with security.
First, let’s look at security as a primary responsibility. Security is like other areas of an organization: the more resources you invest, the better results you can expect. I don’t mean to imply that blindly pumping cash into your security program is helpful, but understanding how to apply resources to the problem is where partnership between business and security executives is important. A poor security leader, or no leader at all, is the surest way to kill a security effort before it even begins. To be clear, no company says “do a bad job on security.” The problem is that without proper security leadership and resource allocation, a good job is next to impossible. Companies with the best chance of success in their security programs place security on at least equal footing with other top business priorities. In a security-conscious company I expect to see at least one top security executive, such as a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). Ideally, I want to see others, like a Chief Privacy Officer (CPO), as well. This tells me the company really understands the impact of the digital age on its products and services. Of course, Lenovo may have a CSO that reports to the CIO, or to a leader that reports to the CIO, and many companies do, but in the end this is a conflict of interest because CIOs are focused on delivery. Ultimately, product delivery may trump security, but without an independent advocate to argue on the side of product quality, productivity will win every time, and this may not be best for the organization.
Next, the conflict of interest issue. It may not be obvious, but WANG’s many responsibilities include “information service delivery and security”. For years, IT organizations and software developers have been accustomed to the idea of a Test group that performs independent quality assessments of products and services before customer delivery. Independent assessment is an essential quality control measure for producing consistently high-quality products and services. All too often security is lumped into the same bucket as other technical product quality reviews. I believe this is a mistake. Placing application security responsibility in the same group responsible for product delivery is like placing the fox in charge of the hen house. Security product quality is a business concern, not a concern for a technology group. Few CEOs were ever fired over a software bug, but many more CEOs will be fired in the future over software vulnerabilities. Additionally, vulnerabilities are unique among bugs since they can shake the very foundations of your organization’s credibility with customers, which may take years to reestablish. In today’s highly optimized world of software development, leaders often don’t have the necessary resources to deliver products on time and on schedule. In such a climate, it’s too tempting to focus limited resources on tangible features customers can see. With security, however, it’s far too easy to make bold claims of a strong security posture; without specialized tools and testing, security posture claims must be accepted at face value. I see security differently: security is a top business concern, not a technology concern. As a top business concern, security must answer through its own leadership, which ideally terminates at a security executive who is accountable to the board. This allows security to be considered on equal footing with other business priorities and risks.
A final note on security responsibility for C-level readers. The days of blaming breaches on the ingenuity of hackers are coming to an end. Overestimating hackers’ ability to infiltrate systems is a convenient way of shifting public scrutiny away from poor leadership and security practices and back onto attackers. Increasingly, the broader public and regulatory agencies are becoming less accepting of such excuses. If you don’t make security a top priority in your board room, with all due and proper funding, and with security leaders leveled like other leaders, you will be accountable on breach day. Leaders of America’s largest corporations are learning a painful lesson: security responsibility can be delegated, but blame cannot. See Target CEO Fired – Can You Be Fired If Your Company Is Hacked?
For those interested, in a previous post, So You Want to be a Security Professional, I cover some background on security positions and ways to organize security duties. For full background on the Lenovo incident, I refer readers to Bruce Schneier’s article, Man-in-the-Middle Attacks on Lenovo Computers.
Superfish cover by Anelis, DeviantArt