Although information security has traditionally been the responsibility of information technology departments, some companies have made it a business issue as well as a technological one. This year we studied security best practices at Fortune 500 companies, particularly 30 that had recently appointed a senior business executive to oversee information security. (According to an April 2001 estimate by Gartner, half of the Global 2000 are likely to create similar positions by 2004.) A handful of these Fortune 500 companies are now adding strategic, operational and organizational safeguards to the technological measures they employ to protect corporate information.
But most companies continue to view information security as a technological problem calling for technological solutions--even though technology managers concede that today's networks cannot be made impenetrable and that new security technologies have a short life span as hackers quickly devise ways around them.
Delegating security to technologists also ignores fundamental questions that only business managers can answer. Not all of a company's varied information assets have equal value, for instance; some require more attention than others. One online retailer, Egghead.com, lost 25 percent of its stock market value in December 2000, when hackers struck its customer information systems and gained access to 3.7 million credit card numbers. Egghead, of course, had security systems in place and claimed that no data were actually stolen, but it lacked the kind of coordinated organizational response necessary to convince customers and shareholders that their sensitive data were actually secure.
Concerns about negative publicity mean that almost two-thirds of all incidents actually go unreported.
Besides having a broader perspective on information security than IT managers do, CSOs at best-practice companies have the clout to make operational changes; the CSO at the personal-banking unit of a large European bank, for example, has the authority to halt the launch of a new product, branch or system if it is thought to pose a security threat to the organization.
Only the CEO can overrule the CSO--and rarely does. In the typical company, by contrast, a security manager in the IT unit has responsibility for security but little power to effect broader change in the system. In addition, CSOs at best-practice companies conduct rigorous security audits, ensure that employees have been properly trained in appropriate security measures, and define procedures for managing access to corporate information. When a decision is made to lay off or dismiss an employee, for instance, it is simultaneously entered into the human resources system, thereby restricting that person's access to the company's premises, to e-mail, and to documents.
Most business leaders pay as little attention to the issue of information security as they once did to technology.
Today, most business leaders pay as little attention to the issue of information security as they once did to technology. But just as technology now stands higher on the CEO's agenda and gets a lot of attention in annual corporate strategic-planning reviews, so too will information security increasingly demand the attention of the top team. In a networked world, when hackers steal proprietary information and damage data, the companies at risk can no longer afford to dismiss such people as merely pesky trespassers who can be kept at bay by technological means alone.
For more insight, go to the McKinsey Quarterly Web site.
Copyright © 1992-2002 McKinsey & Company, Inc.