Digital security is a technical field, but for organizations that build software applications and offer online services, security is also a psychological and managerial issue. A company can hire for technical expertise, but if its executives don’t set the right tone, measure the right outcomes, and implement the right incentives, no amount of security expertise will produce secure applications.
When it was revealed that staff at a major American bank had created accounts for customers without their knowledge, all eyes turned to the bank’s executives. Were they responsible? While it’s not entirely clear how much the executives knew about what was happening, it is clear that they set sales incentives that motivated employees to cut corners and act against the best interests of customers.
They rewarded high-flyers, punished the less productive, and didn’t ask questions about how employees generated results. It’s a commonplace that if you set a target and choose a metric to assess attainment of that target, people focus on the metric and forget all about what motivated it in the first place.
The goal was genuine accounts opened by real customers. But executives failed to build an incentive structure and culture that valued those results. It was all about the numbers, and employees delivered those numbers to catastrophic effect for the bank’s reputation.
The same pattern obtains where security is concerned. Executives talk big about security, but set productivity incentives that value other outcomes. That might be sales, lines of code, new features added, new sources of revenue, decreased costs, increased conversion rates, or other targets that impact the bottom line.
In a culture that privileges these outcomes above all others and implements rewards tied to those outcomes, security gets short shrift.
This effect manifests itself in many different ways, from large-scale application design decisions to the smallest coding choice. A rational actor pursues the goals that bring rewards, even if they know better from a technical perspective.
By setting targets and creating incentives, executives shape the culture for managers and employees. It’s their responsibility to create a culture in which security is considered a priority. If they don’t, it should come as no surprise when the company’s sites contain malware, its products are easily hacked, and its servers are dragooned into botnets.
When people say “security is now in the boardroom,” they often mean that bad security decisions have such a large impact that they’re felt in the boardroom. What it should mean is that executives are taking their responsibilities for creating secure products seriously. That means more than just hiring security experts: executives have to create cultures and incentives that make digital security a priority.
Written by Karl Zimmerman, founder and CEO of Steadfast.