Guest Blogger Barry Schrager.

I recently read a posting “Where’s the Compliance Experience on Corporate Boards?” [i] which showed some disturbing results describing the backgrounds of the Fortune 500 Board Members in terms of Compliance.  Here are the results: 

Background No. of Board Members No. of Companies
Finance 1,583 473
Legal 391 225
Accounting 201 165
Compliance 9 9

Add to this, in the recent speech given by Security and Exchange Commissioner Luis Aguilar at the New York Stock Exchange Conference “Cyber Risks and the Boardroom”,[ii] he emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week.  He cautioned,

Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril 

Mr. Aguilar recommends that Boards institute structural changes to focus on appropriate Cyber-Risk Management. 

Companies must have someone on the board that is able to adequately understand and implement cybersecurity procedures.  Many boards lack the necessary technical expertise to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues.  This responsibility often falls to the audit committee, but they may not have the expertise or skills to add cyber-risk oversight to their long list of duties.  Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management

Navy Admiral Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command stated

Military commanders must ‘own’ cyber.  Networks and cyber [should be] the commanders’ business.”  Commanders operate under the “flawed” notion that they can turn over network responsibilities to the unit’s information technology experts, said Rogers. “Commanders have to own this mission and integrate it into operations.” Senior officers ought to be as knowledgeable about a unit’s network capabilities and potential vulnerabilities as they would be about its fuel and ammunition supplies, he added. “The challenge to that is as much cultural as it is technical [iii]

There is a definite pattern here.   It is clear from the survey results and statements presented above that the proper disciplines and backgrounds are not present on the Boards nor the military leadership.  This lack of knowledge and background represents a risk for these companies and investors that should not exist and can be addressed.   Additionally, these organizations have an obligation to protect the information gathered from their customers, partners and those individuals who interact with them.

If someone on the Board was knowledgeable and asked questions of the senior executives on cybersecurity and compliance then the senior management would be sure to have someone in their group who was capable of seriously addressing these issues.  This would cascade down the organization and the employees would be more focused on security and, more importantly, feel free to raise their perceived security issues up the management chain and receive appreciation for their input, and more importantly, the organization would obtain more effective cyber controls and compliance controls.

This is not just an IT problem and executives cannot just assume that this will be handled by the IT people because it usually involves budget, procedural changes that affect other departments, etc.  If the executives do not listen and understand what the IT Security and Compliance people are asking for, they will not fund the requested programs and projects until there is a data breach and then they will finally provide whatever funding is requested.  This is not the way to operate.  Organizations and people will be hurt.  

Barry Schrager 

Barry Schrager is credited as one of the people who started the concept of data security when he founded and was the first Manager of the SHARE Security Project in 1972.  The project delivered a series of requirements to IBM in 1974 including data protection by default and algorithmic grouping of users and resources.  When IBM delivered its security product, RACF, in 1976, it did not meet the requirements and IBM told him they were not achievable.  So, Barry developed his own security product, ACF2, which met the requirements and was used by customers such as General Motors, the Central Intelligence Agency, the National Security Agency, Britain’s MI-5, the Federal Reserve System and the Executive Office of the President of the United States.  When Barry sold the company, SKK, Inc., it had a 60 percent market share against IBM’s RACF and CA’s Top Secret.  Under Barry’s leadership, SKK developed the first VM operating system security product, ACF2-VM, and the first automated Operating System auditing product, Examine-MVS, now known as CA-Auditor. 

In addition to that, Barry has a variety of experiences in mainframe software development, including the Neon Systems Shadow (now Rocket Software’s Shadow z/Direct), the EKC E-SRF Access Analysis product, JME Software’s Deadbolt product, the Vanguard Integrity Professionals line of RACF security products and Xbridge Systems’ DataSniff product. Additionally, Barry has done security reviews at institutions such as the FDIC and Morgan Stanley. 

Barry’s experience covers everything from software designer/developer to executive management to consulting services. 

Barry is honored to be selected as a member of the Enterprise Executive Magazine’s Mainframe Hall of Fame. 

Barry’s contact information is: / (970) 479-9377