How exec snatched $6m budget from his infosec team because he couldn't see ROI

The Australian Information and Security Association (AISA) is testing the security chops of 150 executives on Australian boards in an effort that may prove information security is only a "top priority" after a breach. It will take most of the year for the association to phone the executives in some of the nation's biggest …


This topic is closed for new posts.
  1. Notas Badoff

    Finish the 100 interviews, then revise the laws?

    "Another interviewed board member shrugged off the risk of fines .... opting instead to pay the watchdog's fines that could reach $1.7m, ..."

    More such honesty, please!

    Remember all the commentardery saying that fines should be replaced with or progress to jailing for C-level and board executives? We really need this progression to personal liability, as the only effective path to personal responsibility.

  2. ecofeco Silver badge

    Well there we have it

    So now we have proof that many companies really DON'T care that much about their IT security.

    1. Combat Wombat

      Re: Well there we have it

      I bet the (ex) CEO of Target cares a whole heap more than he did this time last year.

      1. Nicholas Roberts

        Re: Well there we have it

        Gregg Steinhafel's compensation on leaving Target will likely be 55 million plus. The Target 'hackers' generated only an estimated 53 million in stolen funds.

        Yeh, I'm sure Gregg is crying into his breakfast Bellini and Condor egg omelet about his decision to under-fund his IT/Infosec team.


  3. Scoular

    Executive responsibility

    Only when executives are held personally accountable for their actions or inactions will anything happen. Big companies have a history of deciding that paying fines or compensation years later is cheaper than doing anything. If it all goes wrong and people get their money stolen, or are even killed, the company pays but never the executives, so why would anyone expect them to be concerned?

  4. Combat Wombat

    A = Take the average number of detected hacks a year

    B = the rate of successful breaches

    C = The average cost of dealing with those breaches.

    A x B x C = X

    If X is less than the cost of paying the legal fines, then they won't finance security.

    The only time a company puts serious money into security is after they have been royally and totally owned (See Target in the US), and then it's really just for show until the rep is restored then they just cut it again.

    Fail.. for obvious reasons, but we really need a Tyler Durden Icon, with alt text of "A x B x C = X"
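The A x B x C arithmetic in the comment above, carried one step further, as an added example that is not from the article, AISA or any commenter. All figures are constructed for illustration: 200 detected attacks a year, a 2% success rate, $250k clean-up per breach, a $1.7m fine per breach (treating the fine as per-breach is an assumption), and a $6m control (the headline's figure, borrowed only as a round number) that cuts the success rate to 0.5%. The point it adds is that the expected-value sum and a bad-year (99th percentile) comparison can give opposite answers:

```python
"""Expected-loss arithmetic (A x B x C) versus a tail-year comparison.

Added illustrative code; not from the article or AISA.  Every number in
example() is constructed, and charging the regulator's fine per breach is
an assumption made here, not a fact from the page.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachModel:
    attacks_per_year: int      # A: detected attacks per year
    success_rate: float        # B: fraction of attacks that become breaches
    cost_per_breach: float     # C: average clean-up cost per breach
    regulator_fine: float      # assumed fine exposure per breach

    def loss_per_breach(self) -> float:
        return self.cost_per_breach + self.regulator_fine

    def expected_annual_loss(self) -> float:
        """A x B x (C + fine): the average year, which is what boards see."""
        return self.attacks_per_year * self.success_rate * self.loss_per_breach()

    def simulate_year(self, rng: random.Random) -> float:
        """One simulated year: each attack independently succeeds with prob. B."""
        breaches = sum(rng.random() < self.success_rate
                       for _ in range(self.attacks_per_year))
        return breaches * self.loss_per_breach()

    def loss_distribution(self, years: int = 10_000, seed: int = 7):
        """Return (mean annual loss, 99th-percentile annual loss) over a
        seeded simulation, so the bad year is visible next to the average."""
        rng = random.Random(seed)
        losses = sorted(self.simulate_year(rng) for _ in range(years))
        p99 = losses[int(0.99 * (years - 1))]
        return statistics.fmean(losses), p99


def funds_security(model: BreachModel, control_cost: float,
                   residual_rate: float, use_tail: bool = False) -> bool:
    """Decision rule: buy a control that cuts B to residual_rate only if the
    loss it avoids exceeds its cost.  By default the comparison is on the
    average year (A x B x C); with use_tail it is on the 99th-percentile year."""
    after = BreachModel(model.attacks_per_year, residual_rate,
                        model.cost_per_breach, model.regulator_fine)
    if use_tail:
        before_loss = model.loss_distribution()[1]
        after_loss = after.loss_distribution()[1]
    else:
        before_loss = model.expected_annual_loss()
        after_loss = after.expected_annual_loss()
    return before_loss - after_loss > control_cost


def example() -> dict:
    """Constructed numbers; see the module docstring."""
    model = BreachModel(attacks_per_year=200, success_rate=0.02,
                        cost_per_breach=250_000.0, regulator_fine=1_700_000.0)
    control_cost, residual_rate = 6_000_000.0, 0.005
    mean_loss, p99_loss = model.loss_distribution()
    return {
        "expected_annual_loss": model.expected_annual_loss(),   # 7.8m
        "mean_annual_loss": mean_loss,
        "p99_annual_loss": p99_loss,
        # Average-year view: avoids 5.85m for 6m, so the exec says no.
        "funded_on_average": funds_security(model, control_cost, residual_rate),
        # Bad-year view: the same control looks worth buying.
        "funded_on_tail": funds_security(model, control_cost, residual_rate,
                                         use_tail=True),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key:>22}: {value:,}" if isinstance(value, float) else f"{key:>22}: {value}")
```

The average-year rule is the one the comment describes, and with these inputs it rejects the control by a small margin. The tail rule is the fire-insurance argument made later in the thread: the year you are budgeting against is not the average one.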

  5. Don Jefe

    Sales Proficiencies

    IT folk hate to hear it, but their continued refusal to adopt sales skills holds the entire industry back. Sales isn't just slick-talking douchenozzles weasel-wording money out of a customer. Sales is getting your boss to do what you want him to do. Sales is stopping the guy with the boss's ear from railroading your team into meeting his priorities instead of priorities set by the IT staff that enable company goals. Sales is getting that $6M back from the stupid exec plus an extra $250k for the hassle. Sales is understanding reality and altering it in a way that suits you.

    It drives me up the wall the number of startups I've talked to about their funding proposals and they think technical excellence is all they need. They're really fucking wrong. The best product in the world will make up about 30% of your business, the rest is down to customer facing strategies for sales and marketing and some finance.

    The ability to sell to customers, and the ability to sell to me is the #1 thing I look for in companies coming to us for funding. Great products never get to market because the people who developed the product can't, or won't, sell, or even try to learn. Shitty, or less than great anyway, products do get funding and do make lots of money because the people who developed them can, and will sell, or they've brought in people who can.

    Learn to sell and learn to like it, or be happy never having a voice in your own career.

    * As an aside, I'm willing to put money on the fact that the exec who said he pulled $6M of security funding is lying his ass off in an effort to look like his mental image of a financially responsible executive. I've never met a CEO who wouldn't fire the exec who said that within five minutes of his saying it. It's basic management that if you're going to take risks you never brag about doing it and risk a competitor or other not benevolent sorts exploiting whatever risk it is you've taken. The guy is full of shit.

    1. Mephistro

      Re: Sales Proficiencies (@ Don Jefe)

      "IT folk hate to hear it, but their continued refusal to adopt sales skills holds the entire industry back. "

      Sorry to disagree, but we could say something similar about execs "holding the industry back" by not learning IT skills - and by IT skills I don't mean being able to use Excel and Word to some extent. Or heart surgeons and anaesthesiologists, or...

      My point is that in this complex world, specialization is mandatory. If you hire the most convincing IT guy, chances are you're discarding the most experienced and knowledgeable, and that's a recipe for disaster.

      As for the risk assessments cited in the article, and given their sources, I'd say they're a bit on the optimistic side, as they don't seem to account for the potential PR backlash in case of a security breach.

      1. Mark 85 Silver badge

        Re: Sales Proficiencies (@ Don Jefe)

        I knew the owner of a very successful engineering company. He said he didn't need to know the engineering part, what he needed were the best engineers. If the engineers needed something, he made sure they got what they needed as long as they could explain the reason. There was a two-way street there on trust and communication. The difference between his company and some mega-corp is that his name was on the building and not beholden to "returning shareholder value" at all costs.

        Each side of this needs to be able to say what's needed, but the trust plays a big part. However, when risk assessment comes into play, common sense goes out the window and so do ethics. Remember the Ford Pinto? Ford knew the risks of the faulty fuel system but ignored it because risk assessment said it would be cheaper to settle any lawsuits out of court than fix the problem. Did they take a PR hit that hurt them? Look at the company over the years and you tell me. Target will recover but no real damage to the company will occur.

        The real pity is that there's not some way of holding the yo-yo's at the top accountable since the Board tends to cover each other's butts and all the shareholders want is the profit. If the company goes under, the shareholders and board all go somewhere else.

        1. A Non e-mouse Silver badge

          Re: Sales Proficiencies

          "long as they could explain the reason"

          Exactly. Blaming the board because they don't understand all the intricacies & technicalities isn't all their fault. It's our fault for not explaining it to them clearly. Sure, the board has to be willing to engage, but just lobbing technobable at them isn't going to help IT's cause.

          You have to remember that a company's board are not employed to be IT experts, they're employed to be experts in running a business. (Whether they are any good is another matter, just like any employee.)

      2. Bluenose

        Re: Sales Proficiencies (@ Don Jefe)

        You must have a lot of fun when abroad, tell me do you shout loudly whilst speaking slowly?

        The board is full of people who think they know about business and their focus is on making money (allegedly for the shareholders but predominantly for them). The company (business) is their country and IT is the foreigner so the foreigner needs to learn to talk their language not the other way round.

        1. Don Jefe

          Re: Sales Proficiencies (@ Don Jefe)

          I do have a lot of fun abroad. I suppose I do speak loudly, I'm rather hearing impaired from a misspent youth and years of forgetting hearing protection in manufacturing environments. I've never had anyone begrudge me that though.

          Probably because they like what I have to say. I'm not there to be buddies or see how much work I can not do, I'm there to make money by helping my clients and our startup investments make more money. Because that's why people go into business, to make money. You understand that, right?

          I get to fly all over the world, at the clients expense, and before the deal is done I've given them a price 15-20% above what they budgeted for and a timeline that's sometimes years longer than they anticipated and they are happy as hell. Because they've been educated (sold) on what I'm going to provide them, they know why it costs so much, why it's going to take so long to deliver it and I've got clients in nearly every sector of advanced manufacturing who love to show silly spendthrifts how much money they saved by spending so much more than they originally wanted to.

          You don't get to ignore people's budgets and timelines and have them willing to do sales for you (free, I might add) unless you've sold them on the idea that they're making the right decision and delivering a product far superior to what they originally wanted. Hell, I'm the no-bid contractor for a variety of components used in the high energy research projects of State sponsored research laboratories all over the planet. Directors of National Labs won't even consider buying from low grade suppliers like Thales, BAE, Lockheed or Boeing, even though they are significantly cheaper. That's because I've sold them on the facts that we're better. If better is what they really want then they need to find the extra money, that's not my problem.

          So you sit there whining because your peers go on to do the things you want to do. Bitch about how the people making money and running their own lives, careers and businesses don't know anything about business. Whichever one of you and your anti sales cronies are the last out the same door you've been going through for the last decade, do make sure and turn the lights off before you waddle home.

    2. Anonymous Coward

      Re: Sales Proficiencies

      On that note, any recommendations for books or online training for sales skills?

      My company won't make sales training available to its technical staff (have asked several times), so I'm self learning as time permits. Nothing so far seems very practical though. :(

      1. Vic

        Re: Sales Proficiencies

        On that note, any recommendations for books or online training for sales skills?

        Here you go


      2. 2Fat2Bald

        Re: Sales Proficiencies

        Try a book called "How to win friends and influence people".

        Some of the language and examples in it are a bit dated now, but the basic principles and ideas in it are spot on. Once you've read it you'll see all sorts of sales people trying to use the techniques all the time. Generally the less transparent they are about it, the more they earn but they all use these techniques and it's generally regarded as the seminal work on them.

        Helped me no end in my career. Although I sometimes think my "inner geek" is holding me back.

        1. Anonymous Coward

          Re: Sales Proficiencies

          Ugh. That's not a sales book in the slightest. It's a human relations book. (a good read mind you, just not at all on topic)

    3. Bluenose

      Re: Sales Proficiencies

      Back in the '80s there was talk of developing what were called hybrid managers to work in IT. These would be senior people who would bridge the gap between the business and this new place called the IT department. Regrettably the only companies who have actually managed to implement this model are the IT companies themselves. Companies like Google and Amazon (and yes, I do see Amazon as an IT company).

      Meantime the rest of the business world has looked at IT and identified that it can be used to get rid of people, do things faster whilst reducing the costs, and as something they HAVE to do but don't really understand why. Security however is not something they understand unless it has a value associated with it that lets them see why it is important. For example if you have a warehouse full of goods that will be sold, the value of paying £7 - £8 per hour for a security guard is a good security investment (value of lost goods minus guard's salary = profit).

      The same is also true for IT security: lost value of company strategy minus cost of computer security equals profit. Exposure of company strategy plus head start of competitors = big loss. These are simple conversations and should be straightforward to have. Why we don't have them is strange, because I can guarantee that every company worth its salt is currently getting its lawyers to include clauses in contracts that say if the supplier is responsible they will accept unlimited liability for data loss.

  6. Mr. Chuck

    There's nothing startling about this. Information security is intended to mitigate business risk. If the cost of an infosec FAIL + fines is less than the cost of fixing it, doing nothing makes perfect sense from the standpoint of a board member. Most people are using windows and so are accustomed to computers not working properly. No particular stigma attaches once the headlines have wrapped the chips.

  7. Anonymous Coward

    IT is expected to also speak in the language of business....

    ... when can we expect some of these highly paid execs to learn some IT language too

    1. Don Jefe

      Re: IT is expected to also speak in the language of business....

      That's pushing responsibility onto someone else. That's the quickest way possible to not get your way. If you aren't in a position to make business related decisions then it's part of your job to communicate what you need to the people who can provide it, in a way that resonates with them.

      If you want things to be different it's got to be you that drives that change. Unless staff are willing to work with the business and do their best to make things easier for the people who sign your paychecks then there's simply no valid reason to screw around with them. People like that are interchangeable. You just let them quit then hire an identical replacement. There certainly isn't a shortage of IT people with great skills and piss poor attitudes you know.

  8. smudge

    No appetite

    "...Masters said infosec bods would score resources if they pitched projects against the specific risk appetite of the board.

    "[Approval] depends on where a potential breach sits within the specific risk appetite of a business," Masters told The Register.

    "If they show ROI in this language, they will succeed."

    Masters said this was a guaranteed ROI recipe."

    Just one teensy problem. The part of an extremely large household-name company that I am currently working for:

    - has no idea what "risk appetite" is

    - doesn't see why they should have one

    - doesn't see why they should have to accept any risk.

    1. Bluenose

      Re: No appetite

      So their risk appetite is to avoid all risk. There see they do have a risk appetite whether they know it or not. Everyone has a risk appetite just because they don't know what it means does not mean it doesn't exist.

      The next step is to point out to them that they cannot avoid all risk (it is an impossibility, as Donald Rumsfeld said it all when talking about the unknown risks that we don't know about rather than the unknown risks we do).

      Next point out that a failure to address security will allow someone to steal all their money leaving them with a set of accounts that the auditors won't sign off on.

      Finally write to the company auditors explaining where the security risks are in the financial systems and watch the fireworks start.

      1. Don Jefe

        Re: No appetite

        If you write the auditors instead of altering your communications in a way that progresses through the company chain of command you deserve to be fired. I fucking hate firing people, but if you go outside the chain of command simply because you are incapable or, more likely, unwilling to adjust your message to get the results you want, you've got zero business attempting to address any risks.

        I've never met an auditing firm or board member who wouldn't take your message straight to your CEO and identify you as the problem. Everybody with common sense knows that taking an operational issue to strategic management is a stupid idea to begin with. It's doubly stupid if it's a general staffer doing it.

        I'm a nice guy, and if you apologized I would let you back in the industry. Otherwise you'd have to leave the country to find another job in whatever industry you're in. But I wouldn't sue you. Which I could do, and I would win. I could sue the auditors you wrote if they didn't report your actions, and I would win. You might even go to jail. See, if you aren't reporting something illegal, it's illegal to pass sensitive company information to others without specific authorization. Bet you didn't know that did you? If you're not sure shoot a note to your legal department.

        You should also stop encouraging others to kill their careers and break the law. That's not cool.

        1. Vic

          Re: No appetite

          I've never met an auditing firm or board member who wouldn't take your message straight to your CEO and identify you as the problem. Everybody with common sense knows that taking an operational issue to strategic management is a stupid idea to begin with.

          I was contracting at a large company a few years back when I noticed that their entire product line was based on unlawful copyright infringement[1] - "software piracy" in the vernacular. I took the issue to management.

          They tried to walk me off site[2].

          Two and a half years later, I finally got to talk to someone who would look at the problem - a senior manager. And he agreed with me.

          But nothing's been done. And as I'm no longer there, it probably won't be.

          So the upper management are busy risking their *entire* product line because they can't be arsed to do a little compliance.

          It worries me when such "important" people cannot see the risk they are taking...


          [1] They are using a *lot* of GPL code, but refuse to abide by the licence. I even offered to sort it out on my own time for nothing - they didn't want to know.

          [2] They failed...

          1. Anonymous Coward

            Re: No appetite

            So, VMware then?

  9. LDS Silver badge

    Post the "escorts" sites the executives visit each day...

    .... they will soon understand what security means.

  10. dan1980

    Won't somebody think of the . . .

    Let's put aside the "IT need to talk 'exec' and sell their proposals better" angle.

    I hear Don, above, and I understand what he is saying. I also happen to agree with him. As an IT bod, you are employed to assist the business by using your technical expertise - just like any other specialist. If it's your (expert) opinion that the business will be best served by X then damned well do your darndest to make sure X happens.

    Okay, now I'm ready to put that aside . . .

    Doing so, let's turn to WHY these regulations exist. They don't exist so a board can realise a compelling ROI, nor so that an IT staffer can take control of his job; they exist to protect the public, by protecting their information.

    The problem here is not that IT haven't sold it well enough, but that the privacy commissioner and those who are making these laws haven't sold them well enough - the price is wrong. They need to understand that businesses are wont to see such fines as simply a cost of doing business. That is where punitive damages come in.

    Such damages are awarded by a court in cases of business malpractice in part to discourage businesses seeing fines as a line item in their budget, offset by the money they save by being dicks. It happens in insurance cases where particular bad will has been shown. (Though not enough.)

    The way to redress this is to make the risk of non-compliance higher than the cost of compliance.

    The commissioner has to ask why these laws and regulations exist in the first place. If the goal is to protect the public (and it should be) then they need to get serious and impose fines that are actually a deterrent. After all, if I have my identity 'stolen' then the inconvenience, cost and stress to me is likely to be FAR more, comparatively, than the inconvenience, cost and stress of having to pay a (max) AUD 1.3m fine is to the company forced to pay it. Multiply that by the number of people affected by the hypothetical breach and $1.3m may well start to seem laughable.

    Short version?

    The penalties for putting your customers at risk must be severe enough to prevent companies being able to write it off as business cost.

  11. Terry 6 Silver badge


    "He said one customer helped prove infosec ROI by supplying his chief information officer with reports on the number of blocked attacks, with estimated costs should those breaches have been successful..."

    I was shocked by the idea that some/many/most IT departments don't do this.

    Surely that's the main part of the job. Not writing procedures, not watching the lights flashing on the server, but evaluating risk and reporting outcomes.

    I worked for a local authority. I was that hybrid manager spanning the IT support and the service management (while working in my own non-IT area of expertise).

    And identifying security of data, evaluating risk etc was my first priority.

  12. Chris Miller

    So what's the ROI on your fire insurance? It's either zero (if you didn't have a fire) or something humongous.

  13. JeeBee

    The return on investment for having adequate security measures in place should be being allowed to stay in business (i.e., companies that do not invest in security are shut down by the government, I might even allow the companies' one shot at fixing their problems before being shut down).

  14. dan1980


    It seems that very little short of that will be able to convince businesses to give a damn.


Biting the hand that feeds IT © 1998–2021