What If Your CEO Is a Foolish Zebra?

June 4, 2013 - By Chris Larsen

Occasionally when I travel, I indulge in reading an old-fashioned paper edition of a newspaper. Last week, in Hong Kong, I happened across an interesting article in the Asia edition of the Wall St. Journal (linked here, so you don't have to go find it on paper).

The article discussed the unique security risks posed by CEOs. And it was directly relevant, since I was scheduled to speak at the Info-Security Conference the following day, on Foolish Zebras. (Foolish Zebras, for those in too much of a hurry to follow the link, are those users in your herd who seem to always make poor decisions about which e-mails and Web sites are trustworthy, and whose curiosity and/or bullheadedness often gets them into trouble.)

So I decided to reference the article in my talk. The response was interesting, but not unexpected.


The audience of IT leaders laughed when I summarized the article for them and asked, "So what do you do when your CEO is one of your Foolish Zebras?"

Several of them came up afterward to tell me stories: how their CEO had insisted that his Web browsing *not* be filtered, or how he'd had the bandwidth constraints eased or removed on his on-line video viewing. (For "research", of course.)

But I hadn't just been going for easy humor at the expense of CEOs. I seriously wanted to make a point, and to ask for suggestions. (None were forthcoming, by the way.)


An Awkward Situation

Clearly, there were plenty of CEOs out there who didn't want the IT Security people "spying" on their activity. Equally clearly, those IT Security people were uncomfortable "spying" on the senior executives.

And yet, those VIP Zebras are the very ones likely to be targeted by network intruders, as they typically are not as sophisticated in computer and network security as their IT staffers, and they usually have access to all of the "good stuff" that the intruders are after -- a winning combination, from the attackers' point of view.


To be fair to the CEOs, it's certainly not a good idea for everyone in IT to be able to read their e-mail, or look at the contents of their hard drive, or study their web traffic logs, just on a whim. But it's an incredibly foolish decision to go to the other extreme, and cite executive privilege as a reason to restrict access to all of that to just the CEO (and the Bad Guys).

Obviously, since the Bad Guys don't follow your corporate IT policies, someone on the Security team needs to have authorization to monitor the CEO's computer and network activity. (The situation reminds me of a programmer I met early in my career, who had a Top Secret clearance, since he worked on systems used in very sensitive places in government agencies, and there was no telling what sorts of documents he'd be exposed to in the course of troubleshooting the systems that managed and stored those documents. He took the responsibility very seriously, as you'd expect him to. A CEO should be able to expect the same level of professionalism from his senior IT staff.)

With those principles established, the only remaining question is how often the CEO's computer and network activity should be investigated, and under what circumstances.


Policy Recommendations

CEOs in high-security organizations, who recognize the (inadvertent) threat they could pose to their organization, might well choose to be proactive, and ask for regular monitoring.

For those less enthusiastic about the concept, I proposed to the audience in Hong Kong the following ideas:

- Use the "Foolish Zebra" principle to identify those zebras in your herd who will be serving as the unknowing volunteers in your intrusion early-warning system. (Their actual identities, of course, should be as anonymous as you can make them.)

- Next, add your CEO's identity -- also anonymously -- to the early-warning list. (Along with any other senior staff with access to sensitive intellectual property that you want to safeguard.)

- Make sure you add your top-level security and IT people to the VIP Zebra list. You are also high-value targets for the attackers, and you want to share exposure with the CEO and other senior staff, to get their buy-in.

- You want enough VIP Zebras on the list that there is still a degree of anonymity in the logs, even though their accounts are distinguished from the normal zebras in some way.

- When security staffers find something worth investigating in the logs, if it's a regular Foolish Zebra, they can investigate normally. But, when it's one of the VIP Zebras, they have to turn the investigation over to senior security staff -- someone who is authorized to drill down into the specific traffic and files.

- And it's probably a good policy to inform VIP Zebras whenever a possible intrusion is being investigated; regular reminders about how seriously security needs to be taken are a Good Thing. (Who knows? You may actually be able to turn them into a Wise Zebra, over time!)
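The list above can be turned into a small triage routine. What follows is an added example, not code from the original post or from Blue Coat: accounts are replaced by a keyed hash token before they reach the watchlist and the logs, a minimum VIP pool size (assumed: 4) enforces the anonymity point, hits on VIP tokens are routed to a senior queue, and only someone holding the key can resolve a token back to an account. The key value, account names, log format and `MIN_VIP_POOL` are all constructed placeholders.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret held only by senior security staff (placeholder value).
PSEUDONYM_KEY = b"per-deployment-secret-placeholder"
MIN_VIP_POOL = 4  # assumption: smallest VIP pool that still blurs which token is the CEO
VIP_ACCOUNTS = ["ceo", "cfo", "ciso", "it-director"]  # constructed names, not real identities
FOOLISH_ACCOUNTS = ["sales07", "marketing12"]

def pseudonym(account: str) -> str:
    """Keyed hash: logs and the watchlist carry this token, never the raw account name."""
    digest = hmac.new(PSEUDONYM_KEY, account.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def build_watchlist(foolish, vip):
    """Map token -> tier; VIPs (CEO, senior staff, security leads) outrank regular zebras."""
    if len(set(vip)) < MIN_VIP_POOL:
        raise ValueError(f"VIP pool of {len(set(vip))} is too small; need {MIN_VIP_POOL}")
    watch = {pseudonym(a): "zebra" for a in foolish}
    watch.update({pseudonym(a): "vip" for a in vip})
    return watch

def triage(log_lines, watch):
    """Route hits. Constructed log format: '<ts> <token> <host> <verdict>'.
    VIP hits go to the senior queue (only they may drill into traffic and files),
    regular zebras to the normal queue, unlisted accounts stay in ordinary review."""
    queues = {"senior": [], "normal": [], "unlisted": []}
    for line in log_lines:
        ts, token, host, verdict = line.split()
        if verdict not in ("blocked", "suspicious"):
            continue  # allowed traffic is not an early-warning signal
        tier = watch.get(token)
        queue = "senior" if tier == "vip" else "normal" if tier == "zebra" else "unlisted"
        queues[queue].append(f"{ts} {token} {host} {verdict}")
    return queues

def reidentify(token, directory):
    """Senior-staff step: resolve a token by recomputing over the account directory.
    Needs PSEUDONYM_KEY, so a first-line analyst without the key cannot do this."""
    return next((a for a in directory if pseudonym(a) == token), None)

SAMPLE_LOG = [  # constructed proxy log: three accounts, one lure host
    f"2013-06-04T09:01 {pseudonym('ceo')} lure.example blocked",
    f"2013-06-04T09:02 {pseudonym('sales07')} lure.example suspicious",
    f"2013-06-04T09:03 {pseudonym('engineer3')} update.example allowed",
    f"2013-06-04T09:04 {pseudonym('engineer3')} lure.example blocked",
]
```

Running `triage(SAMPLE_LOG, build_watchlist(FOOLISH_ACCOUNTS, VIP_ACCOUNTS))` puts the CEO's blocked hit in the senior queue and the sales account's hit in the normal queue, while the unlisted engineer's hit stays in ordinary review.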


Well, I wasn't laughed off the stage, and no one threw anything at me, for making these suggestions; but maybe that's just a characteristic of a polite Hong Kong audience. So I'm interested to get some feedback on this.

If you have a criticism or suggestion (or a good War Story), send out a tweet with a hashtag of #FoolishZebraCEO, and tell the world your suggestion for what to do when a CEO is a Foolish Zebra.

--C.L.

@bc_malware_guy