Risky business.

Author: HORTON, THOMAS R.

Directors must do whatever we can to safeguard our arguably most valuable asset -- information.

Although information systems are critical to business success, many CEOs regard them as the most difficult function to manage. Just to discuss this field requires some knowledge of the strange Cyberian language. Firm commitments routinely slip, and costs are less predictable than in other parts of the business.

Effective board oversight of information systems is also a challenge. The "digital divide" runs straight through the boardroom. The chief linkage of the board to the information technology function is often its audit committee, some of whose members may feel incompetent to provide sound oversight. Yet information is the lifeblood of most businesses.

A recent White House conference, sponsored by the United States' Critical Infrastructure Assurance Office and organized by the Institute of Internal Auditors and the National Association of Corporate Directors, issued a call to action for boards to take the lead in assuring information security. This task is more difficult today than ever, due to the world of connectivity that we so casually entered a few years ago. Once, the Internet was an interesting novelty. Today it is central to business strategy. Yet when we are connected to our customers and partners, we are connected to everyone else. The Internet was designed with sharing, not security, in mind. Our national information infrastructure was recently described as having been "cobbled together in the most accelerated technological improvisation ever experienced in human history...and is easily turned on itself to abuse and misuse information and deny essential services."

Last February's denial-of-service attacks on several leading Web sites (and the FBI!), while not the most serious of computer crimes, should have been a huge wake-up call to American business. Indeed, over a year ago security experts were alerted to the existence of a program, already in the hands of hackers, designed to automate such attacks. A cybercriminal, who leaves neither fingerprints nor DNA, may be a terrorist, a disgruntled employee, a day trader, or just a bored teenager. Quite often, among the missing items is motive. Facing such challenges, what can we as directors do?

Being a director is not easy these days. In recent years we have had to learn about EVA, and derivatives, and Black-Scholes, and other mysteries. Surely we should not be asked to master the world of...
