Posts Tagged ‘Information’

Advertising – Precious Information Or Vicious Manipulation?

Is advertising the ultimate means to inform and help us in our everyday decision-making or is it just an excessively powerful form of mass deception used by companies to persuade their prospects and customers to buy products and services they do not need? Consumers in the global village are exposed to an increasing number of advertisement messages, and spending on advertisements is increasing accordingly.

It is no exaggeration to conclude that we are ‘soaked in this cultural rain of marketing communications’ through TV, press, cinema, Internet, etc. (Hackley and Kitchen, 1999). But whereas thirty years ago the marketing communication tools were used mainly as a product-centered tactical means, now the promotional mix, and advertising in particular, is focused on signs and semiotics. Some argue that the marketers’ efforts eventually are “turning the economy into symbol so that it means something to the consumer” (Williamson, cited in Anonymous, Marketing Communications, 2006: 569). One critical consequence is that many of the contemporary advertisements “are selling us ourselves” (ibid.).

The abovementioned process is influenced by the commoditisation of products and the blurring of consumers’ own perceptions of the companies’ offerings. In order to differentiate and position their products and/or services, today’s businesses employ advertising which is sometimes considered not only to be in bad taste, but also deliberately intrusive and manipulative. The issue of bad advertising is topical to such an extent that organisations like Adbusters have embraced the tactics of subvertising – revealing the real intent behind modern advertising. The Adbusters magazine editor-in-chief Kalle Lasn commented on the corporate image building communication activities of the big companies: “We know that oil companies aren’t really friendly to nature, and tobacco companies don’t really care about ethics” (Arnold, 2001). On the other hand, the “ethics and social responsibility are important determinants of such long-term gains as survival, long-term profitability, and competitiveness of the organization” (Singhapakdi, 1999). Without a communications strategy that revolves around ethics and social responsibility, the concepts of total quality and customer relationship building become elusive. However, there could be no easy clear-cut ethics formula of marketing communications.

ADVERTISING – PRECIOUS INFORMATION OR VICIOUS MANIPULATION?

In order to get insights into the consumer perception about the role of advertising we have reviewed a number of articles and conducted four in-depth interviews. A number of research papers reach opposed conclusions. These vary from the ones stating that “the ethicality of a firm’s behavior is an important consideration during the purchase decision” and that consumers “will reward ethical behavior by a willingness to pay higher prices for that firm’s product” (Creyer and Ross Jr., 1997) to others stressing that “although consumers may express a desire to support ethical companies, and punish unethical companies, their actual purchase behaviour often remains unaffected by ethical concerns” and that “price, quality and value outweigh ethical criteria in consumer purchase behaviour” (Carrigan and Attalla, 2001). Focusing on the advertising as the most prominent marketing communication tool we have constructed and conducted an interview consisting of four themes and nine questions. The conceptual frame of this paper is built on these four themes.

THEME I. The Ethics in Advertising

The first theme comprises two introductory questions about the ethics in advertising in general.

I.A. How would you define the ethics in advertising?

The term ethics in business involves “morality, organisational ethics and professional deontology” (Isaac, cited in Bergadaa’, 2007). Every industry has its own guidelines for the ethical requirements. However, the principal four requirements for marketing communications are to be legal, decent, honest and truthful. Unfortunately, in a society where the course of action of the companies is determined by profit targets the use of marketing communications messages “may constitute a form of social pollution through the potentially damaging and unintended effects it may have on consumer decision making” (Hackley and Kitchen, 1999).

One of the interviewed respondents stated that “the most successful companies do not need ethics in their activities because they have built empires.” Another view is that “sooner or later whoever is not ethical will face the negative consequences.”

I.B. What is your perception of the importance of ethics in advertising?

The second question is about the importance of being moral when communicating with/to your target audiences and the way consumers/customers view it. In different research papers we have found quite opposing conclusions. Ethics of business seems to be evaluated either as very important in the decision making process or as not really a serious factor in this process. An example of rather extreme stance is that “disaster awaits any brand that acts cynically” (Odell, 2007).

It may seem obvious that the responsibility should be carried by the advertiser because “his is the key responsibility in keeping advertising clean and decent” (Bernstein, 1951). On the other hand, the companies’ actions are defined by “the canons of social responsibility and good taste” (ibid.). One of the interviewees said:

“The only responsible for giving decent advertising is the one who profits at the end. Company’s profits should not be at the expense of society.”

Another one stated that “our culture and the level of societal awareness determine the good and bad in advertising”.

The increased importance of marketing communications ethics is underscored by the need of applying more dialogical, two-way communications approaches. The “demassification technologies have the potential to facilitate dialogue”, but the “monologic” attitude is still the predominant one (Botan, 1997). Arnold (2001) points out the cases of Monsanto and Esso which had to pay “a price for its [theirs] one-way communications strategy”. In this train of thought we may review ethics in advertisements from two different perspectives as suggested by our respondents and different points of view in the reviewed papers. The first one is that it is imperative to have one common code of ethics imposed by the law. The other affirms the independence and responsibility of every industry for setting its own standards.

THEME II. Which type of regulation should be the leading one in the field of advertising?

The next theme directs the attention towards the regulation system which should be the primary one. Widely accepted opinion is that both self regulation and legal controls should work in synergy. In other words the codes of practice are meant to complement the laws. However, in certain countries there are stronger legal controls over the advertising, e.g. in Scandinavia. On the other hand the industry’s self regulation is preferred in the Anglo-Saxon world. Still, not everyone agrees with the laissez-faire concept.

One of our respondents said:

“I believe governments should impose stricter legal frame and harsher punishment for companies which do not comply with the law.”

Needless to say, the social acceptability varies from one culture/country to another. At the end of the day “good taste or bad is largely a matter of the time, the place, and the individual” (Bernstein, 1951). It would be also probably impossible to set clear-cut detailed rules in the era of Internet and interactive TV. Therefore, both types of regulation should be applied with the ultimate aim of reaching balance between the sacred right of freedom of choice and information and minimizing possible widespread offence. Put differently, the goal is synchronising the “different ethical frameworks” of marketers and “others in society” in order to fill the “ethics gap” (Hunt and Vitell, 2006).

THEME III. Content of Advertisements.

Probably the most controversial issue in the field of marketing communications is the content of advertisements. Nwachukwu et al. (1997) distinguish three areas of interest in terms of ethical judgment of ads: “individual autonomy, consumer sovereignty, and the nature of the product”. Individual autonomy is concerned with advertising to children. Consumer sovereignty deals with the level of knowledge and sophistication of the target audience, whereas ads for harmful products have been at the centre of public opinion for a long time. We have added two more perspectives to arrive at five questions in the conducted interviews. The first one concerns advertisements that imply a sense of guilt and praise affluence that in most cases cannot be achieved, and the second one is about advertisements stimulating desire and satisfaction through acquisition of material goods.

III.A. What is your attitude towards the advertisement of harmful products?

A typical example is the advertisement of cigarettes. Nowadays we cannot see slogans like “Camel Agrees with Your Throat” (Chickenhead, accessed 25th September 2007) or “Chesterfield – Packs More Pleasure – Because It’s More Perfectly Packed!” (Chickenhead, accessed 25th September 2007). The general advertisement, sponsorship and other marketing communications means are already prohibited to be used by cigarette producers. Surprisingly, most of the answers of the respondents were not against the cigarettes advertisement. One of the respondents said:

“People are well informed about the consequences of smoking so it is a matter of personal choice.”

As with many other contemporary products the shift in communications messages for cigarettes is oriented towards symbol and image building. The same can be said for the alcohol ads. A well-known example of emotional advertising is the Absolut Vodka campaign. From Absolut Nectar, through Absolut Fantasy to Absolut World the Swedish drink actually aims to be Absolut… Everything.

Advertising of hazardous products is even more harshly criticised when it is aimed at audiences with low individual autonomy, i.e. children. Two main issues in this respect are the manipulation of cigarettes and alcohol as “the rite of passage into adulthood” and the fact that “sales of health-hazardous products (alcohol, cigarettes) develop freely without much disapproval” (Bergadaa, 2007).

III.B. What is your attitude towards the advertisement to children?

Children are not only customers, but also consumers, influencers and users in the family Decision-Making Unit (DMU). An additional difficulty is that they are too impressionable to be deciders in the DMU. At the same time it is not a secret that marketers apply “the same basic strategy of trying to sell the parent through the child’s insistence on the purchase” (Bernstein, 1951). It is not a surprise then that “spending on advertising for children has increased five-fold in the last ten years and two thirds of commercials during child television programs are for food products” (Bergadaa 2007). In the US alone children represent a direct purchase market worth $24 billion (McNeal cited in Bergadaa, 2007), which certainly is at the top of the agendas of many companies. While exploiting children’s decision-making immaturity, advertisers often go too far in dematerialising their products and “teleporting children out of the tangible and into the virtual world of brand names” (Bergadaa 2007). Teenage virtual worlds like Habbo where snack food brands run advertising campaigns are already a fact of life (Goldie, 2007). The imaginative worlds are popular not only online. McDonald’s has been hugely successful at creating a fantasy world. The company tops the European list of kids’ advertisers while more than half of the children’s adverts are for junk food.

In some countries there are harsher restrictions to the children advertising.

• “Sweden and Norway do not permit any television advertising to be directed towards children under 12 and no adverts at all are allowed during children’s programmes.
• Australia does not allow advertisements during programmes for pre-school children.
• Austria does not permit advertising during children’s programmes, and in the Flemish region of Belgium no advertising is permitted 5 minutes before or after programmes for children.
• Sponsorship of children’s programmes is not permitted in Denmark, Finland, Norway and Sweden while in Germany and the Netherlands, although it is allowed, it is not used in practice.” (McSpotlight, accessed 20th September 2007).

According to a research by Roberts and Pettigrew (2007) the most frequent themes in children advertising are “grazing, the denigration of core foods, exaggerated health claims, and the implied ability of certain foods to enhance popularity, performance and mood.” But the junk food is not the only reason for parents’ preoccupation. According to a study of Kaiser Family Foundation (Dolliver, 2007) parents are concerned about the amount of advertising of the following products (in order of importance): toys, video games, clothing, alcohol/beer, movies, etc.

The interviewed respondents were unanimous: “The advertising to children should be strictly monitored.” Similar results were obtained in surveys by Rasmussen Reports and Kaiser Family Foundation. Nevertheless, the legal means are just one part of the children’s protection. The other part involves “the decision-making responsibility of parents and teachers” which is “to assist their children in developing a skeptical attitude to the information in advertising” (Bergadaa 2007). The marketers themselves should also be involved in shaping the moral system of our future and “each brand should have its own deontology – a code of practice regarding children – rather than rely on industry codes” (Horgan, 2007).

III.C. Do you think there are many misleading, exaggerating and confusing advertisements? Are many ads promising things that are not possible to achieve?

It is no exaggeration to state that advertising is in a sense “salesmanship addressed to masses of potential buyers rather than to one buyer at a time” (Bernstein, 1951). Since “salesmanship itself is persuasion” (ibid.) we cannot merely blame advertisers for pursuing their sales goals. However, in the last twenty years or so advertisers have increasingly applied semiotics in their messages and as a consequence ads have begun to function more and more as symbols. One extreme case in this stream of advertising is the creation of an idealised image of a person who uses the advertised product. Bishop (2000) draws our attention to two “typical representatives of self-identity image ads” which entice consumers to project the respective images onto themselves through use of the products:

- “The Beautiful Woman”;
- “The Sexy Teenagers”.

Through setting of such stereotypes advertisers not only mislead the public and exaggerate the effects of products but also provoke low self-esteem in consumers. At the same time they promise results that in most cases are simply impossible to achieve. Instead of promoting “‘glamorous’ anorexic body images” communication messages should use “varied body types” and should drop the idea of the “impossible physical body images” (Bishop, 2000).

To question III.C one of the respondents commented:

“The customers of these products [the ones advertised through thin models] are mostly people who do not have the same physical characteristic. For me, this type of advertising is deliberately aimed at people to make them feel not complete, far from attractive social outsiders.”

However, another interviewee stated that: “every person has his own way of evaluating what is believable and what is misleading. Consumers are enough sophisticated to know what is exaggerated.”

Similarly, Bishop (2000) concludes that “image ads are not false or misleading”, and “whether or not they advocate false values is a matter for subjective reflection.” The author argues that image ads do not interfere with our internal autonomy and if people are misled, it is because they want it. It is all about our free choice of behaviour and no advertisement can modify our desires. Perhaps, the truth lies somewhere in-between the two extreme positions.

III.D. What is your attitude towards advertisements that imply a sense of guilt, and praise affluence that in most cases cannot be achieved?

A more specific case of controversial advertising is the one used to “promote not so much self indulgence as self doubt”; the one that “seeks to create needs, not to fulfill them: to generate new anxieties instead of allaying old ones” (Hackley and Kitchen, 1999). A response of our interviewee reads:

“It is not only a matter of advertising. It has to do with the social inequality and the desire to possess what you can not.”

Hackley and Kitchen (1999) refer to this discrepancy as to “when reality does not match the image of affluence and the result is a subjective feeling of dissonance”. The issue could be elaborated further through the next question.

III.E. Are advertisements stimulating desire and satisfaction through acquisition of material goods moral?

We live in a society which is more or less marked by materialism. Advertisements are often blamed to fuel consumption which is allegedly leading to happiness. The role of promoting satisfaction through acquisition of material goods has become so important that currently the “media products are characterised by relativism, irony, self referentiality and hedonism” (Hackley and Kitchen, 1999). Is the popular saying “those who die with most toys win” really a motivator in consumers’ behavior and could consumption be the cure of emotional dissonance? This seems to be the case provided a brand succeeds to enter in the evoked set of consumer choices. This new “kind of materialism” goes hand in hand with “the emergence of individualism via sheer hedonism along with narcissism and selfishness” (Bergadaa 2007).

THEME IV. Is the quantity of advertisements justified?

IV.A. Do you think there is too much advertising?

An audit of food advertising aimed at children in Australia by Roberts and Pettigrew (2007) revealed that “28.5 hours of children’s television programming sampled contained 950 advertisements.” Actually, we all are being bombarded by ads on TV, Internet, print media, etc. The amount and content of marketing communications messages puts the consumer’s information processing capacity to a test. The exposure to marketing data overload often leads to diluted consumer’s selective perception. Whether our responses are circumscribed by “confusion, existential despair, and loss of moral identity” or we “adapt constructively to the [communications] Leviathan and become intelligent, cynical, streetwise” (Hackley and Kitchen, 1999) is a question open to debate.

Two opposite streams of attitudes were produced in our research. One stance is concerned with the undue quantity of advertisement. The other stream proclaims that “If there is an advertisement, so it is justified by a need.” We agree that the communications overload may indeed have “pervasive effect on the social ecology of the developed world” (Hackley and Kitchen, 1999). If the increasing communication pollution is not managed properly by both legal and industry points of view yet again the advertising will manage “to hoist its foot to its own mouth and kick out a couple of its own front teeth” (Bernstein, 1951).

CONCLUSION

In preparing this paper we have used qualitative depth interviews in order to get insights into what actual customers think. We have also substantiated our presentation with references to a number of influential articles in the field of ethics in marketing communications. Generally, our respondents as well as various authors have taken two opposing stances. The first one affirms that ethics in marketing communications matters considerably, whereas the other one downplays the importance of ethics, thereby stressing the role of other factors in consumer decision-making, i.e. price, brand loyalty, convenience, etc.

Marketers should understand their “responsibility for the emerging portrait of future society” (Bergadaa 2007). Not only is there a need for a legal ethical frame, but professional ethical benchmarks and deontology should also be in place. One of the main challenges is to avoid creating “a happy customer in the short term”, because “in the long run both consumer and society may suffer as a direct result of the marketer’s actions in ‘satisfying’ the consumer” (Carrigan and Attalla, 2001).

The strength of the advertisement influence exerted on consumers is only one part of the equation. On the other hand we may affirm that consumers are not morally subservient and according to the information process models there is a natural cognitive defense. The communications tools “offer us a theatre of our own imagination” (Hackley and Kitchen, 1999). Consequently, we accept the reality in terms of our own experiences. In this sense marketers do not create reality – they are simply a mirror of the society. We may argue that unfortunately this is not always the case.

Advertising is often deservedly seen as the embodiment of consumer freedom and choice. Notwithstanding this important role, when the choice is “between one candy bar and another, the latest savoury snack or sweetened breakfast cereal or fast food restaurant” (McSpotlight, accessed 20th September 2007) it represents anything but an alternative, and certainly not a healthy one.

The words of Bernstein (1951), said fifty-six years ago, are still very much a question of present interest: “It is not true that if we ‘save advertising, we save all,’ but it seems reasonable to assume that if we do not save advertising, we might lose all.”

REFERENCES:
Anonymous (2006). Module Book 6, Marketing Communications, University of Leicester.
Arnold, M. (2001). Walking the Ethical Tightrope (Marketing Corporate Social Responsibility), Marketing, 7/12/1001, p. 17.
Bergadaa M. (2007). Children and Business: Pluralistic Ethics of Marketers, Society and Business Review, Vol. 2, No. 1, pp. 53-73.
Bernstein, S. R. (1951). Good Taste in Advertising, Harvard Business Review, Vol. 29, No. 3, pp. 42-50.
Bishop, J. D. (2000). Is Self-Identity Image Advertising Ethical?, Business Ethics Quarterly, Vol. 10, No. 2, pp. 371-398.
Botan, C. (1997). Ethics in Strategic Communication Campaigns: The Case for a New Approach to Public Relations, Journal of Business Communication, Vol. 34, No. 2, pp. 188-202.
Carrigan, M. and Attalla, A. (2001). The Myth of the Ethical Consumer – Do Ethics Matter in Purchase Behaviour?, Journal of Consumer Marketing, Vol. 18, No. 7, pp. 560-577.
Chickenhead, ‘Truth in advertising’. Online. Available at: chickenhead.com/truth/chesterfield6.html (accessed 25th September 2007).
Chickenhead, ‘Truth in advertising’. Online. Available at: chickenhead.com/truth/camel1.html (accessed 25th September 2007).
Creyer, E. H. and Ross Jr. W. T. (1997). The Influence of Firm Behavior on Purchase Intention: Do Consumers Really Care About Business Ethics?, Journal of Consumer Marketing, Vol. 14, No. 6, pp. 421-432.
Dolliver, M. (2007). A Parental Dim View of Advertising, Adweek, Vol. 48, No. 26, pp. 25.
Goldie, L. (2007). Brands Free To Use Virtual Worlds To Target Kids, New Media Age, 8/9/2007, p. 2.
Hackley, C. E. and Kitchen P. J. (1999). Ethical Perspectives on the Postmodern Communications Leviathan, Journal of Business Ethics, Vol. 20, No. 1, pp. 15-26.
Horgan, S. (2007). Online Brands Need Their Own Ethical Guidelines, Marketing Week, Vol. 30, No. 26, p. 30.
Hunt, S. D. and Vitell, S. J. (2006). The General Theory of Marketing Ethics: A Revision and Three Questions, Journal of Macromarketing; Vol. 26, No. 2, pp. 143-153.
McSpotlight, ‘Advertising to children, UK the worst in Europe’ Online. Available at: mcspotlight.org/media/press/food_jan97.html, (accessed 20th September 2007).
Nwachukwu, S.L.S, Vitell, Jr. S.J., Gilbert, F.W., Barnes, James H. (1997). Ethics and Social Responsibility in Marketing: An Examination of the Ethical Evaluation of Advertising Strategies, Journal of Business Research, Vol. 39, No. 2, pp. 107-118.
Odell, P. (2007). Marketing under the Influence, Promo, Vol. 20, No. 6, p. 27.
Roberts, M. and Pettigrew, S. (2007). A Thematic Content Analysis of Children’s Food Advertising, International Journal of Advertising, Vol. 26, No. 3, pp. 357-367.
Singhapakdi, A. (1999). Perceived Importance of Ethics and Ethical Decisions in Marketing, Journal of Business Research, Vol. 45, No. 1, pp. 89-99.
Stanford University, ‘Alcoholic Advertisements’. Online. Available at: stanford.edu/class/linguist34/advertisements/alcohol ads/index.htm, (accessed 20th September 2007).
Vintage Virginia Slims, Online. Available at: freenet-homepage.de/mshel120/vintage/vintage-vs.html, (accessed 25th September 2007).

Small Business Information You Should Know

What are small businesses?

Small businesses are businesses with fewer staff. The staff limit is different for different areas. These businesses are generally owned by individuals or are started in partnerships. Other criteria for deciding what counts as a small business are the turnover and profit. The lower the turnover or the profit, the smaller the business. The smallest businesses are called ‘micro businesses’ and those managed by families are called ‘mom and pop businesses’. These smaller businesses generally have from 0 to 10 employees. Many times, the owners are the workers in these businesses.

Advantages in small business:

The basic advantage of starting a small business is that you need less capital and money to start the business. Also, one can start a small business on a part-time basis. The basis of a successful business is the regular modifications that one makes to it. In small businesses these modifications can be made easily, as one does not need to follow any trend or face any compulsions, unlike in big businesses. Also, a small business can give much more to its customers than a big one, as it has the power to give each and every customer the required personal attention, take into account all the suggestions and even implement some of them. Small businesses provide daily bread to many people and thus are very important.

Marketing small businesses:

The most common methods of marketing small businesses are customer referrals, mouth publicity, radios, newspapers, internet, directories, boards, etc. Television ads can be a bit expensive for advertising small businesses. Internet marketing is considered the most cost effective and result oriented method of marketing small businesses. The ads can be placed on websites or even search engine web pages. The costs are decided on the size of the ad and thus can be easily moderated.

Small business ideas:

- Franchisee business: this is one of the extremely profitable ideas of a small business. The only things that you need to start this business are a place and some capital. The best part of this business is that the things that you sell are already quite famous in the market and thus you need to do very little expenses on the marketing.

- Event planner: if you know the knack of organizing things perfectly, then you can become an event planner. You need to plan out meetings, parties, weddings and other such get-together for your customers in the given budget. The best part of this job is that it is extremely interesting and your work does the marketing for you.

- Computer repair: if you have done any hardware or software course or have learned any computer language then you can start the work of computer repairing. You just need to sort out simple problems in computers. The best part of this job is that you get to learn a lot more than you have about computers. But, you should do only the work that you can manage and avoid doing any guess work.

Information Security and Business Management: The History and Reality of Misconceptions, recommend, new approach

We published an article in Information Security Journal: A Global Perspective, 17:1 – 6, 2008 “General Misconceptions about Information security Lead to Insecure World” [1]. We would like to return to its ideas and discuss them from a slightly different perspective as problems we identified are large in scope and cannot be addressed in a single article.

The evolution of Information Systems (InfoSys) and information exchange opportunities caused the Dark Force to adopt and evolve its weapons from simple boot sector viruses and cunning social engineering to botnets and Hacking Services Industry (HSI) establishment. The latter grows in parallel with Information Security (InfoSec) Industry and has its own research and development, services and information for sale and, as the result, profits measured in billions of dollars.

Continuous InfoSec failures both in government and commercial systems are raising questions not just about mishandling, sloppiness, or incompetence, but also whether basic InfoSec concepts as we know them are in fact correct. We need to reevaluate the way we go about security business as a whole.

We identified the problem as the use of InfoSys methods and principles of operation in a completely different business, namely InfoSec.

Being Reactive or Proactive?

We need to admit that HSI is always one step ahead of InfoSec, except when the FBI or international enforcement authorities apprehend a few hackers. In general, InfoSec is reactive by its nature, as we understand it. It started its existence as a defensive system, fixing problems and finding a technology solution to new threats or overwhelming attacks.

Staying on the defensive means a disadvantageous position PR-wise. As a result, the battles are judged based on successful hacking attacks, and the fact that the majority of attacks fail due to defense is often overlooked.

Almost all current InfoSec technologies are defense-based, meaning “reactive”: firewalls, IDS/IPS, anti-malware measures, etc. What could be proactive in this case? For instance, anti-bot searching software like web robots, which scan the Internet for botnets.

Such a “reactive” approach comes from InfoSys, which was, is, and will be a business-oriented set of naturally “reactive” services. InfoSec has its roots in InfoSys, and very often their paths cross. However, InfoSys and InfoSec are different. Thus, we need to move forward with completely different methods based on InfoSec needs. Otherwise, the battle will always be lost to a more proactive enemy.

There were some attempts to develop methods of active defense, but the problem extends beyond technology. There is no legal basis for such active defense, and legal issues are expected to arise.

Our Vision: Active InfoSec defense should be legally permitted in this country, and the rest of the world will follow. We need to utilize offensive methods in addition to defensive.

Separation of duties

Separation of duties is one of the basic security principles. The discussion of the managerial separation of InfoSys and InfoSec took quite a while before settling. A majority of security professionals agreed that the two services should be divided. However, each organization arbitrarily determines for itself what kind of division is better. Unfortunately, InfoSys management usually considers InfoSec a branch of InfoSys, with all the implications that follow. It is a very traditional point of view and, as we discussed above, comes from the early days of InfoSec.

Money also matters. A bigger budget means more power to control. The opinion of InfoSys management is that security is a “business oriented service”, and should stay bound to InfoSys. We, however, see InfoSec as a Security service, not as a “business oriented” one. It should be completely separated from InfoSys management even if management claims that the organization cannot afford it. We think that if an organization has an InfoSys group, then it should have at least one InfoSec person who does not belong to that group.

There is a tendency in InfoSys that makes complete separation very urgent. We see that InfoSys is more and more often managed based on budget, not on technical or organizational needs. The major criterion is money. The outcome is global outsourcing, which frequently results in an inability to manage both the outsourcing and the technology. We’ve seen multiple examples where an entire InfoSys function was outsourced to a services company, leaving only a small group of managers to handle the budget and the relationship between the organization and the contractor. Within a couple of years this group realized that it did not have people with the expertise to understand where InfoSys should develop technically, what the possible solutions were, etc. They ended up blindly relying on the contractor without knowing what the result should be. Extending this practice to InfoSec is extremely dangerous, regardless of what security services providers might tell you. You can very easily lose control of your organization’s security if you depend only on what the provider says.

Our vision: InfoSec management should be completely organizationally independent from InfoSys management. Methods of InfoSys management are not aligned with InfoSec goals.

Why are we late?

Let’s discuss why InfoSec is frequently late in securing business assets. Basically, we are talking about the final result, not intermediate activities.

In our article [1] we discussed an interesting case where it took 60 days to change 60 blank administrator passwords on a government-controlled enterprise network. It was a typical security situation where a fast and easy fix was possible. However, it took 60 days instead of the couple of days it would have taken had a system administrator simply walked around the campus fixing passwords. Considering that all computers could be accessed by local personnel, it should not have taken more than a couple of hours.

Another interesting case came from one of the major US (as well as world) banks. A newly arrived security consultant needed a PC on the local network with certain access to shared network drives. It took two months (!) to finally get everything settled. The computer alone took one (!) month to set up. We see a magic number here, as two months is about 60 days, just as in the first case.

In both cases, security and general InfoSys requests went through a multi-level support structure. It probably does not matter exactly what the hierarchy was in each case. Everyone tends to act and react slowly unless it is an extreme emergency. So, our first example shows InfoSys request processing copied into InfoSec. We think we need not explain the danger and consequences of having a blank password, and that such requests should be treated by InfoSec in a completely different way.

Our vision: A copycat approach to management structure and methods, for instance copying service request processing from InfoSys to InfoSec, endangers business assets. As stated above, methods of InfoSys management are not aligned with InfoSec’s goals. When it comes to security issues, the time of slow multi-level response must come to an end.

Local or global focus

In the world of InfoSys, a blank administrator password does not affect any business functions, business connections, or company image. InfoSys generally does not care what happens outside of its local perimeter. And it does not even matter if the password never gets fixed.

In the world of InfoSec, a blank administrator password creates the obvious exposure of a completely open computer and should be fixed as soon as possible. Compromised computers will definitely represent some danger to the outside world as bots, sources of viruses, spamming, etc.

This is purely InfoSec’s concern.

Subsequently, we can draw the following conclusion:

- InfoSec considers local as well as global interests, while the InfoSys approach focuses almost solely on local business interests.

- The same issues that are not considered problematic from InfoSys’ point of view could potentially present far-reaching problems for InfoSec.

Our vision: Our world is interconnected. Our security dependencies are interconnected. The age of local thinking (InfoSys) should be coming to an end.

Jacks of All Trades: The System Administrator and the Security Analyst

Another aspect of InfoSys influence on security matters comes through personnel management. A typical job requirements list for a system administrator contains a “laundry list” of operating systems, software, hardware, etc. We see a very similar “laundry list” approach in InfoSec hiring. This identikit comes from management’s lack of understanding of InfoSec and its unique needs. If a system administrator is extremely busy working on his assigned projects and fails to complete 10% of the tasks, it is, in all likelihood, not a severe problem. In fact, the majority of InfoSys administration tasks are not critical when it comes to possible business impact. However, if we take the same approach to security tasks, a 10% failure to complete is not acceptable. It is just like leaving your house with one in ten of its doors wide open. A firewall that is 10% misconfigured, or 10% of computers lacking a security upgrade when a new exploit is coming, could have a heavy impact on the business. A security job cannot be judged by the same criteria as an InfoSys job. Use of a “laundry list” is inappropriate. Hiring should be focused on subject matter professionals in one or two major aspects important for the organization. If there is a need to cover more subjects, then another professional should be hired. When it comes to senior and leading positions, candidates should be, again, technically proficient in one or two areas (thus potentially capable of navigating through some other technical aspects) and certified by leading organizations like (ISC)² to provide wide-spectrum expertise.

Our vision: Hiring security professionals by InfoSys rules is, at the least, unwise. The InfoSec job is all about security and cannot be treated, in either quantity or quality, as just an extension of the system administrator’s job function. Find a professional and educate them to your needs.

Management’s Technical Expertise

While some level of technical expertise is expected from someone in a high-level InfoSys management position, the primary focus is the business side, not the technical side. The US government lists an MBA with strong communication and administrative skills as the major requirement for an InfoSys Manager position. The Government’s intention to avoid hard technical work and get by just by moving papers and money around is understandable. Having an MBA for this kind of job is definitely sufficient. However, InfoSec is a completely different story. Erroneous decision making based on a lack of technical expertise will have devastating consequences in security. A Security Manager should be a technical professional (see previous paragraph), well educated (MS or Ph.D.) and certified.

Our vision: Strong technical education and certification are required for InfoSec management. An MBA is not desirable.

On par with the business management

There is a very popular opinion that InfoSec should always seek a good relationship with, and support and understanding from, business management for its planned activity. Should the security of an organization, be it large or small, always depend on a business manager’s limited technical expertise and understanding of security matters? This is especially troubling today, when the complexity of both security systems and the threats they face can frequently be beyond the understanding of a manager with the very basic technical education covered in an MBA degree.

Today’s business can no longer divorce itself from or ignore security issues. Companies all over the world are connecting to the Internet in the normal course of doing business. The global economy is based on global access to resources. If the Internet is crippled, the global economy will suffer. While remaining largely insignificant from the business management point of view, a security event can pose a real threat to the company’s livelihood and to other businesses as well. Thus business and security, while having different goals and means of activity, are tightly bound together and basically cannot be separated from each other.

Our vision: The goals of business and security have become equally important. Security serves business as business serves security. The dominance of business management, basically acceptable in InfoSys, leads to insecure decision making in InfoSec.

Conclusion

If we want our InfoSec to function, we need to forget about our currently prevalent InfoSys approach. Each InfoSec function should be carefully researched and weighed in light of its primary goal – to protect. It is no longer a business goal; it is instead a security goal. How do you decide how much to spend on the security of your company? Any amount justified by expert opinion and thorough research is not a waste if it goes toward building up your company’s security infrastructure and systems. A single InfoSec breach can incur hundreds of millions in losses or, in some cases, bring an entire company to its knees.

Business management must understand that the information environment has changed drastically as compared to what it was 20, or even 10 years ago. We have vastly improved capabilities for sharing and transferring information, but at the same time we now face a large variety of new threats. Today, it is not uncommon to see an old managerial structure fail to respond, sometimes with catastrophic results, to an ever-escalating number, complexity, and strength of cyber attacks.

This new information environment requires new managerial structures and solutions.

We once tried to discuss, and still consider valuable, our idea of having two independent governing branches in each “good citizen” corporation. One branch is traditional business management (Chief Executive Officer) and the other is security management – Chief Security Officer (CSO). This idea might be viable, as the US Government has three complementary branches which, on balance, work well together, as evidenced by the history of our country. The responsibilities of the CSO should be extended to include not just InfoSec, but Financial Security as well. We’ve seen a lot of financial misconduct in the last several years, and only an appropriate corporate governing structure with an independent CSO and overall audit functions can put a stop to this misconduct.