CSO: the art of catching the board's ear

Being a propeller head might get you only so far in security, but it will be a security leader's finesse, business nous and human touch that ensure security programs succeed.

The success of a CSO and the enterprise’s security strategy depends on awareness at the C-level of not just the threats, but their implications, making communications and building alliances outside IT the key to a CSO’s success.

The battle to secure data has become a more vicious and dynamic beast today, according to Mike Rothman, CEO of analyst firm Securosis, who says attackers now include actors with “very deep pockets” that tilt the balance of power in their favour. Add these to the chaos of hacktivists, well-organised cybercriminals, social media and Cloud computing, and the challenges that CSOs face in protecting corporate data become clear.


On the other side, the enterprise must acquire the right mix of security skills, and according to Andre Fernando Da Silva, former security and risk manager at ANZ Bank, now managing principal consultant at Dimension Data, there are many approaches to breathing life into the right security strategy but achieving it requires tact, the ability to build alliances and patience.

“Until business leaders see what the business needs, they are likely to do only the minimum that sometimes only manages to get compliance but not necessarily security,” says Da Silva. “Communications and building alliances outside IT is the key to a CSO’s success.”

That may be true, but whether it’s an airline, insurance company, or bank, getting a security project off the ground depends crucially on a CSO’s ability to translate the impact of a threat. That means building a team who can coordinate a business case the board understands as well as developing multiple threads of support within the broader organisation.

Sarv Girn, former CTO and CISO at Commonwealth Bank of Australia and former CTO at Westpac, now consulting at Qantas, says the biggest challenge in security is getting highly technical security personnel to explain in lay terms the threats and risks they are seeing.

“Following on from my period as the CTO for CBA, I was asked to become the CISO to drive a major security program. The biggest challenge as CISO was getting security professionals to share the issues in plain English and explain what is happening,” Girn tells CSO Australia.

“A lot of security people don’t like telling you because they feel that security needs to be very hush-hush. So, the biggest challenge is really getting people to explain to you the threat itself and what the impact would be if a security incident was to happen.

“As CTO, CIO and CISO, I make sure there are a handful of advocates outside of IT who are being informed of the threats and the risks the company faces and why we need to make these investments,” says Girn.

“You need your advocates, you need the fun training, and you need to explain things in your own language.” The team behind you will also define the success of your program, which means having a “mixture of skills which includes your hard core technical people,” says Girn.

“You can’t leave the technical guys out. You still need those people as well as the slightly less technical who probably didn’t come from security originally, but other IT people who can actually explain and engage the other people outside the team.”

Rothman agrees with Girn that failing to gain support for a security investment from the CIO or board often comes down to a failure to explain — in human terms — the impact of an attack, rather than resorting to technical jargon such as advanced persistent threat (APT) — a term popularised in security circles after RSA’s SecurID two-factor system breach last year, prior to its acquisition of NetWitness, which uses forensics and full packet capture technologies to detect threats.

“Specific threats have no meaning at the board level. It’s about the outcomes. If an outcome is a breach where an organisation would have to disclose to their customers, that will get senior level attention. Likewise, if there are audit deficiencies resulting in significant fines, that would get some attention too. But say ‘APT’ to a board member, they’ll have no idea what you are talking about,” says Rothman.

Girn says executives often ask whether it is safe to use Wi-Fi. A technically-minded person might say that 64-bit encryption is required, WPA is insufficient and that WPA2 with a hardened password is needed.

“To the average executive that doesn’t mean anything. It just scares them and tells them that they shouldn’t be using Wi-Fi, or worse still, they ignore what was said and use Wi-Fi in an unprotected manner.

“The right message from the security person should be that Wi-Fi can be set up securely for work. There is an older style of security on Wi-Fi, but make sure you don’t use that. Make sure you use the newer one. If you use the older one, people can still break in and look at your personal files and use your bandwidth and download your personal files.

Another example is why a strip shredder, as opposed to a cross shredder, won’t ‘cut the mustard’.

“Explain to the layman that they should be using a shredder that shreds in crosses and not in lines because lines can be put back together,” says Girn, stressing the importance of providing examples and story-telling so people can relate to the topic.

“This is where a lot of the security people tend not to give examples, but there are many examples of break-ins as they relate to the average consumer or home-user, so to a board or a CIO — especially a CIO — you need to explain this because if a CIO doesn’t understand, you, as a CISO, have no hope of getting any funding.”

3 Comments

Mark Hatton


While a company’s safety can depend on improving communication between the CEO and CISO, as this article says, our recent survey found that 36 percent of CEOs don’t deem it necessary to get IT security briefings. Check out our CORE Security blog post here for more findings: http://bit.ly/MAAnfy

Andre Fernando Da Silva


IT and Information Security Management practices have come a long way in improving the way security is planned, assessed and managed, but they still depend on people communicating well to ensure organizations achieve the best from them. That means security professionals at all levels need to mature their skills in how to communicate and set a tone that makes sense for specific organizations. The IT/IS Security Business Case is a good place to start learning the language.

Organization culture plays a critical role, and if you don't align well with it I would say you should keep investing in building internal relationships. Find the right people to help you sell the message. Use spies to tell you how best to communicate with senior managers. It is not an exact science, and our job is to be creative and optimistic, keeping the focus on our success.

In my experience working with different industries and cultural backgrounds, I have to say that there is no recipe that fits all organizations. I would recommend our community to be open-minded, to listen to every organization we work with and to be willing to adapt and change our practices to win the game.

Start assisting your organization or customer on enabling efficient communication between the board and directors. The Security Committee Charter must be in your priorities.

Andre
