CSO: the art of catching the board's ear

Being a propeller head might get you so far in security, but it will be a security leader's finesse, business nous and human touch that will ensure security programs succeed.

The success of a CSO and the enterprise’s security strategy depends on awareness at the C-level of not just the threats, but their implications, making communications and building alliances outside IT the key to a CSO’s success.

The battle to secure data has become a more vicious and dynamic beast today, according to Mike Rothman, CEO of analyst firm Securosis, who says attackers now include actors with “very deep pockets” that tilt the balance of power in their favour. Add these to the chaos of hacktivists, well-organised cybercriminals, social media and Cloud computing, and the challenges that CSOs face in protecting corporate data become clear.

On the other side, the enterprise must acquire the right mix of security skills, and according to Andre Fernando Da Silva, former security and risk manager at ANZ Bank, now managing principal consultant at Dimension Data, there are many approaches to breathing life into the right security strategy but achieving it requires tact, the ability to build alliances and patience.

“Until business leaders see what the business needs, they are likely to do only the minimum that sometimes only manages to get compliance but not necessarily security,” says Da Silva. “Communications and building alliances outside IT is the key to a CSO’s success.”

That may be true, but whether it’s an airline, insurance company, or bank, getting a security project off the ground depends crucially on a CSO’s ability to translate the impact of a threat. That means building a team who can coordinate a business case the board understands as well as developing multiple threads of support within the broader organisation.

Sarv Girn, former CTO and CISO at Commonwealth Bank of Australia and former CTO at Westpac, now consulting at Qantas, says the biggest challenge in security is getting highly technical security personnel to explain in lay terms the threats and risks they are seeing.

“Following on from my period as the CTO for CBA, I was asked to become the CISO to drive a major security program. The biggest challenge as CISO was getting security professionals to share the issues in plain English and explain what is happening,” Girn tells CSO Australia.

“A lot of security people don’t like telling you because they feel that security needs to be very hush-hush. So, the biggest challenge is really getting people to explain to you the threat itself and what the impact would be if a security incident was to happen.

“As CTO, CIO and CISO, I make sure there are a handful of advocates outside of IT who are being informed of the threats and the risks the company faces and why we need to make these investments,” says Girn.

“You need your advocates, you need the fun training, and you need to explain things in your own language.” The team behind you will also define the success of your program, which means having a “mixture of skills which includes your hard core technical people,” says Girn.

“You can’t leave the technical guys out. You still need those people as well as the slightly less technical who probably didn’t come from security originally, but other IT people who can actually explain and engage the other people outside the team.”

Rothman agrees with Girn that failure to win CIO or board support for a security investment often comes down to not explaining, in human terms, the impact of an attack, and instead falling back on technical jargon such as advanced persistent threat (APT). That term was popularised in security circles after last year’s breach of RSA’s SecurID two-factor system, prior to RSA’s acquisition of NetWitness, which uses forensics and full packet capture technologies to detect threats.

“Specific threats have no meaning at the board level. It’s about the outcomes. If an outcome is a breach where an organisation would have to disclose to their customers, that will get senior level attention. Likewise, if there are audit deficiencies resulting in significant fines, that would get some attention too. But say ‘APT’ to a board member, they’ll have no idea what you are talking about,” says Rothman.

Girn says executives often ask whether it is safe to use Wi-Fi. A technically-minded person might say that 64-bit encryption is required, WPA is insufficient and that WPA2 with a hardened password is needed.

“To the average executive that doesn’t mean anything. It just scares them and tells them that they shouldn’t be using Wi-Fi, or worse still, they ignore what was said and use Wi-Fi in an unprotected manner.

“The right message from the security person should be that Wi-Fi can be set up securely for work. There is an older style of security on Wi-Fi, but make sure you don’t use that. Make sure you use the newer one. If you use the older one, people can still break in and look at your personal files and use your bandwidth and download your personal files.”

Another example is why a strip shredder, as opposed to a cross shredder, won’t ‘cut the mustard’.

“Explain to the layman that they should be using a shredder that shreds in crosses and not in lines because lines can be put back together,” says Girn, stressing the importance of providing examples and story-telling so people can relate to the topic.

“This is where a lot of the security people tend not to give examples, but there are many examples of break-ins as they relate to the average consumer or home-user, so to a board or a CIO — especially a CIO — you need to explain this because if a CIO doesn’t understand, you, as a CISO, have no hope of getting any funding.”
