CSO: the art of catching the board's ear
18 June, 2012 11:53
The success of a CSO and the enterprise’s security strategy depends on awareness at the C-level of not just the threats, but their implications, making communications and building alliances outside IT the key to a CSO’s success.
The battle to secure data has become a more vicious and dynamic beast today, according to Mike Rothman, CEO of analyst firm Securosis, who says attackers now include actors with “very deep pockets” that tilt the balance of power in their favour. Add these to the chaos of hacktivists, well-organised cybercriminals, social media and Cloud computing, and the challenges that CSOs face in protecting corporate data become clear.
On the other side, the enterprise must acquire the right mix of security skills. According to Andre Fernando Da Silva, former security and risk manager at ANZ Bank, now managing principal consultant at Dimension Data, there are many approaches to breathing life into the right security strategy, but achieving it requires tact, the ability to build alliances and patience.
“Until business leaders see what the business needs, they are likely to do only the minimum that sometimes only manages to get compliance but not necessarily security,” says Da Silva. “Communications and building alliances outside IT is the key to a CSO’s success.”
That may be true, but whether it’s an airline, insurance company, or bank, getting a security project off the ground depends crucially on a CSO’s ability to translate the impact of a threat. That means building a team who can coordinate a business case the board understands as well as developing multiple threads of support within the broader organisation.
Sarv Girn, former CTO and CISO at Commonwealth Bank of Australia and former CTO at Westpac, now consulting at Qantas, says the biggest challenge in security is getting highly technical security personnel to explain in lay terms the threats and risks they are seeing.
“Following on from my period as the CTO for CBA, I was asked to become the CISO to drive a major security program. The biggest challenge as CISO was getting security professionals to share the issues in plain English and explain what is happening,” Girn tells CSO Australia.
“A lot of security people don’t like telling you because they feel that security needs to be very hush-hush. So, the biggest challenge is really getting people to explain to you the threat itself and what the impact would be if a security incident was to happen.
“As CTO, CIO and CISO, I make sure there are a handful of advocates outside of IT who are being informed of the threats and the risks the company faces and why we need to make these investments,” says Girn.
“You need your advocates, you need the fun training, and you need to explain things in your own language.” The team behind you will also define the success of your program, which means having a “mixture of skills which includes your hard core technical people,” says Girn.
“You can’t leave the technical guys out. You still need those people as well as the slightly less technical who probably didn’t come from security originally, but other IT people who can actually explain and engage the other people outside the team.”
Rothman agrees with Girn that failing to gain support for a security investment from the CIO or board often comes down to a failure to explain, in human terms, the impact of an attack, rather than relying on technical jargon such as advanced persistent threat (APT), a term popularised in security circles after RSA’s SecurID two-factor system breach last year, prior to its acquisition of NetWitness, which uses forensics and full packet capture technologies to detect threats.
“Specific threats have no meaning at the board level. It’s about the outcomes. If an outcome is a breach where an organisation would have to disclose to their customers, that will get senior level attention. Likewise, if there are audit deficiencies resulting in significant fines, that would get some attention too. But say ‘APT’ to a board member, they’ll have no idea what you are talking about,” says Rothman.
Girn says executives often ask whether it is safe to use Wi-Fi. A technically-minded person might say that 64-bit encryption is required, WPA is insufficient and that WPA2 with a hardened password is needed.
“To the average executive that doesn’t mean anything. It just scares them and tells them that they shouldn’t be using Wi-Fi, or worse still, they ignore what was said and use Wi-Fi in an unprotected manner.
“The right message from the security person should be that Wi-Fi can be set up securely for work. There is an older style of security on Wi-Fi, but make sure you don’t use that. Make sure you use the newer one. If you use the older one, people can still break in and look at your personal files and use your bandwidth and download your personal files.
“Another example is why a strip shredder, as opposed to a cross-shredder, won’t ‘cut the mustard’.
“Explain to the layman that they should be using a shredder that shreds in crosses and not in lines, because lines can be put back together,” says Girn, stressing the importance of providing examples and story-telling so people can relate to the topic.
“This is where a lot of the security people tend not to give examples, but there are many examples of break-ins as they relate to the average consumer or home-user, so to a board or a CIO — especially a CIO — you need to explain this because if a CIO doesn’t understand, you, as a CISO, have no hope of getting any funding.”