Sell security to individual executives, not entire boards: Dragonfly CISO
- — 21 June, 2013 09:46
Jamie Fisher, CISO at Dragonfly Technologies
Despite the growing profile of modern security threats, many Australian executives still suffer a “flagrant lack of understanding” of their risk profiles – and efforts by CSOs to educate them otherwise are often both fruitless and frustrating, a 22-year security industry veteran has claimed.
Jamie Fisher, CISO with IT-security consultancy Dragonfly Technologies, has worked both as a CSO and in his current role implementing security technologies. His most recent previous role was as general manager of information security with NBN Co, and he previously worked as global head of security with Verizon Business’ EMEA operations.
Speaking in a panel discussion at IBM’s recent Pulse service management conference, Fisher said his experience had shown that pushing IT security to a boardroom full of senior executives can be extremely difficult.
“There’s no use trying to drive security from a technology level right up to the board, because the board is just going to be confused,” he explained.
“It has been a hard sell to try to talk security to a broad spectrum of individuals around a table. It is much easier to have a one-to-one discussion with individual CSOs and executives about individual risks on the same business, and then trying to channel my efforts to help them get to where they want to be.”
In many companies, the process of risk remediation had been more complex because many companies still don’t recognise security at the executive level: “it was quite surprising to come to Australia and see that there are large-sized enterprises out there that do not have a CSO function,” Fisher, who previously served in a number of Europe-based roles, said.
Despite the relatively low level of awareness, selling security solutions into such environments has proved more effective when skipping “unethical and immoral” hard-sell discussions based mainly on fear, uncertainty, and doubt.
Rather, Fisher said, the key to getting executives to care more about security was to couch the discussion in terms of business risk.
“It’s about making security tradeoffs based on straightforward calculations,” he explained. “We as security professionals tend to analyse what has happened and what is that liability – but you don’t have to be in security at all to understand business risk. CEOs understand business risk day in and day out. They are incredibly risk averse, and they understand what goes to affect their bottom lines.”
Lachlan McGill, manager of information security and risk with ME Bank and another speaker on the panel, agreed, recalling the time when he joined the company and met its CEO for the first time.
“He got introduced to me and said ‘So, Lachlan, how secure are we?’,” McGill recalled. “At that level, that’s all they want to know: what’s the risk to the organisation from security.”
“It’s all well and good to say ‘we’re missing 10 critical security patches on this server’ – but how do you map that back to a business risk? Not many security practitioners are really good at that. But that’s the world that he’s in.”
McGill pointed out what he calls ‘the two minute rule’, referring to the length of time a CSO typically has to engage a senior executive before they start mentally moving on. “If you haven’t engaged them in those two minutes, they might be looking at you but they’re not listening to you,” he said.
“That’s why you have to map it back to risk and the business impact. When you go to sell security, don’t just say ‘this is the risk if we don’t do it’; be prepared to ask the questions like ‘what if we wait 12 months to do this?’ and so on. If you have all those scenarios mapped out beforehand, and all the risks for every scenario, you’ll find that you sell your message a lot better.”