Sell security to individual executives, not entire boards: Dragonfly CISO


Jamie Fisher, CISO at Dragonfly Technologies

Despite the growing profile of modern security threats, many Australian executives still suffer a “flagrant lack of understanding” of their risk profiles – and efforts by CSOs to educate them otherwise are often both fruitless and frustrating, a 22-year security industry veteran has claimed.

Jamie Fisher, CISO with IT-security consultancy Dragonfly Technologies, has worked both as a CSO and in his current role implementing security technologies. His most recent previous role was as general manager of information security with NBN Co, and he previously worked as global head of security with Verizon Business’ EMEA operations.

Speaking in a panel discussion at IBM’s recent Pulse service management conference, Fisher said his experience had shown that pushing IT security to a boardroom full of senior executives can be extremely difficult.

“There’s no use trying to drive security from a technology level right up to the board, because the board is just going to be confused,” he explained.

“It has been a hard sell to try to talk security to a broad spectrum of individuals around a table. It is much easier to have a one-to-one discussion with individual CSOs and executives about individual risks on the same business, and then trying to channel my efforts to help them get to where they want to be.”

Risk remediation has been more complex in many companies because they still don’t recognise security at the executive level: “it was quite surprising to come to Australia and see that there are large-sized enterprises out there that do not have a CSO function,” Fisher, who previously served in a number of Europe-based roles, said.

Despite the relatively low level of awareness, selling security solutions into such environments has proved more effective when skipping “unethical and immoral” hard-sell discussions based mainly on fear, uncertainty, and doubt.

Rather, Fisher said, the key to getting executives to care more about security was to couch the discussion in terms of business risk.

“It’s about making security tradeoffs based on straightforward calculations,” he explained. “We as security professionals tend to analyse what has happened and what is that liability – but you don’t have to be in security at all to understand business risk. CEOs understand business risk day in and day out. They are incredibly risk averse, and they understand what goes to affect their bottom lines.”

Lachlan McGill, manager of information security and risk with ME Bank and another speaker on the panel, agreed, recalling the time when he joined the company and met its CEO for the first time.

“He got introduced to me and said ‘So, Lachlan, how secure are we?’,” McGill recalled. “At that level, that’s all they want to know: what’s the risk to the organisation from security.”

“It’s all well and good to say ‘we’re missing 10 critical security patches on this server’ – but how do you map that back to a business risk? Not many security practitioners are really good at that. But that’s the world that he’s in.”

McGill pointed out what he calls ‘the two-minute rule’, referring to the length of time a CSO typically has to engage a senior executive before they start mentally moving on. “If you haven’t engaged them in those two minutes, they might be looking at you but they’re not listening to you,” he said.

“That’s why you have to map it back to risk and the business impact. When you go to sell security, don’t just say ‘this is the risk if we don’t do it’; be prepared to ask the questions like ‘what if we wait 12 months to do this?’ and so on. If you have all those scenarios mapped out beforehand, and all the risks for every scenario, you’ll find that you sell your message a lot better.”


Comments


Vladimir Jirasek


I attended a conference in Europe a few years ago and I heard this guy talk about deperimeterisation and building an extended enterprise. This is something IT folk are beginning to address only now. This article is 100% correct and the discussion has to be targeted at the right people. It's good to see more people like this in Australia.
