Sell security to individual executives, not entire boards: Dragonfly CISO

Jamie Fisher, CISO at Dragonfly Technologies

Despite the growing profile of modern security threats, many Australian executives still suffer a “flagrant lack of understanding” of their risk profiles – and efforts by CSOs to educate them otherwise are often both fruitless and frustrating, a 22-year security industry veteran has claimed.

Jamie Fisher, CISO with IT-security consultancy Dragonfly Technologies, has worked both as a CSO and, in his current role, implementing security technologies. His most recent previous role was as general manager of information security with NBN Co, and before that he was global head of security for Verizon Business’ EMEA operations.

Speaking in a panel discussion at IBM’s recent Pulse service management conference, Fisher said his experience had shown that pushing IT security to a boardroom full of senior executives can be extremely difficult.

“There’s no use trying to drive security from a technology level right up to the board, because the board is just going to be confused,” he explained.

“It has been a hard sell to try to talk security to a broad spectrum of individuals around a table. It is much easier to have a one-to-one discussion with individual CSOs and executives about individual risks on the same business, and then trying to channel my efforts to help them get to where they want to be.”

In many companies, risk remediation had been complicated by the fact that security is still not recognised at the executive level: “it was quite surprising to come to Australia and see that there are large-sized enterprises out there that do not have a CSO function,” said Fisher, who previously served in a number of Europe-based roles.

Despite that relatively low level of awareness, Fisher said selling security into such environments had proved more effective when it avoided what he called “unethical and immoral” hard-sell pitches based mainly on fear, uncertainty and doubt.

Rather, Fisher said, the key to getting executives to care more about security was to couch the discussion in terms of business risk.

“It’s about making security tradeoffs based on straightforward calculations,” he explained. “We as security professionals tend to analyse what has happened and what is that liability – but you don’t have to be in security at all to understand business risk. CEOs understand business risk day in and day out. They are incredibly risk averse, and they understand what goes to affect their bottom lines.”

Lachlan McGill, manager of information security and risk with ME Bank and another speaker on the panel, agreed, recalling the time when he joined the company and met its CEO for the first time.

“He got introduced to me and said ‘So, Lachlan, how secure are we?’,” McGill recalled. “At that level, that’s all they want to know: what’s the risk to the organisation from security.”

“It’s all well and good to say ‘we’re missing 10 critical security patches on this server’ – but how do you map that back to a business risk? Not many security practitioners are really good at that. But that’s the world that he’s in.”

McGill also described what he calls ‘the two-minute rule’: the length of time a CSO typically has to engage a senior executive before they start mentally moving on. “If you haven’t engaged them in those two minutes, they might be looking at you but they’re not listening to you,” he said.

“That’s why you have to map it back to risk and the business impact. When you go to sell security, don’t just say ‘this is the risk if we don’t do it’; be prepared to ask the questions like ‘what if we wait 12 months to do this?’ and so on. If you have all those scenarios mapped out beforehand, and all the risks for every scenario, you’ll find that you sell your message a lot better.”


Tags: Dragonfly Technologies, security, CISO, Jamie Fisher

Stories by David Braue