Overcoming stubborn execs for security's sake

Clashes with senior business executives as well as those at lower levels of organizations make it more challenging for CSOs and CISOs to create a secure environment, and yet they continue to happen.

Even with the greater awareness for strong security within organizations—and the high-profile hacks that have contributed to that increased awareness—security executives still encounter significant hurdles in doing their jobs to protect data and systems.

Many of the conflicts that occur between security and business executives are due to ongoing philosophical differences regarding risk, says Dave Dalva, vice president at Stroz Friedberg, who has worked in the position of CISO for a number of clients.

“In my experience, the number one issue is cultural conflicts,” Dalva says. “Senior executives including the board of directors very often continue to see information security or risk management as an IT problem—or worse as a technology problem—as opposed to a business problem.”

Many business leaders don’t understand or acknowledge that they need to manage security risks the same way they manage financial risks, and give security the high priority and funding it warrants, Dalva says.

“Security, to some extent, is frequently at odds with senior leadership teams,” adds David Barton, CISO at security technology provider Websense. “Managing risk and protecting the brand are not always top of mind for executives, and rightly so, as they are focused on shareholder returns.”

The challenge for the CISO is to help senior executives understand that shareholder returns are directly tied to protecting the brand and managing the risk to the business, Barton says.

This means educating the CEO, CFO, other senior business leaders and the board about the true risks of insufficient security. “They need to realize it’s an enterprise risk problem,” not an IT problem, Dalva says. “Once they do, it’s much easier to establish and enforce policies and procedures that are appropriate for that organization.”

The high-profile hacks in recent months have certainly helped bring cyber security to the forefront, but more work is needed, Dalva says.

Other conflicts come from the age-old struggle between usability and security. “I’ve been involved in information security for nearly 30 years and I’ve seen this many times, where a senior executive sees security as an inconvenience,” Dalva says.

“When senior executives perceive that a security program will make their computing experience [more difficult], it’s often hard to overcome that perception,” Dalva says. “This perception makes the security executive’s job tough, and it makes it more challenging for security teams to address risk across the enterprise. However, the security team is still expected to keep the enterprise secure.”

One CISO who did not want to be identified relates that during a routine audit his team discovered that all accounts in the organization were compliant with its password policy except one—the CEO’s.

“I walked into his office and painted a picture of our compliance status and the potential of an adverse audit finding related to password compliance,” the CISO says. “My CEO was unhappy to learn of this potential and instructed me to notify the account holder and get the problem fixed. I explained the account in question was his and I needed him to change his password. He changed his password and never had the issue again.”

The tradeoffs between convenience and security are becoming less of an issue with many senior executives, as they’re now much more aware of the risks, says Jay Leek, CISO at The Blackstone Group, an investment firm. And people at the lower levels of the organization generally try to do what they have been asked when it comes to security.

Where the challenge now lies is with middle management, Leek says. Often these are the people under pressure to get projects completed quickly and efficiently, and they look for shortcuts, ranging from avoiding cumbersome passwords to seeking more access to data than they actually need.

“Maybe they don’t have all these insights [about security risks] or they feel more empowered,” Leek says. “I see them taking more risks. We’ve done a good job educating middle management, so we don’t have that issue today.”

But that doesn’t mean Leek never gets challenged. “I’ve had to have some very tough discussions” about security policies. “While it’s uncomfortable and not the happiest times, I’ve been able to at least come out alive and not gotten fired.”

Security, if done well, should provide protection in a user-friendly way, Dalva says. For example, companies can deploy technology such as single sign-on instead of forcing users to maintain multiple passwords for various systems and applications.

“Security doesn’t have to be an impediment to getting things done,” Dalva says. “It can enhance productivity” at the same time as providing data protection.

Bring-your-own-device (BYOD) issues have created their share of conflicts between security and business executives.

“When the iPad first came out the first people who wanted to carry them around were the most senior executives. How do you secure this?” Leek says.

“Everyone was trying to figure out how they could get a device that wasn’t ready to deploy” securely, Leek says. “People want these cool new tools or devices like that,” without giving thought to the security issues.

Other sources of differences between security and business leaders have to do with budgets and personnel.

The CISO who didn’t want to be identified says in one budget cycle the company’s CFO made unilateral changes to the IT security budget and cut some items that were compliance and regulatory in nature.

“These budget items were defined and justified, but ultimately were an increase from the previous year so they were removed from the plan,” the CISO says. “After numerous meetings and explanations, I was able to get agreement to the increase in spending. Even with the proper justification, it is critical for CISOs to help educate the senior leadership on security trends, funding, regulatory issues, etc.”

When it comes to the use of resources such as people and capital, CISOs and CSOs are competing with other business leaders who have different drivers and incentives, Barton says.

“It’s imperative for the CISO community to partner with those business leaders to help them understand the correlation between the spend on information security and how it enables the other business leaders to create, implement and deploy their initiatives in a secure fashion,” Barton says.

With the ongoing shortage of experienced security personnel at many organizations, disagreements over staffing issues are likely to be a continuing source of contention.

“Too many companies make [capital spending] an easy part and make significant investments in new technologies,” says Michael Cook, senior security consultant at GuidePoint Security. “But [they] fail to make the corresponding investments in people, and developing the associated processes to utilize the technology, whether it's monitoring, analysis, investigation, research or security program development.”

The result is that the capital investment is significantly under-utilized, Cook says. “Companies that are hamstrung in their compensation structure can't get the appropriately qualified people, and end up either doing without adequate staffing, or hiring people who aren't quite appropriate for the role and needs of the security department.”

Cook has seen security directors go back and forth with human resources and compensation officers and get salary ranges increased once or twice, but still not to market level. Then they are told that nothing more can be done and they give up the fight.

“They end up working with what they have been given, and recruiting people in that compensation range,” Cook says. “I can't emphasize enough how this negatively impacts process, and the quest towards security maturity.”
