From the boardroom to operations – moving from infosec governance to practice

Ten years ago, security was a line item in most company IT strategies, if it was mentioned at all. But with the advent of mega-breaches in late 2013, through to nation-state attacks such as the OPM breach a year ago, IT security has leapt into the boardroom and C-suite.

That has meant a shift from point-solution-based, reactive operations to a more strategic view and a focus on governance, policy and process.

Michael Brown, Rear Admiral, United States Navy (Retired) is Vice President and General Manager of RSA’s Global Public Sector business.

He works closely with governments around the world and with private sector companies. We spoke with him about the transition from governance and policy to practice, and how it is progressing in the public and private sectors.

“I do see a definite maturation between where the boards, C-suite and operators have been over the last several years to now.

Boards now understand that it’s not just about setting the policy, but that they need to understand the risks and equate the risks to the businesses they are in.”

Brown says C-suites are paying attention and providing a conduit between operational teams and the boards. That means an increasing awareness that the security organisation needs to be connected with the rest of the business.

Different industry sectors are at different levels of maturity, he says. Banks are at the high end, with security awareness strong all the way from the board to operators. There are some valuable lessons to be learned from this.

“I think it’s the combination of risk, regulation and, because they’ve been so visible as targets, they realised they had to do something,” he says.

That’s being reflected in other sectors such as energy and communications, he says.

With many companies in the throes of dealing with shadow IT in its many forms, such as the use of personal devices at work and the ease with which cloud services can be procured, Brown says it’s critical that a culture of using technology securely is fostered.

That extends beyond the traditional company borders and throws the security posture of SaaS and other cloud-services under the spotlight.

“In more mature sectors there’s a realisation that end users can’t assume or abrogate accountability. As a business, we just can’t say we’re outsourcing an individual’s privacy,” Brown says.

As to whether the private or public sector is moving faster on information security, Brown’s observation is that both sides of the coin are moving ahead.

“At least four of the Five Eyes, between the US, Canada, Australia and the UK, have all updated their cybersecurity strategies based on lessons learned.

They’re throwing in additional resources and changing decisions about roles and responsibilities in governance. That demonstrates maturity.”

That doesn’t mean it’s all plain sailing. Brown notes there are still discussions about where the lines of responsibility fall between the government and private sector.


There’s also a perception issue, says Brown. Once policies and budgets have been fought for, refining policies and gaining incremental financial support becomes easier, as the initial business case has already been established.

As a result, there’s no big bang – the work becomes focussed on execution.

As for where the public and private sectors are in their information security maturity, Brown says:

“Governments are much more focussed on ensuring the governance, policy and strategies are out there, as they include the private sector and various responsibilities and authorities. But the private sector is moving very fast on the governance.

It is putting in place a risk based policy, tools and models such as cybersecurity frameworks that make it easier to put a governance model in place.”

As for execution, Brown is seeing both government and commercial entities trying to reduce the number of different tools they use and consolidate their infrastructure.

The past focus on installing point solutions to deal with specific threats is giving way to a more holistic approach.

“You can have as many tools as you want. But if you don’t have a strategy and idea of how to employ the capabilities it’s very difficult.

There’s a recognition that the old strategies of having those tools, or relying on a strategy of sole prevention, are the wrong strategy,” says Brown.

That means looking for tools that can integrate with one another and support the use of analytics tools.


Stories by Anthony Caruana
