Regulatory compliance requirements and concerns over data compromises have elevated the importance of information security issues in corporate boardrooms, according to panelists at the 32nd annual conference organized by the Computer Security Institute. And that trend is lending urgency to the need for security managers to adopt a more business-oriented approach to their jobs.
Selling security to management has become easier because of issues such as privacy threats and data piracy, said Terri Curran, director of information security at Bose. "In a sense the road has been paved more for us" by such issues, she said. "Management knows they've got to have security."
The problem is that security managers often tend to understand technology issues better than they understand risk management, said Jack Jones, chief information security officer at Nationwide Mutual Insurance in Ohio. As a result, there is often a misalignment with business goals, he said.
"Perfect security is not achievable," Jones said. "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."
Being able to do that requires security managers to do a better job of taking technology issues and putting them in a business context, he said. "That's a significant problem for us," he said. "As long as we have a misalignment between the two, we have a challenge."
Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity, said Jane Scott-Norris, CISO at the U.S. State Department. That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms," Scott-Norris said.
To be successful, CISOs need to have a combination of technology skills and business savvy, said Bill Hancock, vice president of global security solutions at Savvis Communications. "If you don't know how to communicate well, you will fail as a CISO," he said.
Jennifer Bayuk, CISO at New York-based Bear, Stearns & Co., said that it's also important for security managers to be able to demonstrate the value they bring to an organization -- especially because security is often seen as a cost center offering little return on investment.
"If you can't demonstrate what you are doing, it doesn't count," she said. As a result, there is a need for security managers to be able to put auditable security practices in place, she said.
Looking ahead, Bayuk predicted that CISOs will have two distinct career paths: one will be technology-focused and will involve reporting to the CIO; the other will be more business-focused and will involve dealing with chief risk officers or executives with that kind of responsibility.