Thornton May talks in CAPITAL LETTERS. The longtime IT consultant and observer (and sometime vendor executive) is given to extreme phrases and inflammatory ideas, all expressed with maximum excitement. May aims some of his most vitriolic opinions straight at the security community, which he says has misbranded and miscommunicated itself into organisational irrelevancy. His solution: a "geek-to-suit messaging architecture" to help information security pros connect with corporate leadership. May discussed the successful branding of security with CSO (US) Executive Editor Derek Slater.
CSO: What got you going on geek-to-suit messaging? Thornton May: I've spent the past 17 years watching CIOs slam into the brick wall. I think technology's been misbranded. Brands make things easier [to understand]. Brands are a promise. Brands embody trust, basically. Right now, if you look at what's happening in the IT world, there is a total lack of trust. And we're moving to a totally customer-driven world, where the customers are very brand aware and brand savvy.
With regard to the security area, in my days with [managed security services provider] Guardent, I did a giant job — basically an analysis and assessment of what was going on, securitywise, for a major client. And its [security] guys made CIOs look eloquent. If you look at the IT message ecosystem — what messages are being sent, who are they being sent by, what form are they being sent in, who are they being sent to and the ultimate impact of their receipt — there is so much wasted effort. [The messaging] is not designed to produce an efficacious impact. That is the real challenge for CSOs right now: Their message is so totally uncompelling.
Given the world we live in today, how can that be? Exactly! How can security be uncompelling in a world that is screaming for it? These [CSO] guys couldn't sell water to a man on fire. They are gifted, gifted nonbranders! The reason is that they never got the idea that 80 per cent is good enough. If I have to go to one more conference where everybody gets up and throws themselves on the cross of, "You will never be totally secure . . . ." OK, then, how secure are we? "Uh . . . I can't tell you." OK, well then I'll just sit here and do [absolutely] nothing! Because that's what you're doing for me. The security guys offer no path, no promise.
What about the hypothesis that they are so completely earnest as to be incapable of BS? No, I don't even think that's it. That's putting it in a cloak of nobility. I think they're so into their cult, their own Kool-Aid, that [they say,] "I'm the only person who knows how bad it is." The way organisms survive in a high-stress world is they collaborate and work together. Security people do not collaborate and do not work together. I don't see them rolling up their sleeves and saying, Let's solve this problem together.
We certainly have seen repeatedly the amazing rift and dislike between the infosecurity guys and the corporate security guys. There's been no attempt to make them play nicely together, culturally. Basically, the Mensa guy walks in and calls corporate security the "dog-and-gun guys." And those guys call the computer guys "the geeks." They're not on the same page. They're not playing on the same team. Their social networks have never been brought together.
What's your solution? Is it a set of processes for translating the "geek" message into something that the CEO can understand? The secret is that there is no geek message. There can't be. I went to a major event sponsored by McKinsey, with the top guys at Shell. The McKinsey guy keeps saying, "You've got to get IT aligned with the business." And the chairman of Shell says, "Son, I don't think you understand. At Shell, there is no such thing as an IT project. There are business projects that have IT stuff in them." There's no such thing as a security project. Right now, security is not a feature in anybody's product or service. It could be a critical differentiator — the new secret ingredient. That's why branding is so important.
Have you seen anyone do it right? Does anybody get the concept? Not really. At American Express they're getting there, the whole Blue thing. ["Blue" is an AmEx credit card brand with embedded smart-chip technology for enhanced security in online shopping.] Security was part of that brand, but right now people are puckered up with regard to cost savings. And then security guys label themselves by saying, "This is going to cost you a lot of money, but you have to do it." And CEOs just respond, "I don't have to do it."
Are you telling me that companies can't do something with security that makes them money? That security doesn't touch any of your customers? We haven't embedded security behaviors or thinking or functionality in the value stream. We're selling negatives, not positives.
So if you were to create a CSO training film, with the proper use of messaging and branding, how would the scenario go? I would show you people who are building online relationships with their customers; and why do they choose you? One of the reasons is that you're secure and you have the easiest-to-use security . . . . How do you raise awareness that there are differentiated levels of security? I think the financial services [companies] have taken the wrong tack. The banks [should, but don't] compete against each other vis-à-vis "I'm more secure than the other guy."
Part of the problem seems to be messaging between geeks and their internal customers. That is actually a simpler message. Security people don't listen. Great communication requires listening. Security people are always in broadcast mode, never in receive mode, because they are telling you what to do. At American Express, for all its major IT projects going forward, [CIO Glen Salow] and his senior staff basically go through a two-to-three-day risk review exercise. They analyse those projects on 50 dimensions of IS risk and business risk and give them a rating [which] they compare against a database of 7000 previous projects. Projects don't go [forward] unless they're secure.
So what security people need to do is . . . . Well, they're [often] not even at the table when you're designing a project. (Actually, that's not too much of a problem right now because there are no new projects!) But the whole idea of a CSO is intriguing because, well, what is the role of the CSO versus that of the CIO? Is the CSO responsible for all the secure systems in the enterprise, whereas the CIO is in charge of the insecure systems?
Your great opportunity [with this magazine] is that there may be an identity crisis for CSOs right now because they haven't made enterprises more secure. What they've done is, they've centralised blame.
Maybe that's true. We've seen a lot of firings. Yeah, they're really going after these guys because they're not happy with them . . . . If you're not liked and you don't have a power base, how are you going to win? It's Machiavellian, but if [the suits] don't like you, you cost them money, and they're just paying lip service to you, what's your future?
I think the evolutionary path of the CIO is very relevant. It has significant lessons to teach us about the evolution of the CSO. Looking back, where did the initial CIOs' ideas come from? A lot of them came from the vendors, from the technical community. And I would say that analogy [has merit] right now. A lot of CSOs are [in the role] because they're championing some kind of technology. Among the first things CIOs did was append technology to existing business processes. We are now appending security to existing IT processes. That process is exothermic as opposed to endothermic; it consumes energy instead of releasing energy. In an energy-saving environment, that's a problem. Ultimately, people saw that business runs better with IT [embedded in it]. And we've got to get to the point of seeing that IT processes work better when you have security embedded in them.
It's going to be very difficult to get through that right now because we're in this terrible budget squeeze. But we need to answer the question: How do I actually make money with security?
So the geek-to-suit messaging architecture is that the geek has to change the message, communicate in business terms and embed security in every business project? You asked the question the right way up front. In a world that is so security aware, how is it that security people aren't getting any traction? I think it may be that we're trying to do the wrong things, and we're definitely delivering the wrong messages.
It took a long time for CIOs to get the hang of geek-to-suit messaging . . . And they still aren't there!
Which suggests this could be a long and difficult process for security. It could be. But security is like penicillin: It's so powerful and so authentic. [The problem is] the accessibility of the message. We need a security Sputnik to happen. Eisenhower used Sputnik brilliantly to say, "We need to upgrade our math and science skills." I think today we need to upgrade our basic technology literacy.
A few people are doing this well, such as [vice president and corporate security officer] Dennis Devlin at [information service provider] Thomson. In these holding companies, they run a pretty tight ship. For something like 44,000 employees, there's a total headquarters staff of, I think, 80 people; and the IT group is like 15 people. So Dennis actually has a chance to get the message through because he's one of only 15 — versus people with herds and herds.
What do you recommend for those in gigantic organisational blobs? Pick their targets, work on key relationships, one at a time? I like that idea. It's almost a counterinsurgency thing. You've gotta choose and infiltrate the social networks of the organisation. Now, there's no basis for trust.
In the earliest issues of our sister publication, CIO, we ran stories advising readers to do things like play golf. Get out and shmooze. Should CSOs heed that advice as well? Shmoozing is not a relationship, it's not trust. The thing that's nice about golf is it puts you in a shared space with someone. But putting people who detest each other in a shared space isn't going to make the problem go away. You've got to create an opportunity for shared spaces where they can figure out you're not a bad person, and you can create a way of working together.
So, you get in the shared space. But then you have to demonstrate that you're there to listen, not simply to pontificate. Right. Because [the CSO's] agenda isn't going to win. The chairman is not going to go to bat for the security person. The entire suit population is very political; they've got agendas. What the security person should do is get inside those agendas and help make them successful.
It's not really geek-to-suit translation; it's suit-to-geek translation, [with the suit saying]: "This is what I'm trying to do. What have you got for me?"