New Rules for the New CISO
- Covet customer and shareholder value
- Think like a CFO
- Quantify everything
- Present a diversified risk portfolio
- Follow the risk leader
- Initiate an organizational makeover
C-suite executives are feeling the squeeze of tighter margins, limited operating budgets and "those damn regulations--they're killing me."
If you're a CISO, you're feeling the squeeze, too.
Despite the fact that security threats have never been greater, several mega-financial institutions have downgraded, changed or even eliminated the CISO post. Why?
CISOs are on the bubble because business, financial, operations and IT executives pile security, privacy and compliance demands on their shoulders. But these executives don't understand infosecurity's value and are frustrated by the lack of quantifiable risk metrics.
The demand for effective risk management is converging with other factors that could put the CISO role on the endangered species list. If you're going to survive and thrive in this new environment, you'll have to grasp what the successful security manager brings to the corporate table. Here are 10 keys to success.
Shed the old you
Historically, your career has been mired in IT and data management, systems and networking security. You identify exposure, and select and deploy security solutions. That's how you've provided value. You build the walls and guard the gates.
All of a sudden, that role has become a commodity like everything else in the market. All the things you once did--AV, firewall, IDS, password policy, patch and configuration management--have migrated to IT.
Until now, you highlighted a need and management gave you resources to respond. But that's not good enough anymore. There's no point in shouting, "Exposure, exposure, exposure," when management is "whack, whack, whacking" the budget.
Your mission now goes well beyond mitigating exposure--it's to enhance shareholder value by protecting your company's market share, revenue and brand. To win management support for security, you've got to demonstrate how you've prioritized, modeled and priced risk. As each new project springs up--call center relocation overseas, online payment systems, wireless infrastructure--you'll need to identify, analyze and evaluate the risks, measure the costs of securing the services with real numbers and present viable options. This information will help your purchasing managers decide how to allocate resources and will prove your value to the company.
Think like a CFO
Now that you've determined your value, think about how a CFO defines value. He thinks of the balance sheets, income statements and revenue streams; he thinks about liquidity and anything that could jeopardize liquidity. As the security manager, you need to adopt this methodology and look at the relationship between risk exposures and the value of company assets, revenue and liquidity.
Focus on what's vital to your company
Listen to what your CEO is saying. If you're repeatedly hearing about the importance of protecting market share of the company's flagship product, that's your chief priority. Quickly learn if the responsible managers are more interested in reducing the cost of managing risk or mitigating exposure. Then, play to their hot button.
Look at the big picture
As corporate security manager, you're in a unique position to assess and deal with the big picture, and to see the greatest risks.
Suppose management says trading is the most important activity. To you, this should mean that virus recovery in that area is a lot more important than in less critical parts of the organization. If 90 percent of your traders are located in one building, the risk is magnified. If all your divisions rely on a shared or managed IT service that's highly concentrated, your entire business hinges on its security.
You can provide a high-level perspective of the organization's interdependencies and areas of concentration that divisional folks don't have. The specialists in the IT pockets--the database management group or systems infrastructure and network ops--don't have access to all the pieces. They will value your opinion.
Learn who has the clout
Look at your company's risk professionals: a CSO/risk manager, a head of compliance, corporate legal counsel, etc.
The power base is with the chief risk officer (CRO). You know the CRO has authority and a structured way of managing risk. You must plug into that and apply the proper industry-accepted methodologies.
For instance, if the CRO says, "My priority is increasing premiums and reducing insurance coverage," this means that the company isn't paying the increased premium (which translates into greater exposure) and that the company must be more aggressive in its loss control and loss prevention programs. So, when the CRO says to you, "You guys are dealing with IT security problems and you want millions of dollars to solve them. What's your rationale?" you can make your case based on what it will take to control and reduce those costs based on the data you've collected on operational loss.
Advance a risk management strategy
As the corporate security advisor, it's up to you to establish priorities and implement effective risk management of exposures.
To execute on this, you'll need to:
- Identify, analyze and evaluate technology risk.
- Measure the risk quantitatively and qualitatively.
- Price out solutions, so the risk management group can advise the business on the best risk solution portfolio.
You may think you're already doing this, but think again. For example, one organization claimed that $3 billion was at risk if its cash management system was compromised. But, it had only taken the first step in the process--identification--via war games, pen testing and Delphi techniques. The truth is the company thought it knew how much was at risk, but was only at a starting point in identifying the value of the exposed asset and possible threats that could compromise it.
That organization--and yours--should take the next steps, conducting further analysis and evaluation of the security objectives and the threat to the value/supply chain. An analysis of risk prevention solutions should be reviewed and priced out (e.g., operational process changes such as stand-alone, secure, isolated machines; technical solutions such as two-factor authentication; and/or business process change, such as outsourcing).
If your process is incomplete, it's a good bet you're going to recommend an inappropriate response; your company will either allocate resources that are disproportionate to the risk or won't go for your pitch at all. In both cases, the response and the process are flawed.
Measure, measure, measure
An executive at a major financial institution says that 10 to 20 percent of his $45 billion operating budget is allocated to operational risk activities. "It's possible that the actual percentage is double that amount, but we don't have a good process for measuring the actual costs," he says. This company has tremendous incentive to find a good metric since there's a huge potential for savings.
Through measurements--financial, emotional, ethereal--you can assign value to assets you deem important. As a security manager, you need to measure the total potential cost of risk--including recovery, lost productivity and damage to the company's reputation--and recommend the appropriate security strategies. In the absence of hard data, you can use qualitative analysis, such as scenario modeling.
The frequency of security events can work in your favor. You can develop actuarial models using the current number of viruses and compromises, which are sufficient to compile some business intelligence. If you don't have the numbers, chances are someone in your organization does--probably other risk managers. If not, look outside the organization. Brokers, for example, have a wealth of information on significant events because losses have to be reported.
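The actuarial approach described above can be sketched as a frequency-severity model. This is an added example, not part of the original article: the incident figures are constructed, the function names are hypothetical, and events are assumed to arrive as a Poisson process.

```python
# Added example: frequency-severity (compound Poisson) model over a constructed incident log.
from collections import defaultdict
from math import sqrt

# Constructed sample data: (year, category, recovery, lost_productivity, reputation) in USD.
INCIDENTS = [
    (2021, "virus", 20_000, 30_000, 0),
    (2021, "virus", 10_000, 15_000, 0),
    (2022, "virus", 30_000, 45_000, 5_000),
    (2022, "compromise", 200_000, 100_000, 300_000),
    (2023, "virus", 15_000, 25_000, 0),
    (2023, "virus", 25_000, 35_000, 0),
    (2023, "compromise", 100_000, 50_000, 250_000),
]
YEARS_OBSERVED = 3

def annual_loss_model(incidents, years):
    """Per category: events/year, mean cost per event, expected annual loss and its std dev."""
    costs = defaultdict(list)
    for _year, category, recovery, productivity, reputation in incidents:
        costs[category].append(recovery + productivity + reputation)
    model = {}
    for category, losses in costs.items():
        rate = len(losses) / years                          # Poisson frequency estimate
        mean = sum(losses) / len(losses)                    # severity, first moment
        second = sum(x * x for x in losses) / len(losses)   # severity, second moment
        model[category] = {
            "rate": rate,
            "mean_severity": mean,
            "expected_annual_loss": rate * mean,
            "std_dev": sqrt(rate * second),                 # compound Poisson: Var = rate * E[X^2]
        }
    return model

def net_benefit(model, category, annual_cost, rate_reduction):
    """Expected yearly loss avoided by a control that cuts event frequency, minus its cost."""
    return model[category]["expected_annual_loss"] * rate_reduction - annual_cost

if __name__ == "__main__":
    m = annual_loss_model(INCIDENTS, YEARS_OBSERVED)
    for cat, row in sorted(m.items()):
        print(cat, {k: round(v) for k, v in row.items()})
    print(round(net_benefit(m, "compromise", 150_000, 0.5)))
```

Frequent, cheap events (viruses) give a tight estimate, while rare, expensive ones (compromises) carry a standard deviation larger than their expected loss, which is where external loss data from brokers or other risk managers helps most.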
Implement a portfolio strategy
By definition, prudent risk management requires diversification of control resources. Security and operational risk management are no different.
As a CISO, you should recommend a risk portfolio strategy that offers a wide range of options, including mitigation, insurance, expensing and captives (self-insurance, separate from the company).
But you can't do it alone. To achieve a balanced portfolio of risk prevention and financing options, you must work closely with corporate risk management (risk transfer, primarily insurance), corporate security and business continuity officers (risk prevention), audit and finance (risk measurement and expense) and legal (contractual transfer of risk).
Here's how it works: You evaluate and measure risk, determining the impact based on the things your CFO holds near and dear--revenue, balance sheet, liquidity. Then, you offer--and price--alternatives. Say your solution will cost $1 million, but you doubt you can get more than $100,000 budgeted. This is where a portfolio is developed. One member of the group has some insurance money to cover a portion of the risk, another has some reserves. Before you know it, collectively the members of the risk pool are contributing enough money and resources to cover the exposure.
As the CISO's role moves from exposure mitigation to broader risk management, the security organization must change as well. Operations, from AV to identity management, should move into IT, and risk management--data capture, analysis, and modeling--should take precedence.
Focus your organization
If you're going to deliver the data, analysis and modeling that your new role requires, you're not the only one that has to change. Your organization may need to realign departments--and that might require some radical thinking.
Security roles and responsibilities that have become mainstays--such as operations, policy creation and enforcement--should be considered for migration and delegation networking.
You may have to retool your organization's skill set to support more analytical thinking and promote a greater awareness of operational risk management. Gauge the level of expertise and what kind of modeling capability the organization has so you can budget for the kind of technically savvy people you'll need.
Shifting and adding resources is never quick. Plan on phasing in new resources over several years, as the demands of the change dictate, to spread out the cost.
What if your organization doesn't have a mature risk management culture? The overwhelmed two-person legal staff moves from problem to problem in crisis mode. The risk management group is one insurance manager who's clueless about the broader concept of risk management. Management is spending millions on auditors who hammer away at Sarbanes-Oxley compliance.
Then there's you. If you're going to make a difference as a security manager in this environment, you have a day job and a night job.
The night job is strategic: getting this community of disjointed disciplines, roles and expertise to work together in small ways.
The day job is to prioritize what's most important to the business and apply the appropriate security. Choose what generates the most revenue, or what the company has on its radar for the next five years. You need to secure that piece of the corporate world, working through the risk management model and working closely with the appropriate business unit managers.
Be nimble. Step into this new role while keeping a foot in the old. Delegate the technical responsibilities--infrastructure support, network support--while still providing guidance and oversight. Develop a strategy for an overall architecture. You may not be able to execute yet, but know where you want to go.
About the author:
Gary S. Lynch is president of Xeno, a management consulting firm. He's a former partner with Booz Allen Hamilton, an executive responsible for managing information security and business continuity risk management at Prudential Financial and Chase Manhattan Bank, and a research director at Gartner Group.