Succeeding in a pressure-filled world of auditors and cyberthreats requires skills in business, technology, people and more.
With a load of regulatory requirements, auditor scrutiny and evolving cyberthreats, it's a pressure cooker for an information security executive these days. How's a security manager supposed to survive, let alone succeed, in the enterprise?
A big part of the answer has become a CISO mantra: Technology skills aren't enough; a security professional also needs business know-how. A successful one understands how the business works and can speak in terms the C-suite comprehends.
"We're there to facilitate the business, not hinder it. In order to do that, you have to be able to pull your head out of the ones and zeros and speak intelligently to people who don't understand the ones and zeros," says Dave Lewis, senior information security officer at the Independent Electricity System Operator (IESO) in Ontario, Canada.
Some security professionals are so focused on blocking attacks that they overlook how a threat affects their particular business, he says: "You have to understand what your business does and the risks involved for your business."
The ability to translate security threats to business risks is critical for getting a seat at the executive table, says Tim McKnight, vice president and CISO at defense contractor Northrop Grumman. And when you get time with the C-suite or the board, use your time wisely, advises Gene Fredriksen, principal consultant at Burton Group and former CSO at Raymond James Financial.
"You don't want to bring FUD.... You're never going to get more with those people than a few minutes at a time," he says.
Rather than virus statistics, talk about how security can help cut costs, reduce risk, improve compliance or enhance time-to-market. For example, if your organization grows primarily through M&A activities, talk about how security systems can help, Fredriksen says.
Along with business-speak, security executives need strong leadership and communication skills, and should focus on developing their employees' talents, says McKnight.
"If you don't have the best talent around you, you're not going to succeed," he says.
| Lost in Translation
There's a lot of jargon in security that can turn off business executives. Here are some common terms translated into plain English.
Botnet
A group of compromised computers used without their owners' knowledge by Internet criminals to send spam or viruses, or to launch DDoS attacks.
DDoS
Distributed Denial of Service. Attackers use many compromised computers to flood a target system, such as an e-commerce site, with traffic, overwhelming it and preventing legitimate users from reaching the site.
DMZ
Demilitarized zone. A subnetwork placed between a company's private network and the public Internet, where organizations often put their Web servers.
Exploit
An attack, or the code used to carry it out, that takes advantage of a vulnerability in a computer system.
HIDS/NIDS
Host Intrusion Detection Systems/Network Intrusion Detection Systems. HIDS are installed on individual computers to detect attacks on that host. NIDS monitor network traffic for signs of attacks.
Penetration test
Testing the security of a system or network, with the owner's authorization, by trying to break its controls and gain access.
Port scan
An attacker sends a series of probes to a computer to discover which network services it is running, so those services can then be checked for vulnerabilities. Each service listens on a port number.
Rootkit
A collection of programs that gives an attacker hidden administrator-level access to a computer. An attacker who breaks through a computer's access controls can install a rootkit, which conceals the intrusion and preserves privileged access.
Script kiddie
A less-skilled attacker who typically uses existing tools and scripts written by others to launch attacks.
Spear phishing
Fraudulent email aimed at a specific organization that tries to fool the recipient into divulging confidential data. The message generally appears to come from someone inside the recipient's company, such as an IT administrator.
Trojan horse
A program that appears harmless but contains malicious code.
Zero-day exploit
An exploit for a vulnerability that is not generally known until the exploit itself surfaces; consequently no patch is available when it is first used.
In fact, more than technical aptitude, future CISOs will need people skills, says Khalid Kark, senior analyst at Forrester Research. That's because they need to get buy-in at the executive level, and also need to educate and train end users about security threats and secure practices.
"CISOs will not be technology experts, they will be more people experts if they want to succeed at their jobs," Kark says.
Not so fast, says Tim Maletic, manager of information security and information services security officer at Priority Health, a Michigan-based health insurance company. He agrees that people skills are essential--a security professional has to be a jack-of-all-trades and deal with many different groups in an organization--but says technical ability is critical too.
"You can't get so far behind the times with what's going on with current technology that you're getting blindsided or are missing opportunities as new projects are coming through and not seeing how they relate to risk for your organization," he says.
Maletic says he finds himself pulled between the two worlds of business and technology. Building a strong team has helped manage that; he can tap his engineer's expertise with the latest technology.
He and other security officers also are finding ways to deal with the pressure of ever-present auditors. People skills come in handy on that front.
"You want to make auditors your friends. You need to work cooperatively with them," Maletic says. "My internal auditors are very much partners with me. We share information, keep each other in the loop."
IESO's Lewis says auditors shouldn't be treated as the enemy, a misconception common among some in IT: "Auditors are there to help you improve your business, not to flame broil you."
However, external auditors can present a different challenge, Maletic notes. In those cases, it's not so much about collaboration as about defining business requirements.
"And making sure that [with] each objective or control being tested, you can reach an agreement with your auditor about the value and not just roll over and let them do it a hundred percent their way," he says.
Regulatory compliance has been frustrating and time-consuming for CISOs, but a framework such as ISO 27001 can help address multiple regulations instead of dealing with them piecemeal, according to a Forrester survey.
| Layman's Terms
Executives have their own language with an alphabet soup of acronyms. Here are some phrases and what they mean.
Acid-test ratio
A stringent measure of liquidity: the company's most liquid assets (cash, marketable securities and receivables) divided by its current liabilities.
Asset turnover
Sales measured as a percentage of assets. This shows how well management is using the company's assets to generate sales.
Capitalized expense
An expense that is placed on the balance sheet as an asset, with its cost allocated across future accounting periods.
Cash flow statement
Shows the sources and uses of cash that flowed through the company during a particular period.
Common stock
Stock whose holders have voting rights and do not receive dividends at a fixed rate.
Cost-benefit analysis
A way of measuring the benefits expected from a decision against the costs expected to be incurred in carrying it out. If the benefits exceed the costs, the analysis favors going ahead with the planned course of action.
Cost plus pricing
Setting the price of a product at the company's cost to produce it plus the company's desired profit on the product.
Debt-to-equity ratio
Compares the company's long-term debt to the amount of owners' equity. The related debt ratio compares the financing that comes from creditors with the amount invested by shareholders.
Deferred expense
Money that has already been spent but will yield benefits in upcoming years. Money allocated to research and development is an example.
EBIT
Earnings before interest and taxes. Roughly equivalent to operating income.
Fixed assets
Tangible property used in the operation of a business.
Fixed costs
Costs that remain the same regardless of how much product a company makes and sells.
Income statement
Shows the financial results of a company's operations for a given period, usually a year or quarter. It begins with sales for the period and subtracts all expenses incurred during it to show how much the business earned after expenses.
Loss leader
A product on which a manufacturer or, more commonly, a retailer makes no profit but carries to attract customers.
Net profit
The amount earned on sales after deducting the direct expenses of making the product, the expenses of selling it and all other costs of running the business.
Program Evaluation and Review Technique (PERT)
A project-management technique in which you make optimistic, pessimistic and "best guess" estimates of the time it will take to complete each task in a project.
Retained earnings
Income not distributed as dividends; it is classified as retained earnings and reinvested in the company.
Working capital
Current assets minus current liabilities. Measures the company's ability to pay its current obligations.
With all the evolving regulatory requirements, it also helps if security officers have some legal know-how, says Michael Rasmussen, a vice president at Forrester. They can't necessarily rely on corporate counsel to keep up with the IT impacts of various regulations.
"The CISO definitely needs legal skills today as compliance has been one of the No. 1 drivers of security in the last couple years," he says.
Burton's Fredriksen says industry organizations such as BITS, a consortium of financial-services C-level executives, can help security professionals keep up with emerging legislation and regulatory issues. Proactive security officers get involved and participate in the public processes related to proposed legislation and are ready to offer their organizations thoughtful advice on new issues, he adds.
Others agree that it's important for security officers to be active not just inside their organization but outside as well: "Whether you're affecting legislation that could impact your corporation or whether it's just being an advocate for education in information security in the academic world," says Northrop Grumman's McKnight.
Maintaining strong peer relationships also can help a CISO succeed, he says. For example, he can call peers at other companies to learn how they handled a particular issue.
More and more, the CISO is transitioning from a security-focused role to a holistic risk management role, McKnight says. "There are trade-offs, certain levels of risk you're willing to take," he says. "Defining that risk for the company and the business owners is essential."
Forrester's Kark predicts that the CISO job of the future will be more about information assurance rather than information protection.
There are many certifications and academic programs to help security professionals boost their careers.
Certified Information Security Manager (CISM)
Issued by the Information Systems Audit and Control Association (ISACA). Designed for experienced information security managers, and those with infosecurity management responsibilities.
Certified Information Systems Security Professional (CISSP)
Offered by the International Information Systems Security Certification Consortium (ISC)2. Training available from (ISC)2 affiliates worldwide.
Certified Protection Professional (CPP)
From ASIS International, CPP designates individuals who have demonstrated competency in all areas constituting security management.
Global Information Assurance Certification (GIAC)
Certifications cover a range of areas, including security leadership and security auditing. A SANS Institute program.
Professional Certified Investigator (PCI)
The PCI designation from ASIS International is awarded to those who have demonstrated skills in case management, evidence collection and case presentation.
The following academic programs are all NSA Centers of Academic Excellence.
Carnegie Mellon University, Information Networking Institute
Master of Science in information security technology and management. Blend of education in technology, business management and policy.
Georgia Institute of Technology, College of Computing
Master of Science in information security. Studies include risk perception and the impact of laws and public policy.
James Madison University
Master of Science in computer science and two NSA-approved certificates for infosecurity professionals and officers. Online program geared for working professionals.
Johns Hopkins University Information Security Institute
Master of Science in security infomatics. In addition to technical and policy courses, core management courses include financial issues in running a secure operation.
Kennesaw State University
Bachelor of Science in information security and assurance. Curriculum includes courses in project management, infosecurity policy, and accounting.
Master of Science in information assurance. Online program designed to help working professionals become management leaders.
Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS)
Interdisciplinary master's program in information security. Courses in ethics and business management in addition to computer sciences.
Rochester Institute of Technology
Master's degree in computer security and information assurance. Courses include ethics in technology and advanced computer forensics.
Stevens Institute of Technology
Bachelor of Science in cybersecurity with curriculum that incorporates aspects of engineering and technology management. Master of Science in security and privacy with electives in legal issues and analyzing technology risks.
*This is a representative list.
Keeping a security team from being pulled apart by auditor demands is a tough balancing act. by David Mortman
I've really been feeling the pressure lately. I have an ambitious plan to execute our company security strategy, and on top of that I've got hordes of auditors simultaneously pushing my staff in many directions. If I respond in knee-jerk fashion to all those auditors, my resources will be diverted from the security strategy.
Internal and external auditors, plus staff from the SOX program management, compliance, enterprise continuity and risk management offices all look to my team for support for their respective control efforts. Access controls are a common denominator, and my security folks are instrumental in designing, analyzing, changing and reporting on those controls. But I need to run interference to keep my staff from being pulled in too many directions. They're being torn apart; I need to keep them whole.
At the same time, I need to help all my colleagues who are responsible for the other control functions. The auditors are well-intentioned. They basically have the same goal I have: well-controlled information systems. The problem tends to be relative to time frames. We can't get it all done at once; we must prioritize. If I weren't confident that my staff understands the threats and risks, then I'd abdicate and let someone else set the priorities for what we work on. However, I am confident, so I stand my ground.
At first, the flow of control-related activities started as a manageable trickle--internal audits, external audits, GLBA, state market exams, and Securities and Exchange Commission 38a-1 investment firm reporting. Then somewhere along the way, it dawned on some of us that the questions we were being asked were growing eerily similar to the last set of questions we just answered. Around the same time, the specter of SOX began to haunt us. For a while, I naively thought SOX was a positive thing that would help me move the security agenda forward; it was about protecting financial integrity, and that aligned with my mission. Then I woke up and realized the SOX people weren't working on my agenda, but rather I was working on theirs, and they had different time frames in mind. In fact, my entire staff seemed to be getting dragged into everyone else's control-related efforts and the security agenda was beginning to take a back seat.
Right now, I'm desperately trying to find places where the disparate control efforts overlap. If we can avoid doing the same things repeatedly, we should be able to save time and effort.
In addition to looking for overlap among control-related activities, we're assessing related risks and using risk levels to help prioritize our work. Because we can't cure every ill at once, we want to address the biggest risks first and address the rest over time. Our plan is to help our colleagues in their control-related projects as much as we can without totally sacrificing our own agenda and abandoning pursuit of our security strategy. By taking care of the big hitters we should be able to reduce our risk sufficiently and turn down the heat enough to make everyone comfortable.
Most importantly, we need to corral all the work related to controls coming from many areas. We need to organize and prioritize it, then get it done in a reasonable time frame. No longer can we allow all that control work to get so out of control at the expense of our security goals.
Bruce H. Bonsall, CISSP, is CISO at MassMutual Financial Group. Send comments on this column to firstname.lastname@example.org.