The annual CXO report from (ISC)2 painted an interesting picture around the current plight of chief information security officers (CISOs). Specifically,
The findings in the CXO report are probably unsurprising for most security executives, who deal with these problems on a daily basis. While the information security industry is maturing at a rapid rate, we are still not at a point where businesses fully appreciate the potential impact of deploying insecure systems, leaving many CISOs in a difficult political situation when the business wants to deploy a new, vulnerability-ridden technology. As a result, CISOs often find themselves making uncomfortable compromises around acceptable amounts of security risk to satisfy business requirements, with some security execs possibly being left discouraged as that line continues to be pushed.
To effectively communicate information security risk to the business and raise infosec awareness among non-security executives, CISOs need to utilize new approaches. Let's discuss three possible approaches.
Use FUD sparingly
When faced with the challenge of explaining how security risk is relevant to a business, many security pros still turn to fear, uncertainty and doubt (FUD) in order to press a point home. This tactic can be effective, but only if used infrequently and precisely. It is critical not to try to scare executives by continually presenting the latest unrelated breach or vulnerability to them.
Instead of relying on FUD, try to present accurate data around relevant security risks, which is more likely to get a positive response from other executives. For example, collecting details about data breaches that have been experienced by other companies within the same industry can be helpful. Demonstrating how an attack was performed on the company website can also be a powerful tool. The trick is to generate the urgency of FUD without evoking the emotional response of fear; to be effective, that ultimately requires learning about the audience (e.g., other execs) and tuning the delivery as required.
Become part of the overall business
With an ever-evolving threat landscape to monitor, CISOs tend to spend much of their time focused on the latest infosec risk, making it difficult to build relationships with other executives. This is especially true when a CISO is unable to pivot the conversation away from the nuts and bolts of everyday risk mitigation. To truly be effective in the position, CISOs need to learn the vocabulary of business and build those key relationships with the C-suite.
The best security executives know as much about the revenue drivers for the business as they do about the latest data breach statistics. A CISO who digs into business operations may even discover ways that better information security practices can reduce expenses through process optimization. For example, implementing single sign-on authentication reduces the number of passwords an employee must remember, which not only increases efficiency but also allows stronger password policies to be implemented. A newly minted CISO will need to learn how to recognize those types of opportunities, but executives with many priorities outside of infosec will find this approach refreshing.
Give business leaders a voice in security
Finally, one of the most effective methods for driving infosec awareness among non-security executives is to let them play a part in security-related decisions. One way to accomplish this is by forming an information security governance committee. At first, it can be difficult to get time with busy executives for security matters, but if they know they'll actually get to make key decisions, participation and commitment will usually follow.
The CISO's role in such a committee is to present current risks to the company's information assets with proposals for mitigation strategies, which can include new organizational policies or technologies. As I mentioned earlier, executives tend to respond favorably to hard data, so give them factual information about the status of the enterprise threat that they can use as the basis for making sound security decisions. When provided with the right info, executives will -- perhaps surprising to some -- often take an even firmer stance than was originally recommended. New security policies are also given that extra weight of higher authority when they're partially developed by executives on the committee, not just the security team. Of course, there may be times when execs don't back a CISO's proposed policies, but the CISO even having the opportunity to present security issues to them can be a positive down the road.
Security executives need to find new ways to make security a bigger part of overall business processes, and hopefully gain a bit more spending power for security tools and staff in the process. I've outlined the three that I've found to be the most effective -- toning down the FUD, learning the language of business and getting non-security executives more involved in security processes -- but new CISOs are going to find novel ways to win that influence in the C-suite and make security a bigger priority. Executive infosec awareness will undoubtedly continue to grow through the use of these techniques, and in the near future, CISOs may even find that security is perceived as a business driver instead of a roadblock.
This was first published in February 2014