SAN FRANCISCO -- The enterprise information security community is enjoying the greatest opportunity in its relatively short history to effect positive change, but capitalizing on that opportunity will require learning business savvy and thinking long term.
In a wide-ranging discussion Thursday at RSA Conference 2015, a panel of veteran infosec pros lauded the way in which business leaders have recently embraced the importance of information security, illustrating a positive outcome following a string of devastating, high-profile data breaches.
"We have, for once, the attention of the people we've been screaming at and have been ignoring us for years," said Jack Daniel, a security strategist with Tenable Network Security. "We have this small window to prove we're up to the task, or they're going to move forward and leave us behind again. That worries me. That's opportunity and fear rolled into one."
Trey Ford, global security strategist with Rapid7, acknowledged the newfound attention and responsibility may be more than some new security managers are ready for.
Ford shared a story about how he recently spoke before an audience of about 1,400 security managers. He was surprised to learn that not only were about 1,000 of them first-time chief information security officers, but the same number were also the first CISOs that their organizations have ever had.
"We've found ourselves in the C-suite," Ford said. "Now, where's the playbook? We're now going through what CIOs went through, working to learn the language of business."
Katie Moussouris, chief policy officer for vulnerability-sharing framework provider HackerOne, echoed those sentiments, saying that security professionals now have the chance to influence the future of their enterprises in a positive, lasting way, but it means evolving as a profession from technical experts into business leaders.
"A lot of us who once flew hacker flags are now in charge of large security organizations," said Moussouris. "We've graduated and matriculated into the ruling class of security."
Part of the maturation process is the realization by security pros that infosec will never be the number one priority for organizations. Instead of trying to convince business of security's top priority, Moussouris recommended learning to serve as a trusted source of support for business leaders, while reminding them business isn't just about making money.
The result of that effort, Moussouris added, will be a new type of security leader who is inherently business-savvy, a skillset she hopes will become widely possessed among security leaders.
"It's a mating dance and we're about to produce our first hybrids," Moussouris said, "and hopefully they will also [be] reproductively viable, as opposed to being mules."
However, there may be a sizable number of security pros that either don't realize this transition is underway or don't acknowledge its significance. Daniel said he believes there are plenty of hackers, whom he described as "the people who go to DefCon," who are reluctant to come to RSA and engage with people who are working to advance the craft of business and infosec.
"Those of us on this panel, we're all people with one foot in each camp, and the more we can bridge that gap, the better off we'll be," Daniel said. "There are a lot of ostriches out there, and more of us need to realize that we can't afford to alienate anyone."
Panel moderator David Mortman, chief security officer with Dell, said another key going forward will be security managers' ability to position security as a long-term enabler for business.
Moussouris shared the story of how, when she worked at Microsoft, she convinced the software giant's business leaders to begin offering bug bounties to security researchers who find and report software flaws to the company.
Moussouris equated the task to turning around an aircraft carrier because Microsoft executives had publicly vowed never to pay hackers for vulnerabilities. However, she succeeded by keying in on what she called "organizational empathy," convincing business leaders that a bug bounty could help Microsoft better protect its business.
"The problem was they were getting IE bugs reported after the beta period had already closed," Moussouris said. "I told them, 'Guess what? We can create a bug bounty and offer it at the beginning of the beta period and get those bugs reported sooner.'"
She said her success hinged on being able to understand and articulate the business value of a bug bounty program, and then aligning the security goal with the business goal the organization sought to accomplish.