Information Security

Defending the digital infrastructure


Cybersecurity and global risk assessment enter the boardroom

Analysts expect security concerns to drive global risk management, but executives may need convincing.

"We need to advance the security agenda to the boardroom," said MacDonnell Ulsch, CEO and chief analyst of ZeroPoint Risk Research. That means turning to managing risk, according to Ulsch. "I know there are those who disagree with this, and who believe that technical security is the answer. To me, it is only part of the solution of managing risk.

"It is interesting, too, that so many in the industry are focusing on data protection of regulated data, but that intellectual property [IP] and trade secrets seem less critical, even though these secrets may be the lifeblood of the company," added Ulsch. "If I lose PII and PHI, it's a bad day, and there are consequences. If I lose IP, it may be the end of the company. So managing risk is what security professionals are doing. They know it, now we need the rest of the organization to know it."

Ulsch, who joined the Information Security magazine editorial advisory board last month, is among the experts who shared tips and strategies in my article on global risk assessment and security. Analysts at Gartner, and elsewhere, advise senior security management that by 2020, companies can expect cybersecurity spending outside of compliance to drive global risk assessments and strategy assumptions at Global 2000 companies.

"The answer to [the spending question] is not immediately obvious," said Ernie Hayden, CISSP, global managing principal, RISK, Verizon Enterprise Solutions.

"Right now the drivers are still based on compliance to certain security standards," he said. "Additionally, the threat intelligence and how it can be useful to a company is not immediately obvious to the executives, who approve security expenditures. And, with the new threat intelligence, it is quite common that the CISO may need to ask for more technology or staff to help react to the intel more effectively."

As Hayden pointed out, the amount of information and data that CISOs need to plow through -- and protect -- is bursting beyond the "four walls" as mobile devices and high-memory portable media proliferate. And it shows no sign of tapering off. The format of the threat intel -- which is likely coming in bursts instead of a continuous stream -- may open the door for arguments about its real value to the company.

All of this "makes the CISO's job that much more difficult and expensive to execute," said Hayden. "The CISO, executive leadership team and board of directors need to realize that they should assume that the organization will be breached in the future. This is the sad truth that many leaders have difficulty accepting," he acknowledged. "The bad guys only need one way into your network to steal and vandalize. However, the CISO and their team need to cover every single entry point into the network, applications and databases," he said. "Again, this is a tough task."

We also tackle the ongoing issues that CISOs and their teams face as the security skills shortage shows few, if any, signs of improvement. Author Rob Lemos writes about the innovative ways that security firms and other companies are trying to keep their pipelines flowing, especially as universities and colleges continue to fall short, and entry-level security specialists offer little more than "frequent flyer" skills.

On a positive note, help is on the way as vendors continue to improve their next-generation firewalls, fine-tuning application awareness and other user controls. Longtime tech journalist and technology expert David Strom interviewed IT security managers and CISOs to find out how their migrations were going and what advice they could pass on to other organizations that are thinking about replacement strategies. Enjoy the issue, and let us know what you think.

Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath. Send comments on this column to

This was last published in September 2013

1 comment

From what I’ve seen, it’s not so much that they need convincing, it’s more that they need to be educated about cybersecurity and the organization’s security concerns. Once they understand, executives are generally enthusiastic in their support of security and risk management.
