Despite an ongoing series of high-profile enterprise data breaches, the 2012 Carnegie Mellon CyLab Governance survey found that CEOs and senior executives are still far from fully invested in the need for security.
Particularly troublesome was the finding that nearly 60% of those surveyed did not receive regular reports about security risks or participate in security governance. Most notable is that this finding is not a statement about technology; it points squarely at a lack of executive involvement.
In the report, CyLab authors directly noted the lack of senior executives’ involvement with security governance: “One of the most important advance findings of the CyLab 2012 Governance survey is that boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets. Even though there are some improvements in key “regular” board governance practices, less than one-third of the respondents are undertaking basic responsibilities for cybergovernance. The 2012 gains against the 2010 and 2008 findings are not significant, and appear to be attributable to slight shifts between ‘occasionally,’ ‘rarely,’ and ‘never.’”
At a minimum, I suggest reading the report to learn more about what CyLab discovered during this review. I’d also suggest passing it along to your CEO and senior executives with recommendations it go to the board of directors.
In this tip, I'll discuss how a CISO's responsibilities include getting other senior executives more involved in security governance, offer some useful ideas for beginning the process, and consider whether fear, uncertainty and doubt (FUD) should play any role.
Steps toward executive involvement
As a former CISO, I was not surprised by the CyLab report's revelation concerning the lack of executive- and board-level oversight of, or involvement in, the enterprise's security governance. For many years, a recurring topic at CISO forums and security conferences has been how to make CEOs and senior management aware of, and involved with, the information security challenges, threats and issues affecting the company. There was general consensus that a lack of senior executive involvement is a consistent theme across many organizations, and that CEOs, and even boards of directors, should be actively involved in the security conversation. However, there was no real agreement on how to achieve this objective.
So, what can a CISO do to get the senior management and board involved? There is no single answer to this challenge, but here are some ideas:
- A CISO needs to thoroughly understand the company's business to gain credibility with senior management. That means studying what the company does, what services and products it offers, and what it needs to satisfy the marketplace. Reading the company's annual report, 10-Ks, 10-Qs and other regulatory filings is an appropriate part of this homework. By fully understanding the company's business strategy, a CISO can have broader conversations with the board and executive team, while also understanding some of the reasons why security is not always at the top of their respective agendas.
- Spend some time outside the IT security bubble. Try to meet with the organization's CEO, CFO, treasurer, and operations and production managers, to name a few. Take the time not only to explain who you are and the role of the CISO, but also to ask for their views on information security for the company and how you can help the organization understand it better. The primary intent of these meetings is to begin a conversation about security with the company's leaders. Effective ways to continue that conversation include offering security briefings and education sessions to the executive leadership team and other groups within the company. Emphasize that security plays an important part in the company's success.
- Take every available opportunity to sell the idea of effective security to executives and even the board of directors: explain why it is important and why continued support in the form of resources, personnel and money is necessary. For example, when the 2012 Verizon Data Breach Investigations Report (DBIR) is published, consider giving an executive briefing on its findings. The same approach works with any of the other reports issued by security companies or government agencies.
- CISOs should also be familiar with the recently issued U.S. Securities and Exchange Commission (SEC) guidance calling on publicly traded companies to disclose the risk of cyberattacks, breaches and other incidents if they materially affect an enterprise's products, services, relationships with suppliers or customers, or competitive conditions, or if the incidents make investment in the company speculative or risky. Briefing the officers and directors on this SEC guidance may be an appropriate role for the CISO and security team.
- Brief the general counsel, as well as some or all of the company's board members and executive team, on data breach reporting requirements for the states and countries in which the enterprise's customers reside or in which their data is stored. For instance, if the enterprise has customers in California, it is obligated to comply with the state's data breach laws and regulations should it suffer a breach. In California, if the lost data contains information such as a first name and last name combined with a Social Security number or credit card number, the company is obligated to notify the affected customers of the breach. Approximately 47 states already have similar data breach laws on the books, so it is important to understand the implications of a breach that affects customers in multiple states. The CISO's knowledge of such laws and regulations can help prepare the general counsel and leadership team should the enterprise face a data breach incident.
Stats and fear
When it comes to gathering and reporting security metrics, it may be best to first discuss the topic with the executive team and determine which metrics make the most sense. Possible areas of focus are the costs associated with security breaches, and with security system implementation and management. For instance, the Ponemon Institute estimates that each lost record costs enterprises as much as $214, an eye-opening statistic when you consider the scenario of losing a corporate database holding millions of customer records. This cost-per-record figure does not include other potentially substantial costs, such as lost business and damage to reputation, both of which could have a significant effect on the company's future success.
Finally, as CISO, resorting to FUD rarely helps your cause. Rather than engaging in scare tactics, focus on how you contribute to the success of the business by protecting its data and intellectual property as a risk manager and security expert.
For the CISO to affect corporate direction on information security, it is important to have a solid understanding of the company and its business. By educating and demonstrating an understanding of corporate risk issues to the executive team and the board, a CISO can raise his or her value within the corporation while making significant strides toward improving the security of the organization.
About the Author:
Ernest N. Hayden (Ernie), CISSP, CEH, is an experienced information security professional and technology executive, providing thought leadership for more than 10 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research. Based in Seattle, Hayden holds the title of “Managing Principal – Energy Security” at Verizon’s Global Energy & Utilities practice, devoting much of his time to energy, utility and smart grid security on a global basis. Prior to his current position at Verizon, Hayden held roles as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), and Seattle City Light. Hayden’s independent analysis may not always reflect positions held by Verizon. Read more of Hayden’s expert advice on his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at firstname.lastname@example.org.