June 24, 2013

Clueless Board or Inarticulate CISO

Forbes published an article, “Boards are still clueless about cybersecurity”, on 16-May-2012, based on the report The Governance of Enterprise Security: CyLab 2012 Report, published by Carnegie Mellon CyLab and RSA. The report was based on the responses of 108 respondents at board or senior executive level from Forbes Global 2000 companies. Half of the respondents were board members, and the other half were non-director senior executives.

Not Listening

Seventy-five percent (75%) of the 2012 survey respondents were from critical infrastructure industry sectors, primarily the financial, energy/utilities, IT/telecom, and industrials sectors. The survey probed whether senior executives and board members were undertaking basic cyber governance activities, such as reviewing privacy and security budgets and top-level policies, establishing key roles and responsibilities for privacy and security, and reviewing security program assessments. It also asked whether the board was receiving information critical to the management of cyber risks, such as regular reports on breaches and the loss of data. Key findings highlighted in that report were:

  • Of the critical infrastructure respondents, the energy/utilities sector had the poorest governance practices
  • The industrials sector did only slightly better than the energy/utilities sector
  • The survey findings highlighted that the financial sector has the best security practices, even though its respondents indicated major gaps in security governance
  • The financial sector respondents also had one of the highest percentages of CISOs (76%) and CSOs (63%) who are assigned responsibility for both privacy and security, creating segregation of duties issues
  • According to this report, CISOs are a competent group of professionals, but they cannot get attention at the top, or adequate funding, to close gaps that they know exist
  • This report also mentioned that too many CISOs are stuck reporting to CIOs who squeeze their budgets, interfere in procurements, and meddle in security configuration settings

These are some disturbing findings and statistics. However, I believe the situation has changed in recent years due to security incidents such as those at RSA, Bit9 and Sony. Boards and C-Execs are aware of cybersecurity issues and risks.

In my view, “boards are NOT clueless” BUT “boards are badly informed”. Let me explain the rationale behind my point of view.

During the early part of my career, I was frustrated a number of times when my department didn’t get business case approval for a security initiative. Every time it happened, I found myself wondering “Why doesn’t the board get it?” In recent years, the situation has changed; security incidents such as those at RSA, Bit9 and Sony have brought increased attention to Information Security and have also created an interesting OPPORTUNITY.

Tough Climates

For a moment, imagine yourself as a member of the board of a typical global organisation in the current climate. How would you feel about running a business, meeting the expectations of shareholders, increasing revenue and profitability, and so on? The current climate is one of tough business conditions, and it is putting more and more pressure on businesses. Boards and C-Execs are pressured to:

  • DELIVER on shareholder’s expectations
  • STRENGTHEN the balance sheet, i.e. increase revenue and find operational efficiencies
  • INCREASE profitability of the business

What a CISO needs to demonstrate to the business is “how can the security function help, directly or indirectly, in delivering on these business objectives?”

Staircase Illusion

I have often heard the statement that security needs to be a business enabler. Do business executives believe it? Do they see the security function the way we want them to see it? As security professionals, we are very passionate about the Information Security and Risk domain; at least I have always been, and know I always will be. But board members and senior executives do not necessarily share my passion. They have a number of things occupying their minds, and cybersecurity happens to be just one of them.

We may think that we are doing a great job in fixing AV defects and laptop encryption defects, doing third-party security reviews, enforcing a clear desk policy, running vulnerability scans, making sure application security testing is done prior to go-live, and so the list goes on. But what do our passion, our activities and our firefights mean to business executives? What value do they see us bringing to them?

Do they see this value the way we want them to see it? The reality is that they don’t.

Netflix

In our day-to-day lives, whether we are buying a service or a product, we expect to get the desired value for the money spent. If I am paying Netflix monthly for an on-demand video service, I expect to be able to watch movies on my multiple devices at any time of day. If not, why should I continue to pay?

The same goes for the board. They need to believe in the return when signing off on the security budget. In most organisations, the security line item within the annual budget has been increasing year on year. What business execs struggle to understand is what they are getting IN RETURN for that money. I don’t think that continued security incidents and reports like the CyLab report can change that for us.

Castaway SOS

Who is to blame if the board doesn’t get it? What I have realised personally is that we need to take ACCOUNTABILITY for this failure. We need to accept that we have not done enough and that we can do better. If we keep thinking that it’s someone else’s problem, nothing is going TO CHANGE. If you remember the movie Cast Away, Tom Hanks wasn’t rescued by anyone from that lonely island. He had to build himself a raft and sail out to increase his chances of being rescued. CISOs need to be in control of their own destiny. Nobody else will do it for us. We have to do it ourselves.

Security is about what you make possible. We will succeed in our objectives when the business has a greater level of TRUST in security and truly believes that we are helping it deliver on its strategic business goals and objectives.

Building Trust

We need to gain Trust and build Credibility with the board and senior executives. This cannot happen overnight. CISOs can earn trust and build credibility by:

  • selling business benefits of the security function
  • marketing business benefits of the security function
  • communicating business benefits of the security function
  • consistent and persistent delivery on business objectives
  • winning the trust of key influencers at the C table one by one
  • building allies and ensuring senior executives know them for the right reasons

It’s not just about the delivery; it’s a lot about perception management as well.

I delivered a talk on this topic as the closing keynote on the first day of the Forrester Security & Risk EMEA Forum 2013 in London earlier this month. You can refer to the slides for my talk on SlideShare.
