CISOs Today Must Build a Risk-Aware Culture Where Security Awareness Permeates Every Level of the Organization...
Security leaders have evolved in the last couple of years, from technical security gurus in the back office to chief information security officers (CISOs) with a seat in the boardroom. Their profile, importance and influence has risen along with the increase in high-profile breaches and targeted attacks in the media. Their business and legal acumen have flourished as they have morphed from pure technical leaders to governance, risk and compliance managers.
According to a 2012 IBM report entitled “Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment”, this new breed of information security officers fall into three buckets – Influencers, Protectors and Responders.
Influencers are information security leaders who see their security organizations as mature and progressive, have business influence and a strategic voice. A "protector," meanwhile, understands that security should be a priority within an enterprise, but doesn't have "the measurement insight and the necessary budget authority to fully transform their enterprises' security approach," according to the IBM report. A "responder" is focused on the tactical response mode, and does not have the influence or resources to drive significant change. Of the 168 organizations surveyed, one-fourth (25%) serve as an influencer, about half (50%) operate as more of a protector, and the rest serve mostly as a responder to security incidents.
So back to the topic on hand… It is clear security leaders have grown significantly, but need to progress more rapidly to influencer status. How can CISOs or their peers get a seat at the table whenever new IT projects are created? More importantly, how can CISOs get to the table early and often so that the security requirements are considered up front and not bolted on later? A lack of engagement by development teams with security tends to be historical – it stems from a lack of understanding of security and compliance implications, the perspective that security teams tend to say no to projects because of the risks involved, and that security causes significant delays in projects. It has led to the common tension between networking/application teams and security teams. But today, with the new threat landscape and the extended enterprise of partners, suppliers and customers that have access to the network, security will be ignored to the detriment of organizations.
To get security a seat at the table, it is critical to consider organizational shifts in developing security strategies. It is crucial to get to a culture of “yes”, where security enables, and does not hinder the organization. As CISOs, your partner in your endeavor must be security solutions that support your initiatives, enforces business policies and can enable them at a granular application, user or content level. These are three key security strategies and corresponding security requirements to getting a seat at the table:
Align Security with Business Objectives
The most important objective with any security strategy is to ensure that it maps clearly back to the organization’s strategic business objectives. Security transformation must align with the pragmatic day-to-day discipline of the organization, in other words, security policies that enable new business initiatives and support existing ones.
Let’s take the example of an organization that wants to enable mobility and BYOD (the dreaded new four letter buzzword in IT!). The CEO wants to drive productivity via anytime anywhere access via a variety of different devices. This includes personal devices brought in by younger or bleeding edge employees that want to employ the latest technology that not only helps them do their jobs better but also defines their personalities. The CISO’s job is to implement security without hindering the benefits of mobility.
Security, if designed correctly, enables all of this. How else but with the latest next-generation security solutions can you enforce access to financial servers only for accounting employees using managed endpoints that have the latest operating system patches and are free from viruses,? Next-generation security solutions do this without creating massive operating complexity. A secure mobility strategy ties back to other security initiatives – it helps build the business case for segmentation within the data center to isolate vulnerable and high-risk applications from other parts of the data center. It also builds the business case for secure virtualization to ensure the applications in the data center are served quickly, reliably, and securely to these endpoints. Developing an end-to-end client and data center strategy to address mobile security now moves the focus towards a global security strategy.
Translate Security Into Terms that Other Business Executives Will Understand
It’s always been the case that the security teams speak a different language from other teams (networking and application development). One of the most strategic skills a security chief can bring is the proficiency in translating security speak into the language of business risks and financial ROI terms. While security geeks in a room may be excited by information on the frequency or type of attacks to the organization, these numbers are not appealing to board members. At the board level, the ability to show dollar return on security initiatives is critical to ensure continued executive support on security investments. Non-security speak includes translating security processes into what business leaders understand – applications, users, content and business risks.
One example is with secure application enablement initiatives. A number of applications such as social networking applications were once the domain of personal applications but are now being utilized by businesses to reach their customers, partners and suppliers. With next-generation security solutions, you can enable specific types of applications (and functions within them) for certain users. Allowing Facebook and Twitter for marketing groups in an organization, but blocking games and social plugins as well as malware and exploits strikes an appropriate balance between security and business enablement, but can also translate to customer enablement success or improved customer satisfaction numbers at the board level. The policies being developed are also easily described at the executive board level instead of some complicated security term.
These same secure application enablement policies can be extended to limit the bandwidth utilized by non-business applications, and ensure quality-of-service for critical business applications like voice-over-IP. Recent reports show how bandwidth-hogging applications have increased in the enterprise and are taking bandwidth away from other important areas. Rate-limiting bandwidth usage for non-business applications can again be translated to bandwidth budget savings that is well understood by business executives.
Security Must Be Agile and Proactive
Security needs to evolve and adapt in tandem with the business. It is impossible to justify a major security investment without also having the flexibility to manage this investment in the face of changing business dynamics. For example, today, an organization may be concerned about insider related threats, but in six months as they open up their organization to business partner access, their security solution must be flexible to incorporate changes in the networking architecture, and adaptable enough to address new external security threats without requiring a complete architecture overhaul.
A proactive approach to security is also important. A reactive approach may seem to be less time-consuming in the beginning, but reactively chasing down the latest threats or the latest infection eventually leads to a never-ending cycle of fires to put out. Planning ahead provides a clear, actionable, repeatable and reportable strategy for dealing with security threats today and in the future. Planning ahead can anticipate changing business needs and upcoming projects that require security, and alleviate political cross-functional conflicts.
Key Security Solution Requirements
The new breed of successful CISOs is proactive and passionate in architecting security solutions that have the following characteristics:
• Security solutions that enable business policies – this means security solutions that don’t just allow or deny but solutions that provide granular control at the application, user and content level to support rich and sophisticated business policies while keeping out threats.
• Security solutions that are flexible and agile – when your security posture changes in the next six months, or your network architecture changes, the expectation is that the security must adapt, either by supporting the evolving network requirements or adding new security features to tackle new threats. The days of throwing another security appliance to tackle a new problem is not only an expensive proposition, siloed appliances are unable to tackle the new threat landscape that utilizes multiple, coordinated threat vectors.
• Security solutions that can be managed easily – at the end of the day, no matter how great your solution is, if you cannot decipher the intricate complexities of the platform, or writing a policy requires a PhD, then the solution is useless. Security solutions with good management includes useful dashboards and reports (in non-security speak you can leverage) so you don’t spend valuable time painfully extracting and correlating security data manually, time taken away from strategic focus.
In summary, the most effective CISOs today can’t just be experts in security. They must possess the business know-how to build a risk-aware culture where security awareness permeates every level of the organization, and be experts in how security should be architected to more effectively support the business. You may comment below and can follow me on Twitter @danelleau and share your strategies for getting a seat at the table.