Defend Your Budget to Defend Your Company

IT Security Budgets

A key focus at the 2015 RSA Conference was the elevation of cyber security from the IT department to the board room. By and large, we’re seeing leadership across enterprises around the globe take notice, as highly visible attacks on the US government, Anthem, and others have raised questions like, “Can this happen to us?” The advent and proliferation of the Chief Information Security Officer (CISO) spotlights the anxiety in the board room but also shows the cyber risk message has been received. For the IT professional, however, access to the board room is just the beginning of a new journey.

IT practitioners must learn to think, and communicate, like a board member. One opportunity for security leaders and CISOs to showcase their executive skills comes in the form of defending their budgets.

To do so, it’s imperative for the CISO to first understand where the company’s dollars are being spent and identify potential areas of cost savings. At RSA, CISOs were polled about bloat in the IT security infrastructure, and more than 80% of the respondents stated that they had redundant software or hardware. Estimates of wasted money paying for maintenance and support varied but reached up to 28% of the overall budget. This is particularly true in cases where mergers have occurred. As such, the first step in preparing to defend budgets is taking an inventory of the firm’s security platforms. From there, a CISO can easily create a plan to rationalize the company’s infrastructure and the services for which they pay.

Next, CISOs should look for opportunities to cut costs and operationalize security. This means using the savings accrued by eliminating unnecessary redundancy to install on-premise or cloud platforms that pull together data and threat intelligence. These platforms enable security analysts to make fast and accurate decisions and, when integrated into workflow management or ticketing systems, limit the amount of unnecessary work a security professional is required to do. To be clear, this is not about cutting headcount. It’s about empowering the team in place with the support they need.

Finally, and perhaps most crucial, CISOs must begin to effectively prioritize various risks, weighing the potentially affected audience against the cost of remediation. In some cases, the platform installed to operationalize security can be helpful in prioritizing threats; it can avoid generating alert fatigue by implementing a system that helps analysts prioritize and deal with the increasing array of attacks. The prioritization and operationalization of individual risk is what will resonate with the board of directors. Translating “security concerns” into “business risks” and then proceeding according to the largest threat is the way any board would want to proceed.

As such, it is also how most boards would proceed when discussing and approving a budget. Today’s CISO, with his or her seat in the board room, can’t respond to the growing demand for cyber preparedness with constant requests for more headcount and more investment. Instead, he or she must maximize staff productivity and then find cost-effective ways to bolster the team’s performance. Managed services should play a key role in augmenting staff performance. At minimum, these services strengthen perimeter defenses and limit the amount of potential malware getting through, and therefore allow an internal team to be more focused on solving fewer challenges. Managed services that incorporate real-time threat intelligence ensure security professionals have a better idea of what to focus on most.

If you’re a CISO, you no doubt have the security skills required to meet the demands of the role. Now, it’s time to showcase your executive skills by taking an inventory of systems, identifying opportunities for operationalization and improvement, and being well positioned to defend the budget your team needs to protect the company.
