The business of security is business

June 10, 2015 Dan Holden

Compass needle pointing the word security. Concept image blue and black tones

With many calling the last year or more ‘the year of the data breach,’ corporate security teams are on notice. They face a wide range of threat actors, from nation-state cyber espionage to highly skilled patient attackers for hire, down to home gamers and nuisance attackers.

Corporate IT and security teams are feeling the pressure of this dynamic threat landscape. They know they’re being targeted and that they are vulnerable. A CISOs challenge today is incredibly difficult. Two monumental structural changes, mobility and cloud computing, have transformed their networks from well-defined and protected “walled gardens” to distributed collections of third party partners, with varying degrees of security capabilities. Today, essentially, the Internet is the corporate network.

According to the Ponemon Institute, 44% of retail organizations alone are experiencing upwards of 50 significant attacks per month; that percentage jumps to 83% for financial organizations who participated in the study. Perhaps even more worrying is that less than 17 percent of businesses globally are fully prepared for an online security incident according to research by the Economist Intelligence Unit (EIU) sponsored by Arbor Networks.

This comes at a time when executive and board-level awareness of these threats is already pronounced. If the CISO is unable to communicate in terms the executive team and board understand then they don’t get the appropriate level of support that is needed. This executive and board-level awareness of the threat landscape means CISOs have an opportunity to champion their own role as risk managers and defenders of the business. If CISOs are to deliver an understandable call to action and gain the credibility to push their strategic plans, they need to deploy a range of tactics to make their voices heard including:

Make security relevant for management: The CISO must communicate threats in a way that the leadership team understands. This is a tremendous opportunity for the CISO to position his/her role as beyond technology, but to the broader role of corporate risk management. By showing leadership and engaging proactively with other heads of department, CISOs can show how their specialist expertise adds a ‘return on prevention’ to the business.

Know your audience: If you get time with the CFO and talk botnets, you’re likely to see their eyes glaze over faster than you can say Distributed Denial of Service (DDoS). The primary message a CISO needs to convey is the threat that attacks of any kind pose in terms of lost revenue, reduced productivity and damage to the brand. A Chief Legal Officer will be interested in the regulatory and compliance aspects of a breach. The CIO is likely to be closely aligned with security risk to begin with. As such, the CISO’s role here is help the CIO deliver their technological vision for the organization. Know your audience and tailor the message accordingly.

Use specific examples: Keep it real. Make the key points relevant to your specific organization. Senior executives have little interest in theories or hypothesis. They are very interested in case studies, examinations of their business, and understanding the potential impact that these attacks can have on their business plans, financial goals or standing with regulators.

Without the proper level of understanding and buy in from the executives and Board, this is a recipe for disaster for the CISO, and the organization. Today’s effective CISO is a business person first, a communicator second and technologist third. This is a fundamental transformation that is taking place in organizations around the world. Those that succeed will be able to work with the executives and Board in a way that is meaningful and that ensures support and funding required to protect the business.

The post The business of security is business appeared first on Arbor Insights - Our People, Products and Perspective.


Previous Article
Don’t assume, and other great life lessons
Don’t assume, and other great life lessons

Early on in life, most of us were told, never assume. I’m frequently...

Next Article
Connecting the dots: Business benefits of threat hunting
Connecting the dots: Business benefits of threat hunting

Security Organizations can no longer keep up with the volume of security...