Most CIOs are not security experts, but in the board room they need to be. Thanks to the CSO, they don't have to go it alone. Behind the scenes, the CSO can help prepare the CIO, offering advice on how to interpret the company's threat levels, boiling down the most relevant information and communicating it, early and often, so the C-suite will pay attention.
"The challenges when you take on the CIO role or an executive role are that you don't think all about security," said Michael Hart, vice president and CIO of Petwell Partners, during a panel discussion at CIO Perspectives Houston last week. "You rely on the CISO."
The panelists, which included IT and security executives, discussed common assumptions about security risks, ways to get your business colleagues to take those risks seriously and best practices to use at your companies.
When preparing for a board presentation or a meeting with C-level executives, the first thing a CIO should do is ask the CSO to bring the conversation about security down to the most basic level and put it into terms that everyone from the most junior employee to the CEO can understand. "You don't want to talk ISO speak. Learn to talk to the business," Hart said. "That's one of the challenges I have, to make sure all lines across the company are from the business perspective."
Next, to set expectations and shape the company's thinking, the CSO should provide context around today's risks and show how they differ from yesterday's challenges. Samuel Sutton, computer scientist at the FBI, Houston Cyber Squad, said the stakes are much higher in today's threat landscape. "It used to be about the single, lonely hacker just getting access," he said. "Now instead of getting access, it's 'how can I turn it into a dollar' -- that changes the ball game."
Armed With Intelligence and Analysis
Another aspect of breaches today is that they are no longer being swept under the rug. "It used to be that the victims suffered this by themselves, isolated and alone," Sutton said. Today, thanks to intelligence, analysis and white papers, victims can educate themselves on how to handle a breach, he added.
Sutton also cautioned CIOs to not rest easy. Instead, assume you will be attacked and focus on the prevention and response plan. "The reality is that there are two networks out there, those that are hacked and those that [you] don't know are hacked," Sutton said.
Executives will likely pay less attention to the fact that there are many prevalent threats and more attention to how those threats could affect their lines of business. To prepare the CIO for that part of the conversation, the CSO should outline the impact of a security breach on the business in terms of hard cost and soft cost. Sutton recommended using examples of soft cost to show how a breach will affect the stock price, the cost of freebies to win customers back or the lag time of hiring a new C-suite executive.
Keith Turpin, CISO of Universal Weather & Aviation, suggested also looking at other breaches and how they affected those businesses, then showing how the same situations could play out at your company. "It's a risk analysis," he said. However, he cautioned CIOs not to protect everything the same way. "You'll run a resource exhaustion game."
Make Security Palatable for Business Leaders
Outside of the boardroom, security updates for the C-suite and business leaders should be digestible so they can fit them into their busy schedules. Hart said creating a one-page report that takes five minutes to read is a way to get on the CEO's radar. "It's about building the relationship long-term," he said.
Oberlaender agreed, "Address past, present and future -- and make a case for the CEO. Get on his radar with a weekly report and education." He also said it's important to create a program that C-suite executives can follow and include clear policies for employees to abide by. "Your company will have a breach sooner or later," he said. "So educate your executives that you can do something about it."
Lastly, it's critical to involve the legal department, which, Sutton says, can never happen too early. "Please get legal folks involved early on before your data is on fire," he said. "Help us, help you."