Josh Thomas //
Editor’s Note: Recently on Twitter, we asked our followers “What’s the hardest thing to get your C-level to understand regarding security?” The answers came in like a roaring flood! Hopefully, this helps you toward a path that improves your relationship with your C-level and, in return, alleviates some of those frustrations.
One of the more challenging things that those of us working in the cyber security/information security realm routinely face is convincing the C-Suite of the value that we bring to an organization and how we can play a vital role in an organization’s success. If we are lucky, we are working for a CISO who understands the evolving threat landscape and has the ear and support of a CEO/CIO/CFO/CMO/C-something or other. If we aren’t so lucky, we are faced with pushback, intense scrutiny about the projects we pursue to improve our organization’s security posture, and even worse, contempt! “Why are we paying these cyber guys big buck$ and why are they always asking for more budget! Don’t they know they are a cost center!” This is probably a reaction we’ve all run up against at one point or another.
So, what are some things we, as a profession, can do to improve the C-Suite’s understanding of why security is important? See below for some of my ideas.
The People Problem
Anyone who’s spent more than five minutes in an InfoSec role has seen it. Most of us have restless nights because of it. More often than not, organizations simply don’t have enough people trained to do the job effectively. This leads to employee burnout and disgruntlement. There isn’t a more dangerous scenario that comes to my mind than a disgruntled security analyst with DA creds. At the C-Suite level, it’s imperative that they understand that running thin on staff ultimately leads to people walking out the door. An analogy that I will often use with any level of management is this: you have to staff an InfoSec team like a fire department. Now, this may mean that you have a team that isn’t at 100% utilization 100% of the time, and that’s ok. When “down” time exists, it creates the perfect opportunity for the staff to update and review procedural documentation, get familiar with a new technology suite, etc. You know, typically, those tasks that get pushed to the back burner when we are at 100% utilization. Getting back to my analogy: while there are often times firefighters are hanging out at the fire house, cleaning gear, washing the truck, and working out, when the call for a five-alarm fire comes through, the team is ready to go. Staffing an InfoSec team should be thought of in the same way.
Security as a Differentiator
A CEO should think of a robust security program as an opportunity to turn a “cost center” into a “profit center”. While I would not suggest that a CEO release a press statement asserting their organization is infinitely secure and “hacker-proof”, the C-Suite should use their respective organizations’ investments in information security as an opportunity to establish an increased level of trust with their customers and suppliers, and as an opening to outpace their competitors. And this shouldn’t stop with complying with the alphabet soup of regulations and compliance frameworks. It is imperative to demonstrate that an organization has internally established vulnerability management programs, submits itself to routine internal and external pen tests, has a well-defined (and tested!) Incident Response program, etc., etc. These characteristics and capabilities can and should be leveraged to attract new business and to set that level of trust with clients, partner organizations, and future customers.
Not a Set & Forget Proposition
Probably one of the larger misconceptions that plague the C-Suite is that if an organization is secure today, it’ll be secure tomorrow. The sad reality that we all know all too well is that the threat landscape is more volatile than the stock market. It’s our job to educate our C-Suite on that dynamic and harsh reality. More importantly, we have to help them understand that being proactive and having systems in place to combat an ever-changing threat landscape ultimately leads to better protection of the corporate enterprise and is one facet of ensuring business continuity and minimal interruption to revenue streams. Nothing will get the C-Suite’s attention quicker than walking them through multiple scenarios where the revenue stream is interrupted.
It’s all too easy for us security folks to want to hide out in our cubicles and ruminate on how misunderstood our profession is amongst those at the top. But don’t! Work to open up the lines of communication with your organization’s leadership. Work to implement policies that balance security with business objectives throughout your organization. Become a trusted advisor. If you hear about a new software development project in the works at the water cooler, make some casual suggestions on some of the latest secure coding practices. Oftentimes these informal conversations can lead to a fundamental shift in the way an organization does business and can help establish the need to bring security to the table at the onset of any new project. Demonstrating that “you’re on the team” and are sensitive to the needs of the business can go a long way in establishing an InfoSec team as a “trusted insider”, operating with the business’s best interests in mind.
We get it, training dollars can be scarce, but it’s an absolute necessity. How do we demonstrate a Return on Investment with training dollars? One way is by taking a train-the-trainer approach, which can go a long way in expanding knowledge throughout an enterprise. Staff members should come back from a training event and impart their knowledge to other members of the team. While sending a staff member to a week-long training course on any one technology is great, it’s critical that knowledge doesn’t walk out the door when that staff member gets hit by the proverbial bus. Having documented “how-to guides” on how all of the tools in the toolshed are used really helps address the knowledge gap that’s created when someone walks out the door. We should be sensitive to the fact that training is an investment that a company makes in us; we owe it to ourselves to not let that knowledge sit on the shelf and gather dust. Taking this approach helps justify the expense of future training opportunities to leadership. It’s the butterfly effect.
Tools and Automation
The perception that a new application is all it takes to secure a company’s IT infrastructure is shortsighted. While I don’t know a single IT/InfoSec guy who doesn’t like sitting in a dark room and configuring the newest firewall, IDS, DLP, you-name-it solution, the perception that you’re secure just because “We’ve got an app for that” is a dangerous one, and with new technology comes new challenges. InfoSec staff can help change that mentality by mapping out threat scenarios to each layer of the security onion. Being able to demonstrate to leadership what is negatively impacted when any one layer of defense is not in place helps to alleviate this. Having a security architecture in place that ties to specific threat scenarios gives the C-Suite a much better understanding of their risk profile and shows where defensive gaps exist. It’s on us to help steer them away from the “We’ve got an app for that” mentality, and being able to communicate that to them succinctly, in a way that shows the negative impact to the bottom line, is usually pretty effective.
Owning the Risk
Much like the Captain of a ship is responsible for every aspect of operations on the ship, the C-Suite, and more specifically the CEO, is tasked with the responsibility for all operations within their respective organization, including security. Turning a blind eye to the possibility of cyber intrusions is not only negligent, it’s dangerous. It’s important that they understand that it’s not a matter of if they’ll be attacked, it’s a matter of when (if not already) and how the organization reacts when an attack is identified. Having established security protocols may keep the company’s name from becoming the lead story on the nightly news. And should that happen, the C-Suite needs to have a Public Relations plan in place for managing the media… That plan is just another layer of the security onion!