CISOs Balance Risk, Tech Obligations
New Study Assesses Evolving Role of Security Leaders
As security leaders continue to gain influence with C-suite executives and boards of directors, they need to overcome communication challenges, says IBM's David Jarvis.
The good news: Security leaders generally have good working relationships with their boards and top executives, says Jarvis, manager at the IBM Center for Applied Insights, who discusses the results of an international study of chief information security officers.
"They communicate with them regularly, on average once a quarter," Jarvis says in an interview with Information Security Media Group [transcript below]. "They talk about risk. They talk about budget with them."
But where CISOs can continue to improve is in how they communicate with the C-suite, he says.
"CISOs have to do a really good job getting past the technical jargon and language, even though they really have to be expert in those areas," Jarvis says. "We can't forget technology when we talk about risk. But [CISOs] have to wear the second hat and be business-savvy to be able to communicate those complex, technical security problems."
Another challenge for CISOs is to address deftly the different security concerns of each senior executive, Jarvis says.
"A CEO might be worried more about customer trust or the overall perception of the business," he says. "CFOs are going to be worried about financial loss due to some sort of security incident or breach. COOs are going to worry about operational downtime if the website goes down."
Those different worries present a real hurdle for security leaders, Jarvis says, because they must figure out how to "address those diverse business concerns, how to do that well and how to build that trust and have that communication."
Among the main findings of the study:
- Nearly 70 percent of security leaders surveyed say they develop their security strategy in conjunction with other business strategies;
- 80 percent say they're aware of the security concerns of the CEO;
- 71 percent track the impact of security to the overall risk to their organization; and
- 30 percent plan to develop an enterprise strategy for bring your own mobile device and 29 percent have already done so.
Jarvis was named in September as manager at the IBM Center for Applied Insights, which conducts research and provides analysis of new ways to provide leadership on implementing IT and IT security. He previously worked at the center for three years, leading a number of research projects on the roles of CISOs and chief information officers. He is an adjunct faculty member in the Business Studies and Economics department at Salve Regina University in Newport, R.I.
ERIC CHABROW: Take a few moments to summarize the main findings of your study.
DAVID JARVIS: This is our second CISO assessment. We did our first one last year and it came out last May. In that assessment, we looked at categorizing and describing different maturity levels for security leaders. This year, we wanted to go deeper and understand practices and what the mature security leaders are doing to make themselves more successful.
We looked at three different areas: business practices, technology and measurement. From a business practice standpoint, we heard from the interviews that we did as part of the assessment that a strong strategy and policy is extremely important, [along with] comprehensive risk management, really good business relations focusing on building trust and building relationships, and then good communications. That came up again and again. We asked people what advice you would give new security leaders or new CISOs. What have you done that has made yourself successful? But there are also business talents there as well. We asked them in their dealings with their board and their C-suite what they were worried about. The good news is that a lot of those security leaders we talked to have good relationships with their board and with their C-suite. They communicate with them regularly, on average, once a quarter. They talk about risk. They talk about the budget with them.
What I don't think is surprising ... is obviously every member of the C-suite has a different security concern, and the security leaders realize that. A CEO might be worried more about customer trust or the overall perception of the business. CFOs are going to be worried about financial loss due to some sort of security incident or breach. COOs are going to worry about operational downtime if the website goes down. I don't think that's surprising, but I think it highlights a real key challenge that maybe not all security leaders realize - addressing those diverse business concerns, how to do that well and how to build that trust and have that communication. That came up over and over again in the interviews that we conducted.
CHABROW: If I recall looking at the survey for CISOs, they were all over the place, correct?
JARVIS: They were pretty much worried about everything. They didn't really have one specific area. They were worried about breaches. They were worried about budgets for security deployments. They were worried about integrating security into the overall IT architecture.
C-Suite's Concern over Information Risk
CHABROW: The survey shows that nearly six in ten of the security leaders surveyed said that when they met with top corporate leaders, they discussed identifying and assessing risk. What does this say about the evolving role of the CISO as well as the top executives and board members when it comes to information risk?
JARVIS: What we found out last year is that the C-Suite and board are increasingly worried about the risk that comes from information security or just managing IT systems in general. CISOs have to do a really good job getting past the technical jargon and language, even though they really have to be expert in those areas. We can't forget technology when we talk all about risk and business relations. But they also have to wear the second hat and be business-savvy to be able to communicate those complex, technical security problems and put them into the language that the business can understand.
What we found is, from a measurement standpoint, even though a lot of the security leaders were challenged by this, they were having trouble getting these more technical security metrics, translating and converting them into the financial impact to the business for integrating them deeply with business risk metrics. Some of the folks that we talked to, information security might be a couple of line items and an overall risk assessment, but the really mature ones in the best practices and the leading practices I think are those that can integrate those IT risks and those security measures into the overall risk process.
Blending IT with Overall Risk
CHABROW: Do you have any sense of how organizations are successful in integrating them? Are there different people involved in determining how information risk works with business risk?
JARVIS: I think that some businesses divide up the responsibilities a bit more. The CISO might be very focused on IT security and the technical side, and they might have a risk officer that they work with that might be a bit more blended. One of the case studies that we have in the report highlights a good practice for this, and they were really integrated into the risk process from the beginning and they looked at all these different business processes across the organization. As part of the risk management process, they identified what the IT security risk is. What happens if we lose one of these processes because of a security incident or a breach? How fast do we need to recover and what is it going to cost the business? Putting it into those business measures and sitting at this table for all of these conversations is important.
Awareness Is Increasing
CHABROW: You just have two years' worth of surveying. ... Is there more of an involvement in information risk with the CISO or is the CISO bringing on other people to help?
JARVIS: Like you said, we've only gone over this for the past two years. I think it's a definite trend. I think that the awareness is increasing. I couldn't tell you that X percent were focused on it last year and X percent were focused on it this year, but I do know that in the survey this year, when we asked how do you spend your time, the folks that we interviewed said about a quarter of their time was still spent on technology evaluation. But at the same time, a quarter of their time was also focused on risk management. That's extremely important, and it will be interesting to see how that changes over time. I think the desire is there. I think the business needs it and I think that the industry is slowly shifting in that direction.
CHABROW: Let's talk about the technology. Both years, mobile was highly ranked, if not the top ranked technical concern of CISOs. What's different about their concern last year versus their concern this year?
JARVIS: Last year we looked at it from a very high-level perspective and compared it. Are you more worried about mobile? Are you more worried about cloud? Are you more worried about database security? This year we got to go into a little bit more depth. What surprised me a little bit, but not completely, was the fact that mobile moved so rapidly up the list of critical technologies that security leaders see. When we ranked 14 different technology areas, mobile security was considered the third or fourth top security technology area. It bounced up pretty rapidly. We don't have anything to compare to from last year, but I think just placing it up there above some other technology areas shows how much attention is being paid to it. It was the No. 1 technology area that the folks that we interviewed are investing in, and about 25 percent of the folks that we interviewed had invested significantly in mobile security technology over the past 12 months; and that was the No. 1 area. ...
CHABROW: It's not if we're going to do it; it's just how we're going to do it.
JARVIS: Exactly. I think it's just how fast and if we're going to get there. That's one of the challenges that we called out. Security leaders are addressing the foundational technology elements. They're getting their inventory of devices that access the corporate network. They're installing mobile management capabilities. But where I think the gap still [exists] is when it comes to personally owned devices and BYOD. The Internet response policies or just effective overall enterprise strategies aren't there yet. We found out that it's not that security leaders don't know this. I don't think the security leaders have gotten to that point yet where they can spend the time and develop those effective strategies.
CHABROW: Is it because it's been so rapidly thrown upon them that they haven't had the time or are there other reasons?
JARVIS: That's what I believe ... because the interest is there now; the investment is there now. But some of the policy areas are lagging. I think it's the rapid nature of it.
Versatile Security Leaders
CHABROW: Any final thoughts?
JARVIS: In general, there's so much going on in this space and in this field that I think security leaders are really being driven to become more versatile. They have to wear many hats. Obviously the threat is out there, but I think the attention is out there as well. Having these leading practices, meeting with other people within your industry to talk about leading practices to get the conversation started and sharing information where you can I think is going to raise the overall game of the industry.
CHABROW: I don't know whether you can make this kind of assessment or not based on the assessment that you've conducted, but do you feel that the CISOs you speak to are up to the job or do you think they need more support?
JARVIS: Obviously there are some pretty critical skills shortages out there. We didn't talk too much about skills or skill shortages in the assessment, but I think if you read the popular press and trade journals there are some pretty significant gaps in resources and skills. Security leaders that at least we talked to realize that this transformation is really taking place. They do feel that they're up to it; I just think some of them would probably say that they obviously need more resources or need more skills.
CHABROW: What are the skills? Are they things like better communications?
JARVIS: When we talked to a lot of mature security leaders, communication always comes up as number one. Being able to effectively communicate is a key skill and I think it's mandatory.