About a month ago, ThreatTrack Security released a study showing that most C-level executives didn't trust the cybersecurity capabilities of their own company. For instance, more than two-thirds of executives expressed concern about whether their company would be able to stop an attack or other security threat. As Chet Wisniewski, senior security advisor at Sophos, said to me in an email:
Many executives are looking for definitive answers to their security problems and coming up empty. Either their staff is pressured into providing a guarantee, which turns out to be false, or they get wobbly answers that aren't terribly flattering to the technical teams. Either way companies get breached and hacked and confidence in the IT staff perpetually diminishes.
It sounds like a lack of communication exists somewhere along the line, and a Gartner analyst thinks the problem stems from the very person in charge of information security within the company.
Paul Proctor told the audience at the Gartner Security and Risk Management Summit in Sydney that CISOs become their “own worst enemy” when it comes to defending organizations from attacks – the CISOs take all the responsibility and let the rest of their executive peers off the hook. According to ZDNet:
As a result, Proctor said that CISOs find themselves arguing for more money from the board, and the board itself doesn't see information security as a risk-mitigating exercise, but rather as a continual payment for "perfect" security.
The solution, Proctor said, is to change the narrative. Instead of focusing on the money, or even on the IT security aspect, security needs to be addressed as a business item and in terms everyone in the room can understand. As an example, he described how IT downtime caused by a security incident could disrupt manufacturing, citing a European car manufacturer.
I get what Proctor is saying, and I agree with him that the discussion needs a new approach. The issue, however, is that CISOs and CIOs do tend to think in terms of IT and networking and have their own buzzwords that a CFO, COO or CMO would not grasp. But the non-technical C-levels have a responsibility, too: to understand what, exactly, the security strategy for their company is and why that strategy is in place. If a CEO or COO doesn't know whether their company could stop a potential attack, they must ask themselves why they don't know, and then they have to seek the answer. As Wisniewski explained to me so well:
Once you are able to separate computer operations from computer security you can begin to get a grip on what the true costs of security are and make better decisions as to the risks and rewards of building and securing new systems, as well as what work must be done to shore up your existing deployments. Depending on the situation, insurance may be appropriate. Larger organizations can mitigate some risks through policy, but this should never be considered a way to buy your way out of doing the right thing.