Andrew Wild, CSO of Qualys, answers a few questions about how Chief Security Officers can improve their acceptance into the C-suite.
The Enterprisers Project (TEP): Are CSOs and CISOs gaining acceptance in the C-suite? (and is there a difference between those two titles?)
Wild: I do believe that the role of security chief, regardless of the specific title, is gaining acceptance in the C-suite; however, it is still true in many organizations that the security leadership depends upon the CIO for exposure and access to the C-suite and board. As to the difference between the role of CSO and CISO, in my experience, these terms are often used interchangeably, although some organizations have both a CSO and a CISO. In those cases, the CSO may be responsible for physical security as well as information security, and the CISO may report to the CSO. Organizations that combine the responsibilities for physical security and information security are said to have a “converged security organization.”
TEP: Are corporate leaders more open to learning about security than they once were?
Wild: I do believe that the amount of influence and role of the security chief is rising as information security continues to gain attention at the board level as a component of an enterprise risk management program. There are several reasons why interest in information security is rising, but the two main reasons are the SEC’s continued guidance about disclosing material information about information security events, and the never-ending headlines about data breaches. Both of these are viewed at the board level as risks that should be managed, and they are driving changes in how organizations manage and implement information security. As a consequence, the C-suite is more aware of and focused on information security in many organizations.
TEP: Does the increased interest level mean information security chiefs need to change how they do things?
Wild: The board-level interest requires a risk-based approach, and infosec leaders must embrace this and move away from a security-controls-focused approach to information security. That’s not to say that security controls aren’t important, because they are, but, from the top down, the focus needs to be on risk management. A critical component of implementing a successful risk-based approach is building strong relationships with business units, approaching them in a consultative manner to offer assistance and guidance.
The migration from a security controls-based approach towards a risk-based approach can be a difficult transition. One step in this process may be re-evaluating all existing security controls to identify the risks the controls are designed to mitigate, and evaluate their effectiveness and cost efficiency against the potential loss exposure associated with the risk. In the long run, though, having the security controls mapped to the risks they are designed to mitigate can bring more transparency and understanding to the information security budget.
Another important point about moving towards a risk-based approach is determining who “owns” the risk. Ideally, the business unit that owns the project, process, solution or product will own all of the identified risks associated with it. This is where the security chief’s influence and consultative skills come into play; the security chief will provide guidance and direction about how the information security risks can be mitigated or reduced through the use of controls. The security organization may end up owning the implementation of the security controls selected to mitigate the risk, but fundamentally, the risk itself is owned by the business.
TEP: What are the biggest stumbling blocks for CSOs/CISOs when dealing with the C-suite?
Wild: Many security chiefs try to communicate with the C-suite and board using information security terms, as opposed to what the C-suite and board really want to know, which is: “Are we managing risks adequately?” Security chiefs often present detailed charts with metrics explaining the effectiveness of security controls. While that can be a component of the message, the real content should focus on the risks themselves and not on the security controls. Communicating with the board and C-suite about risks is part of the transition I mentioned earlier from a security-controls-focused program to a risk-based program. The C-suite and board need to understand how well the organization’s risk management program is functioning, and a chart that indicates how many malware incidents were identified and remediated over time may not be the right metric to share. Instead, provide information about the effectiveness of the processes through which risks are identified. Explain how risks are measured, qualified, or quantified. Describe the processes for identifying and implementing effective controls for risks, and for periodically assessing how effective these controls are.
Andrew Wild is CSO of Qualys, which provides network and cloud security, and legal compliance software.