How CISOs Can Work With Other Execs to Manage Information Security Risks

June 7, 2016 Debbie Zaller

Unfortunately, 2015 saw some seriously damaging information security breaches, including those at major companies and entities like VTech, T-Mobile, the FBI, and even Trump Hotels. The silver lining? At the very least, breaches involving large organizations such as these garner tons of media attention and headline time, which brings awareness to the growing urgency of stronger information security. But security executives like CISOs and CIOs still struggle to see eye-to-eye with non-security executives on the matter.

The two camps have different philosophies about information security. Executives see it as an IT issue, a technology issue, or even an inconvenience, and keep their focus on shareholder returns. CISOs, on the other hand, recognize information security as an organizational issue that deserves the same level of attention (and budget) as financial risk or any other type of risk management.

Middle management is an even tougher crowd to wrangle. Under the weight of constant pressure to get projects done by their deadline and under budget, middle managers look for all possible shortcuts (like not using passwords) and take more risks to ensure their team’s performance meets the expectations of upper-level management.

Despite all signs pointing to the worsening of security breaches, the fact remains that there clearly is a disconnect between middle management, top-level executives, and CISOs—and the problem is becoming increasingly frustrating. Here are some tips on how CISOs can work with other executives to better manage risk:

1. Properly Educate Your Organization

Most executives are fully aware that information security is important, but it’s a vague understanding that doesn’t translate into supportive measures. CISOs can garner greater support by properly educating their organization on what information security costs, as well as how it affects the implementation and deployment of different initiatives. In other words, make the information you provide relatable—like how information security risks directly impact shareholder returns, funding, and regulatory compliance. Education should also include information about security trends and the true risk of insufficient information security.

Sometimes using the FUD approach (fear, uncertainty and doubt) can spark initiative in executives. However, fear of the unknown should not be the driver of how you handle information security risks. Be accurate in the data you present, and keep statistics relevant to your industry.

2. Be Business-Minded

CISOs tend to spend the majority of their time focusing on the latest information security trends and risks. Obviously, this is a good thing. But they should also dedicate time to learning the vocabulary of their organization’s business, and to forming relationships with executives outside of infosec. Learning the business strategies and objectives will help CISOs tie information security risks to the business. For executives to invest in the concerns of a CISO, the CISO must also show investment in the pain points of those executives.

3. Give Executives a Say in Security

Let executives play a part in decisions involving information security. It’s an effective way to get them to connect emotionally with the issue; if they are part of the decision, it’s far more likely that they will follow the resulting rules and procedures and inspire those below them to do the same. One way to accomplish this is by creating an information security governance committee. On this committee, the CISO’s job will primarily be to present different information security issues and risks, and to guide the conversation on possible solutions. Include relevant facts and information about the current state of your organization, and discuss the potential impact security issues may have on the organization at large.

4. Make Security User-Friendly

The harder security makes everyone else’s job, the less likely it is to be adopted. Wherever possible, make security user-friendly. For example, create a single sign-on setup for the network instead of requiring employees to use several very complex passwords. CISOs must work toward their own goals and the goals of their fellow users. Enhancing productivity and efficiency while protecting data is the delicate balancing act they must master.

CISOs already know that without complete adoption by the entire organization, security initiatives are likely to become sitting ducks. But when executives and leaders are on board and advocating for a security initiative, the measure is far more likely to take hold and stick. Take the necessary time to educate, build relationships, and involve executives in decision making. Address some of their concerns in your information security risk management approach, and think in business terms whenever possible.

About the Author

Debbie Zaller

Debbie Zaller is a Principal at Schellman & Company, LLC. Debbie leads the SOC 2 and SOC 3 service line and is also an AICPA SOC Specialist. Debbie has over 15 years of IT attestation experience and currently spearheads Schellman’s SOC 2 practice, where she is responsible for internal training, methodology creation, and quality reporting. Debbie is a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee.
