BreachExchange mailing list archives

The Business of Security Is Business


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 24 Dec 2014 20:10:41 -0700

http://www.wired.com/2014/12/the-business-of-security-is-business/

Today’s security landscape feels more like a James Bond movie than normal
life. International intrigue is now a standard equation for any large-scale
cyber-attack, as we’ve seen recently with the Sony breach and the potential
for North Korea being behind it all. Events like this are great fodder for
politicos and make for glib and gossipy water cooler talk about the latest
celebrity leaks, but they obscure the real dangers just beneath the
surface. What if skilled, persistent attackers targeted critical
infrastructure like the water supply or electric grid, rather than a
Hollywood studio pushing a silly movie? What if they targeted your business?

With many calling 2014 the year of the data breach, corporate security
teams are on notice. They face a wide range of threat actors, from
nation-state cyber espionage to highly skilled patient attackers for hire,
down to home gamers and nuisance attackers.

Corporate IT and security teams are feeling the pressure of this dynamic
threat landscape. They know they’re being targeted and that they are
vulnerable. A CISO's challenge today is incredibly difficult. Two monumental
structural changes, mobility and cloud computing, have transformed their
networks from well-defined and protected “walled gardens” to distributed
collections of third-party partners, with varying degrees of security
capabilities. Today, essentially, the Internet is the corporate network.

According to recent research by PwC, the number of reported security
incidents around the globe has risen 48 per cent in the last year. However,
what is more worrying is that less than 17 per cent of businesses globally
are fully prepared for an online security incident according to research by
the Economist Intelligence Unit (EIU) sponsored by Arbor Networks.

This comes at a time when executive and board-level awareness of these
threats is already pronounced. If the CISO is unable to communicate in
terms the executive team and board understand, then they don’t get the
appropriate level of support that is needed. This executive and board-level
awareness of the threat landscape means CISOs have an opportunity to
champion their own role as risk managers and defenders of the business. If
CISOs are to deliver an understandable call to action and gain the
credibility to push their strategic plans, they need to deploy a range of
tactics to make their voices heard including:

Make security relevant for management: The CISO must communicate threats in
a way that the leadership team understands. This is a tremendous
opportunity for the CISO to position his/her role as beyond technology, but
to the broader role of corporate risk management.

Know your audience: If you get time with the CFO and talk botnets, you’re
likely to see their eyes glaze over faster than you can say Distributed
Denial of Service (DDoS). The primary message a CISO needs to convey is the
threat that attacks of any kind pose in terms of lost revenue, reduced
productivity and damage to the brand. A Chief Legal Officer will be
interested in the regulatory and compliance aspects of a breach. Know your
audience and tailor the message accordingly.

Specific examples: As the kids say these days, keep it real. Make the key
points relevant to your specific organization. Senior executives have
little interest in theories or hypotheses. They are very interested in case
studies, examinations of their business, and understanding the potential
impact that these attacks can have on their business plans, financial goals
or standing with regulators.

Without the proper level of understanding and buy-in from the executives
and Board, this is a recipe for disaster for the CISO and the
organization. Today’s effective CISO is a business-person first, a
communicator second and technologist third. This is a fundamental
transformation that is taking place in organizations around the world.
Those that succeed will be able to work with the executives and Board in a
way that is meaningful and that ensures support and funding required to
protect the business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
