The challenge in selling security

CSOs say they have a hard time getting their ideas accepted from the board level on down.

CSOs acknowledge facing a challenge in getting their ideas accepted from the board level on down. This is despite a general recognition by organizations today that better security and risk management are needed to protect company data.

First in a four-part series on the toughest security issues affecting the enterprise.

The job title on your business card might read CSO or CISO, but that may count for less than expected in having your ideas on network security accepted by the rest of the organization.

"We have a problem in our industry that the typical CISO is not 'chief' of anything," says Jon Gossels, president of System-Experts, a Sudbury, Mass., consultancy specializing in network security. "The CISO is mainly an overpromoted technologist."

While CSOs surely aren't seen that way everywhere, they do acknowledge facing a challenge in getting their ideas accepted from the board level on down. This is despite a general recognition by organizations today that better security and risk management are needed to protect company data, and adhere to new government and industry rules.

This topic will be among those on the agenda at The Security Standard summit, an IDG Executive Forum being held Sept. 6 and 7 in Boston.

Paul Simmonds, CISO at ICI, the U.K.-based paints and specialty chemicals supplier, contends that you can win the battle at the corporate board level for investment in security projects by methodically assessing the corporate security posture and proposing improvements in financial terms.

"Return on investment and board communications have to be argued in money," Simmonds notes. "It costs us this much not to do it, this much for solution A with these risks and benefits, this much for solution B with these risks and benefits, etc."

He adds that many security managers "have no formal business training; they typically came via the IT route," and thus may not be well prepared to speak in financial terms. Or they don't find ways to measure security to have the hard numbers to make the ROI case.

Consultants suggest starting with some known ways to quantitatively measure how the organization is doing in terms of its security.

Tom Walsh, a consultant in Overland Park, Kan., recommends CISOs refer to the National Institute of Standards and Technology's (NIST) "Risk Management Guide for Information Technology Systems."

This document is also known as NIST Special Publication 800-30. It's a great framework for analyzing system characteristics in hardware, software, network equipment and mobile devices in order to determine a "risk score," Walsh says.

"Everything is risk-based or compliance-based," he says. "Risks are rated by likelihood and impact."

The purpose of this risk analysis is to inform business managers "and help them make that business decision," Walsh says. "Give them choices, costs and risks. It's a step we all tend to miss."

When there are hundreds of applications in an enterprise, the problem can be determining ownership of the system.

"Once you know what the data owners want from you, you can put together a budget," Walsh says. "Security is a business. We have to run it like a business. Unfortunately, most of us come from an IT background."

At SystemExperts, Gossels also favors standards as a basis for review. But his favorite is British Standard 7799, adopted as the international ISO standard 17799, as a baseline for defining security within the organization.

"There are 11 topics contained in the standard, which is more about process than controls and whether there are appropriate policies in place," Gossels says. "The CSO can present this to management and say, 'Here's how we measure up, and here's where we need to invest.' "

BS7799/ISO17799 can be a basis for certification through a specialized audit. Certification has gained more acceptance outside the United States, Gossels notes, adding the main advantage in defining enterprise security through the standard is that it's a well-respected framework internationally.

ICI's Simmonds says the BS/ISO standard "helps get the good practice in place that will allow you to gather the information."

He says the drawback to the NIST standard is that it's not recognized outside the United States.

Simmonds recommends that CSOs and CISOs avoid droning on about the standards when approaching senior management for funding in security. Otherwise, you run the risk that "their eyes glaze over," he says.

Andre Gold, director of information security at Continental, agrees with Simmonds that trying to discuss BS7799/ISO17799 or the NIST standard to upper management is probably a thankless endeavor.

Instead, a bit of artful psychology is needed in discussing security technology with upper management. "Instead of communicating security, what you communicate is how security can enable the business, make the business process more efficient, or safeguard the business," he says.

When bringing up the topic of VPNs, he doesn't discuss the technology per se, but describes the effect of using it.

"For example, by leveraging business-to-business VPN tunnels across the Internet, organizations can reduce telecom costs, ensure the integrity of the data exchanged and gain efficiencies by leveraging existing infrastructure," Gold says.

He advocates expressing security concepts in what he calls "referential business blocks" that upper management can easily understand, but which also form the basis for a security-deployment framework.

Learn more about this topic

CSOs exchange ideas

06/28/05

Oracle's security chief lambastes faulty coding

05/25/06

Thomson CSO gives network security lowdown

12/13/05

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies