Dealing with business and executive managers has been a persistent occupational hazard for security professionals. Business managers didn’t want policy enforcement to get in the way of business productivity. CEOs and CFOs tended to eschew “good security” for “good enough security.” The biggest role they played here was that of budget cutter.
This minimalist attitude toward cyber security appears to be changing. According to ESG research, 29% of security professionals working at enterprise organizations (i.e. more than 1,000 employees) say that executive management is, “much more engaged with information security situational awareness and strategy,” than a year ago while another 40% of enterprise security professionals say that executive management is, “somewhat more engaged with information security situational awareness and strategy,” than a year ago.
Why the change? CEOs are reading about cybersecurity incidents in the Wall Street Journal and watching the share prices of breached companies plummet. The Operation Aurora attack on Google, disclosed in 2010, and the subsequent wave of APTs were also a wake-up call for business mucky-mucks that nation states and competitors may be stealing their intellectual property from under their noses. Whether they like it or not, CEOs now realize that they have skin in the cybersecurity game, so they had better be prepared.
Okay, so the good news is that the suits on mahogany row are finally paying attention. Here is a short list of what this means to the information security community:
1. CISOs need to work on their business chops. Security executives will be called upon to brief executives and boards more frequently. This means that they have to communicate in business rather than technical terms. Yes, IT risk is a key topic here but CISOs should also think about industry risk, business process risk, cyber supply chain risk, etc. This may lead to a bifurcation of the CISO role with one business security officer and another chief security technology officer.
2. CISOs should engage business executives to focus on the right metrics. First of all, executive managers will need to be educated. Not on firewalls and IPSs but on overall threats, vulnerabilities, controls, and security oversight. These concepts should then be presented in an industry, company, and critical business process context. Only then can CEOs and CISOs define budgets, priorities, and critical metrics.
3. Security dashboards will need to accommodate a business view. As we rapidly move to continuous monitoring, some of the reports, graphics and metrics should be tailored to a business rather than technology role.
4. Security technology will emulate the Business Service Management (BSM) space. Companies like BMC, CA, Compuware, HP, and IBM used to provide software around network equipment alerts and traffic monitoring. This all changed when they started monitoring end-to-end performance of business systems. This will happen with security as well. The business manager responsible for online banking will want to understand risks across the whole enchilada of customer-facing applications and infrastructure, not just the firewalls that act as a geeky perimeter guard.
5. Vendors who straddle business and technology systems have the best opportunity ahead. This includes business consultants, system integrators, and enterprise technology providers. I can easily see the highly skilled but wonky government integrators like Boeing, Booz Allen, Lockheed-Martin, Raytheon, and SAIC pushing more into the commercial sector. It wouldn’t surprise me if companies like Oracle and SAP jumped in as well.
Security is hard and getting harder. I’m glad executives are paying more attention but they may not like it when they find out that their security infrastructure was built on a shoestring budget and they are ill-prepared for today’s threats. The year 2013 is likely to be a nail-biter.