The Security Scrutinizer with Howard Anderson

CISOs: Building Credibility
Insights on How to Gain Clout

Chief information security officers looking for a way to build credibility with senior executives - and win funding for important projects - need to drop the "just say no" approach and build a reputation as a team player, says Ray Davidson, a professor at the SANS Technology Institute. The institute offers graduate degrees in information security.

One way to do that, Davidson says, is to skillfully handle the bring-your-own-device issue.

CISOs need to look for ways to accommodate staff members' BYOD needs while ensuring security, the professor told me in an interview following a Feb. 25 presentation on leadership skills at RSA Conference 2013 in San Francisco. Rather than saying no to BYOD, CISOs need to tell senior executives: "We can do this, but here's how we need to do it, and if we don't take these precautions, here are the risks and the potential costs."

During his presentation, Davidson noted: "BYOD has been around for years; we're just now acknowledging it. If you get in the way of people, they are still going to do what they think they need to do to get their job done."

And these "work-arounds" could create substantial security risks, he added.

That's why it makes much more sense to carefully craft a BYOD policy.

Winning Support

Winning support for funding of security investments requires credibility, Davidson stressed in his post-presentation comments. "You get credibility by demonstrating that you have subject matter expertise and that you are a team player."

Taking a team player approach - such as by finding ways to accommodate BYOD and other staff requests - makes it easier to win victories when advocating bigger security budgets, Davidson said.

When advocating for more security spending, "Knowing your audience is the most important thing," he said. "You need to be in touch with the goals of the business. How will security enable the business?"

CISOs must take an innovative approach toward portraying the value proposition of security, such as by quantifying the potential cost of a data breach or downtime caused by a hacker attack, Davidson said.

While security isn't a profit center, a lack of security can be a source of significant losses. That's the message that needs to be stressed. And a CISO with credibility will have an attentive audience.

Look for more blogs, interviews and articles from RSA Conference 2013 throughout the week.



About the Author

Howard Anderson
News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.