Chief information security officers looking for a way to build credibility with senior executives - and win funding for important projects - need to drop the "just say no" approach and build a reputation as a team player, says Ray Davidson, a professor at the SANS Technology Institute. The institute offers graduate degrees in information security.
One way to do that, Davidson says, is to skillfully handle the bring-your-own-device issue.
CISOs need to look for ways to accommodate staff members' BYOD needs while ensuring security, the professor told me in an interview following a Feb. 25 presentation on leadership skills at RSA Conference 2013 in San Francisco. Rather than saying no to BYOD, CISOs need to tell senior executives: "We can do this, but here's how we need to do it, and if we don't take these precautions, here are the risks and the potential costs."
During his presentation, Davidson noted: "BYOD has been around for years; we're just now acknowledging it. If you get in the way of people, they are still going to do what they think they need to do to get their job done."
And these "work-arounds" could create substantial security risks, he added.
That's why it makes much more sense to carefully craft a BYOD policy.
Winning support for funding of security investments requires credibility, Davidson stressed in his post-presentation comments. "You get credibility by demonstrating that you have subject matter expertise and that you are a team player."
Taking a team player approach - such as by finding ways to accommodate BYOD and other staff requests - makes it easier to win victories when advocating bigger security budgets, Davidson said.
When advocating for more security spending, "Knowing your audience is the most important thing," he said. "You need to be in touch with the goals of the business. How will security enable the business?"
CISOs must take an innovative approach toward portraying the value proposition of security, such as by quantifying the potential cost of a data breach or downtime caused by a hacker attack, Davidson said.
While security isn't a profit center, a lack of security can be a source of significant losses. That's the message that needs to be stressed. And a CISO with credibility will have an attentive audience.
Look for more blogs, interviews and articles from RSA Conference 2013 throughout the week.