What do executives at RSA, eBay, USAA and Accenture have to say about the top priorities for information security professionals? One key point is this: Building a sense of ownership for security across the enterprise is paramount.
Chief information security officers need to help develop "a deeper ownership across the business of everything that has to do with the security life cycle," says Eddie Schwartz, vice president and CISO at the security firm RSA. Companies need more "advocates for doing things the right way" in all departments, he stresses. Schwartz joined RSA last year shortly after the company experienced a sophisticated advanced-persistent-threat breach.
Gary McAlum, senior vice president and chief security officer at USAA, a financial services firm, portrays the mission as "getting a sense of shared responsibility with our end-users" for security.
McAlum and Schwartz made their comments Feb. 29 in a panel discussion at the RSA Conference in San Francisco. The discussion provided plenty of food for thought for those who lead breach prevention and response efforts at organizations in all industries.
Security specialists generally "don't understand crisis management," Schwartz says. "We're not used to managing that through."
He stresses that CISOs need to make sure their organizations take a multi-disciplinary approach to incident management, involving the legal department, human resources, marketing and senior leadership. "Clarity and honesty of communications has to occur at the most senior level of management," he says.
Dave Cullinane, CISO at eBay, says too many CISOs fail to regularly brief their CEOs on security issues. Cullinane provides regular updates to his CEO, including brief e-mails about security trends in the news. He also writes quarterly reports for the CEO and CFO.
"Annually, I make a presentation to the executive staff," he notes. "We quantify the risk of things efficiently so we can have a discussion of risk tolerance" and then determine the appropriate investment to make, given the current economic situation. An important aspect of those discussions, he stresses, is to consider the return on a security investment in terms of its value in preventing a costly breach.
When discussing security investments with executive leadership, it's important to stress the impact a security incident would have on the company's reputation and brand, McAlum says. "That's what drives it from the top down."
Schwartz calls on security professionals to "step back and say, 'What is it fundamentally that's wrong with security today in organizations like ours?'" He says most organizations, for example, need to "use global threat intelligence more effectively and share information with others." He also notes that companies need to "improve the way we measure the effectiveness of our security programs."
Another significant challenge, McAlum says, is "how do you make security easy and transparent as possible for the end-user?" USAA is conducting research in this arena. "A lot of banks are doing the same thing."
But Bill Phelps, executive director of the cybersecurity practice at the consultancy Accenture, notes that "whatever we do today, technology is advancing quickly enough that a lot of it will be obsolete in a year or two."
Phelps says far more senior executives have top-of-mind awareness of security issues than just a year or two ago. Major breach incidents have led CEOs to have discussions "about the probability and consequences" of breaches. And that's good news, indeed.