One new automobile rolls off the assembly line every 90 seconds. That means an hour of IT downtime results in 40 fewer cars being assembled. "So, they report less cars in inventory to their executives, not IT downtime," Proctor says in an interview with Information Security Media Group. "Their executives don't care about IT downtime; they care about cars."
In the interview, Proctor, chief of research for risk and security at the IT advisory firm:
- Discusses ways to eliminate a "culture of disconnect" in which executives see security as a technical problem that can be handled by IT.
- Addresses his research on how enterprises should rethink their approach to risk management and security.
- Provides tips to the other 70 percent of organizations on how they can develop a more effective, risk-based approach to security.
Proctor, a Gartner vice president and distinguished analyst, helps clients build risk and security programs that are aligned with business needs. His coverage includes risk assessment and governance-regulatory-compliance technologies. His research in risk-adjusted value management is used to help clients integrate risk and corporate performance.
Getting CISO, CEO to Talk Same Language
ERIC CHABROW: Is IT security a business enabler or does it obstruct business activities?
PAUL PROCTOR: We actually started going down this path about five or six years ago, where I got tired of hearing the phrase, "business alignment." I actually went out to seek an answer as to how organizations successfully do business alignment. One of the outcomes of that was that we've built some methodologies around integrating risk and corporate performance, and I've had a lot of exposure to our clients that are trying to rebuild their security programs around doing that successfully.
In fact, I've developed this ration that I call the 70 and the 30. The 70 percent sort of take a traditional approach to security where they are very reactive. Every answer is a new technology and they're very reactive to things. The 30 percent are more risk-based. They are in fact, interested rather in being the defenders of the organization or the facilitators of that balance between the needs to protect and the needs to run the business. One of the things that we've seen is that there is a whole bunch of changes coming right now to organizations particularly driven around things like cloud, mobile and social, but that's really just the beginning. Whole business models are changing. And as a result of that, the security officer, the risk officer role, it's all changing. The 70 percent are going to have to step up, and the 30 percent are the ones that are sort of ready to take this on.
CHABROW: How do the 70 percent step up?
PROCTOR: Well I mean its development of the new skills. We used to talk about very simple things, like the ability to communicate better, the ability to understand your business. As I'm fond of saying, you don't have to go to business school to do better with this, but you do in fact need to understand more about your business. That's where a lot of the 70 percent fail. If you take the average security officer and ask them to describe what the desired business outcomes of their organization are, they can't do it. Now you can tell you've got somebody in the 30 percent because they can do that immediately. Some of the challenges and skills that they need to develop, in addition to understanding their own business, is being able to connect the actual impacts of various security, say the threat of security failures to business failures.
We see this activity where they do what I call bottom-up, where they say:
- "Well if we don't patch vulnerabilities then that's going to be bad for our business."
"Well, it's going to be bad."
"Okay, what's going to happen?"
"Well, it's going to affect our profitability."
They are not able to actually explain the linkages between things like good patching and how it fixes the organization. I would say those are the types of things that we're seeing. That and us getting at some of the bad behaviors, like getting out of being reactive, being more process oriented and proactive. Stopping behaviors like walking around scaring people. Everybody knows that isn't effective, and yet it's rampant throughout the 70 percent.
Enablement Through Security
CHABROW: Is IT security more than just semantics that now we're talking about enablement through security?
PROCTOR: No the whole enablement thing is it's not at all semantics. In fact, I would say there is a bright line between trying to protect the organization and constantly trying to lower risk versus when you start to balance and can actually be an enabler. One of my favorite examples of this is there is a car company in Europe. They have an assembly line where a car rolls out every 90 seconds. An hour of downtime caused by IT on the assembly line is 40 lost cars of inventory. They report lost cars of inventory to their executives, not IT downtime, because their executives don't care about IT downtime, they care about cars. Now the interesting thing about this example is, so how is security an enabler? Well if I'm reporting lost inventory for them, we're now talking about a business problem that in the background is below the line in IT operations, there are a number of things that need to be fixed there. But we are now enabling the business to be more efficient, to increase output and as a result of that increase profit. So it is possible to actually produce things that do in fact enable the business.
CHABROW: What do CEOs need to do?
PROCTOR: I talk about a cultural disconnect with most executives today where they believe that this is a technical problem handled by technical people buried in IT. If there is a failure, well then we must have hired the wrong people, and that's not really the way it works. The way to address this disconnect is first of all, stop acting in that way because every time you try to scare budget out of them, it reinforces this idea that it is in fact a technical problem. I do a lot of review of board presentations for our clients and if you can successfully help them to understand where they fit in the governance pyramid, it will impact things like investment decisions. It will allow them to give the resources necessary to the security people to be successful. But it starts with the security people helping deliver that message, because other than certain well-known failures that are in the news constantly, and whatever they are this year doesn't matter, there will be new ones next year.
Executives always have a reason to pay attention to this problem, but until you bridge that disconnect they're always going to have the same answer. Yeah, something went wrong, let's do a huge investment, a huge infusion of cash. And then as I like to say, security officers like to run around and buy that DLP (data loss prevention) system that they've been trying to get for three years and now is their opportunity. That's not really the best behavior. What you want to do is institutionalize better practice, and executives need to understand that they significantly influence the decision-making around whether there is appropriate balance going on in the organization. I mean the bottom line is, if you're going to create that balance, it should not be IT and security people making the decision as to how much investment and what the right thing to do is. That actually needs to be in the hands of the executive.
Getting Executives to Listen
CHABROW: Is there any way to get executives to listen to you if you're a chief information security offcer or chief risk officer?
PROCTOR: Start talking in a language that matters to them. One of the best characteristics of a successful metric is one that influences the decision-making of an audience that you're trying to communicate with. Which means that if you want a metric that is going to influence a CEO, you'd better give them something that actually influences their decision-making. Problem is, most security officers don't even know what decisions their CEO makes every day. So how on earth are they ever going to deliver anything relevant to them?
CHABROW: Isn't it the CISO, CIO or the CRO's job to put security into the language that the executives understand?
PROCTOR: Over time, culture will change and CEOs and executives will start to understand this better. We're starting to see this with IT in general. It's been a long road, but over the last 10 years executives are starting to understand IT isn't just the computers people run. They are slowly starting to come to realize that security is not just the people running the firewalls and that's their problem. We still have a long road in front of us, but right now 98 percent of that responsibility is on the security officers changing their behavior to open the door for executives to start understanding better their responsibility.
CHABROW: Is the Target breach a wake-up call for CEOs or is it just more clutter that they're hearing or something they don't think could happen to them?
PROCTOR: Well a little bit of both. That is what I meant earlier when I said that whatever you're seeing in the press now, it doesn't matter what it is this year because they will have new things to look at next year. I mean, this is going to be a never-ending cycle. That will always wake up executives, but in the end sort of focusing on the headlines doesn't really benefit them because you don't control the threats. You don't control the things, the very same things, like the hackers who go in and attack a company. What you do control is your readiness. That's a great place to focus their attention, are we appropriately prepared for this? But the headlines are a great way to get their attention. Now when you get their attention you have to do something useful with it.