Rahmani, the former CEO of computer security provider Damballa, says many of these leaders hadn't considered information as a critical enterprise asset until publicity surrounding the Target breach and other breaches surfaced. She says: "They now are trying to work out, in conjunction with the technical team: What are our assets? What do they look like? Where are we at risk?"
Rahmani explains in a joint interview with Harkins: "What they're trying to do now is really understand what are those assets, interpreted not as bytes, but in terms of the value to the business. Then, I can start thinking about who might want those assets and how they would try to go after them. And, until you've done that, you haven't even got the capability to start thinking how might I protect them."
Harkins, chief security and privacy officer for chipmaker Intel, says CISOs and other IT security leaders should avoid technical lingo when explaining to top executives and board members the vulnerabilities their organizations face.
"When you start talking about BIOS and firmware and drivers and your network infrastructure and that level of technical depth, if you're a business leader who is not in the technology space, you might not know what those words are," Harkins says. "You have to use different ways of communicating with that senior-level audience to say there is a technical vulnerability in this particular product. The specific aspects of what it is aren't relevant, but if exploited, here's what that means in terms of impact to the enterprise."
In the interview, Rahmani and Harkins also:
- Explain how information risk can be incorporated into the overall risk management function of the board;
- Provide examples of how to put technical risk challenges into business terms; and
- Discuss the appropriateness of board members bypassing the chief executive to speak directly with the CISO.
Rahmani is a corporate board member, consultant and start-up adviser. From 2009 through 2013, she served as chief executive of Damballa, a computer security company focused on malware, advanced persistent threats and targeted attacks. For more than 30 years, she served in various executive positions at IBM, with her last assignment as general manager of IBM Internet Security Systems.
Harkins is an Intel vice president. Before becoming Intel's first chief security and privacy officer, he served as its CISO. Harkins also previously held roles in finance, procurement and various business operations. He has managed IT benchmarking efforts and Sarbanes-Oxley systems compliance efforts.