I concluded my last column with these words: “When a government CIO looks at the next dollar he or she needs to spend, they need to know whether to spend that on their organizational mission or on IT security. They need help making THAT decision. Exploiting IT vulnerabilities may be cool, but playing defense is a far bigger, and far more difficult job.”
I was reminded of those words and their implications last week as I participated in a government workshop aimed at developing a way to guide government entities and private companies in their cybersecurity journey. As the meetings dragged on, two topics arose at nearly every gathering: the first was that C-level leaders didn’t truly understand and/or appreciate the need for information security; the second was that you had to be able to produce a return on investment (ROI) in order to “sell” security. These issues are related, and both were presaged in my parting words in July.
Let’s tackle the C-suite complaint first. I’ve been around the field of information security for more than 20 years, and that issue never gets resolved. For a long time, many assumed the solution was providing an appropriate education for these obviously uninformed executives. They urged you to schedule multi-hour meetings on CxO calendars to walk them through the world of network security fundamentals, endpoint security, malware, encryption, identity management, access control, etc.
Once you have lectured these clueless functionaries into understanding the “hows” of InfoSec, it is time to tell them how much money they can save by investing in all the best-of-breed technologies and hiring a staff of true experts. To create your supporting ROI, you present one of the myriad dodgy industry reports on the cost of cybercrime and easily “prove” that your security program is really a big money-maker.
So now you supposedly have the perfect storm of tools for a security leader: a list of activities and technologies, accompanied by proof that it is worth every penny. Except the C-suite still doesn’t listen, and still doesn’t pony up to get you everything you claim you need. What happened?
The problem isn’t that executives don’t understand security. They do. They simply speak of it in different terms. They are always looking at the next dollar they need to spend. As a security professional, you need to talk in their terms: risk management, and the implementation of sensible, cost-effective risk mitigation strategies. Buying the latest security technologies is simply table stakes. How you use them to mitigate risk, in concert with your organizational policies and people, defines how closely the executives will listen.
John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.