A Security Chief Speaks
IN ORDER TO GET THE MOST FROM A security budget, security managers need to do more than assess emerging threats and evaluate the latest technology to meet these threats. Security practitioners also need to know the business, so they can pinpoint how those threats directly relate to their organizations’ well-being, says Andre Gold, head of technology risk management at ING U.S. Financial Services.
“I think that’s an area where we as CISOs have trouble,” he says. “We sometimes look at where the industry is going and what the newer technology is going to be without focusing on where our own firms and our verticals are going. If we focus on our business, the technology will take care of itself, but if we let technology drive our strategy, then we always get into cyclical conversations about the return on investment, and we continually have to explain the value of the spending.”
Lining up security priorities with business priorities will curry favor with the C-suite and will often result in freed-up dollars to get the necessary projects under way.
Gold recently implemented data-leak prevention to provide ample protection for a number of business-side initiatives. At the top of that list was growth through acquisitions. The type of high-profile deals the firm aims to carry out could be jeopardized if an employee leaked information before an acquisition went through. That’s a threat Gold saw firsthand at his previous job as CISO of Continental Airlines.
“There was a rumor during my tenure that there was a slight chance Continental would buy Delta Airlines,” he says. “Word got out that we had assembled a mergers and acquisitions team to handle it, and then information leaked that Continental was actually getting ready to do this. Share prices at Delta went through the roof, so the acquisition never occurred.” —E.C.
problem,” Bhatt says. “If these things are well-documented, you
can remind them that you talked with them about the risk.”
COMMUNICATION IS KEY
Clearly, in order to get past the purse-holders, security has
to do a better job of communicating with business executives on their terms. “If executive management and business
decision-makers are not with you on this, your efforts will not
be successful,” Bhatt cautions.
He and many other security experts believe that the better
IT executives are at communicating with executives and educating them about security issues, the more funding will be
released for essential projects.
“Security pros are being pushed to be knowledgeable about
the business, as well as having a good grasp of technology,” says
Zeitler of (ISC)². “The security function is moving more into
the business realm because the risk is to the business.”
This requires an understanding of how IT risks affect business and explaining it to stakeholders in a nontechnical way.
“The best advice I give is not to be a geek, because that is the
kiss of death,” says Howard Schmidt, founder of R&H Security
Consulting. “For the most part, executives want to hear about
the risk to the business and about mitigation. They want to
know what similar organizations are doing and how they are
doing in the scheme of things.”
Benchmarking to other organizations’ practices lends
credibility to IT’s recommendations. “You’re never a prophet
in your own land,” Schmidt says. “Some CISOs will bring in
an outside expert to tell executives exactly the same things
they’ve been explaining until they’re blue in the face. Then, all
of a sudden, it makes sense to the executives.”
Please send questions and comments on this
article to editors@baselinemag.com.
[Chart: LOSSES IN 2007 DUE TO IT SECURITY INCIDENTS. Incident categories, ranked by average 2007 loss: network-based theft of data/intellectual property/customer data; noncompliance with security regulations; infection of company’s computers with malware; physical theft of company’s computers/storage/portable media; disturbance of company’s Web sites. Loss bands shown per category: less than $24,000; $24,000-$99,000; $100K-$999K; $1.0 million-$24.9 million; $25 million or more. Per-band percentages not recoverable from the extracted text.]
[Chart: TOP TECHNOLOGIES THAT REDUCED SECURITY LOSSES IN 2007. Technologies listed in ranked order: firewalls; anti-virus software; e-mail security; anti-spyware software; patch management; intrusion detection/prevention software; SSL virtual private networks; security auditing; encryption for transmitting data & documents; Web filtering; encryption for storing data & documents; wireless security; IPsec virtual private networks; database security (monitoring, encryption); Web access control; configuration management; endpoint security applications/solutions. Percentages ranged from 20% down to 4% but cannot be reliably matched to individual entries in the extracted text.]