What would you do if the FBI knocked on your door?
Or maybe you needed to reach out to the FBI because of a breach. Are you prepared for that? What steps are you taking now to either prevent that call or ease the path?
I recently spoke with Leo Taddeo (LinkedIn, Twitter), the CSO of Cryptzone. Leo is the former Special Agent in Charge of the Special Operations/Cyber Division of the FBI's New York Office. In this role, he led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.
Leo is passionate about helping security leaders in industry and law enforcement successfully transition to the digital domain. We shared a conversation packed with insights that benefit security leaders.
One of the challenges seems to be the lack of resources. How can companies assess what they have and determine what they need?
While most of CISOs are facing security challenges due to resource constraints, some are "cursed" by overprovisioned budgets. Not having enough staff or budget presents obvious challenges, but how can having too much be a bad thing? The answer is that the recent recognition of information security deficiencies by some CEOs has led to a cyber security spending spree in many companies. This has saddled CISOs with expensive tools that can't be fully implemented without additional staff, budget, and major modifications to business processes. At the end of the day, the real challenge for CISOs is not to spend more, but to spend wisely on tools that provide real value.
Some CISOs are defining "value" in terms of Return on Investment or "ROI." We can easily determine the "Investment" side of this equation. That's typically the price tag for a new security tool. But I have my doubts about assigning real numbers to "Return" side because we can't accurately measure subjective concepts like risk and impact. In my mind, an ROI approach for cyber security investments is a waste of time because the field is not yet mature enough to measure the probability of an incident, or the potential impact.
As hard as CISO's try, it's hard to convince CEOs and Boards that security expenditures are "investments." Security is no doubt essential, but rarely does it contribute to the company's revenue. In my mind, the better approach is to demonstrate the "value" of security investments. In my view, this requires an enterprise approach. All levels of the leadership team must be engaged, from the CEO, CFO and Board to the CISO and business line leaders. The first order of business for a CISO is to gain top-to-bottom consensus on what constitutes "value" for security investments for the enterprise.
Sign up for CIO Asia eNewsletters.