Most CIOs are not security experts, but in the board room they need to be. Thanks to the CSO, they don't have to go it alone. Behind the scenes, the CSO can help prepare the CIO, offering advice on how to interpret the company's threat levels, boiling down the most relevant information and communicating it, early and often, so the C-suite will pay attention.
"The challenges when you take on the CIO role or an executive role are that you don't think all about security," said Michael Hart, vice president and CIO of Petwell Partners, during a panel discussion at CIO Perspectives Houston last week. "You rely on the CISO."
The panelists, who included IT and security executives, discussed common assumptions about security risks, ways to get your business colleagues to take those risks seriously and best practices to use at your companies.
When preparing for a board presentation or a meeting with C-level executives, the first thing a CIO should do is ask the CSO to bring the conversation about security down to the most basic level and put it into terms that everyone from the most junior employee to the CEO can understand. "You don't want to talk ISO speak. Learn to talk to the business," Hart said. "That's one of the challenges I have, to make sure all lines across the company are from the business perspective."
Next, to set expectations and shape the company's thinking, the CSO should provide context around today's risks and show how they are different from yesterday's challenges. Samuel Sutton, computer scientist at the FBI, Houston Cyber Squad, said the stakes are much higher in today's threat landscape. "It used to be about the single, lonely hacker just getting access," he said. "Now instead of getting access, it's 'how can I turn it into a dollar' -- that changes the ball game."
Armed With Intelligence and Analysis
Another aspect of breaches today is that they are no longer being swept under the rug. "It used to be that the victims suffered this by themselves, isolated and alone," Sutton said. Today, thanks to intelligence, analysis and white papers, victims can educate themselves on how to handle a breach, he added.
Sutton also cautioned CIOs not to rest easy. Instead, assume you will be attacked and focus on the prevention and response plan. "The reality is that there are two networks out there, those that are hacked and those that [you] don't know are hacked," Sutton said.
Executives will likely pay less attention to the fact that there are many prevalent threats and more attention to how those threats could affect their lines of business. To prepare the CIO for that part of the conversation, the CSO should outline the impact of a security breach on the business in terms of hard cost and soft cost. Sutton recommended using examples of soft cost to show how a breach will affect the stock price, the cost of freebies to win customers back or the lag time of hiring a new C-suite executive.