Such scenarios are not new, said Caroline Wong, CISSP, director of regional product management (risk & compliance) at Symantec. Although CIOs and IT security chiefs have been playing active roles in managing security incidents and compliance regulations, there is need for them to evolve beyond their traditional roles to where "he or she is communication business risks to senior executives," she said. "To have a seat at the executive table, they should be able to talk about IT risks in a way that make sense to stakeholders, to enable the organisation to make decisions about how to manage those risks."
"Forrester did a study commissioned by Symantec, talking to IT security decision makers about how easy or not to talk about risks and how often decision makers find themselves in front of executives. We find that in recent years, the number is increasing -- 70 percent of these security decision makers have to report to boards for audit committee, BODs, other security incidents."
However, many of them struggle in communicating with their business counterparts, she added. "Forrester found that 47 percent would prefer to explain the value of security in business terms or were really having a challenge with it. This is the primary challenge."
She added: "While some CIOs still talk about servers and network devices, others are able to talk about virtual business assets like credit card processing systems, online retail systems and so on. I think the latter CIOs are the ones who are able to have a seat at the table and make decisions, because folks around the table understand what they're talking about."
Wong was previously an information security professional working with eBay. She wrote a book called "A Beginner's Guide to Security Metrics" while working as a certified information systems security professional (CISSP). In the book, she defined an information security program as one that is meant "to protect information and information systems from unauthorised access, use, disclosure, modification, or destruction. Specifically, the three key components of information to protect are its confidentiality, integrity, and availability."
Why security metrics? Because if the CIO or CISO were to be able to move away from "tech speak", the more likely are they to convince their CEO or CFO on what needs to be done and where the direction is going, she said.
Wong elaborated: "Organisations typically go through a maturity curve -- from focussing on compliance regulations to focussing on managing risks. At the lower end, what we're seeing are customers struggling just to meet audit. But at the end of the day, when the audit is done, are they more secure?"
"The next stage is characterised organisations that are beginning to buy point solutions to what they perceive to be the biggest threats," she said. "But they don't have clear, data-driven metrics or any ROI defined. It's simply a perception."
Sign up for CIO Asia eNewsletters.