Are you the Dr. No of your company, always with security-related reasons for stopping or slowing down projects?
When you meet with management, is it to ask for more money for security or else horrible things will happen? If so, do you say it like, "one meeeeellion dollars" while petting a white cat? You do know that one million dollars will hardly make a dent in the problem. Better make it, "one beeeeellion dollars."
(Yes, I know it was Dr. Evil who made "one meeeellion dollars" a catchphrase, but it was Dr. No who said it first.)
And when you're not going around telling people to stop doing what they want, or asking for money, are you delivering bad news about breaches?
"I was the least invited person to meetings," recalls Adam Bly, who, before founding his own security company, San Francisco-based Bluebox Security, used to manage security, risk and compliance at companies like TiVo and Walt Disney.
"I would say 'no' to a lot of things because there was risk and I didn't have a solution," he said.
But some security executives are redefining their roles to become people who say "yes," and restructuring their departments around becoming enablers of business.
Here are some of the ways they're doing it.
Eliminate spam and phishing emails
Hartford, Conn.-based insurance giant Aetna recently switched to DMARC (Domain-based Message Authentication, Reporting and Conformance) email authentication.
"It authenticates all our emails to the Internet service providers," said Aetna CISO Jim Routh. "That's 65 million spam and phishing emails that they're not receiving."
Consumers benefit from reduced risk and Aetna benefits from having lower costs due to not having to deal with phishing-related issues, he said. And it's even helping bring in new business.
"The security department led the initiative with marketing," Routh said. "Traditionally, they don't get along. But at Aetna, we do. Now it's a feature in sales calls with employers who are choosing Aetna to provide benefits to their employees."
In fact, Aetna was the only health care company to receive a perfect 100 percent score last year in a survey by Agari, an email security company. The other 13 health care companies all scored "vulnerable" or below, with an average security score of 17 percent. According to Agari, an email that says it's from a typical health insurance company is four times more likely to be a fake than one that claims to be from a social media company.
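The mechanism behind the Aetna numbers is worth seeing concretely: a receiving mail provider looks up the DMARC policy published by the domain in the visible From header, checks whether SPF or DKIM authenticated a domain that aligns with it, and otherwise applies the published disposition (none, quarantine or reject). The following is an added illustration, not code from the article or from Aetna, Agari or any vendor named here. It parses a DMARC TXT record and evaluates alignment for a message; the record text, the authentication results and the domain names (example.com, a reserved documentation domain) are all constructed inputs, and the organizational-domain rule is a deliberate simplification (real receivers consult the Public Suffix List).

```python
"""Added example: parse a DMARC record and evaluate a message the way a
receiving mail server would. All inputs below are constructed for illustration;
DNS lookup and SPF/DKIM verification are assumed to have happened already."""
from dataclasses import dataclass

# Constructed sample record (assumption): strict DKIM alignment, relaxed SPF,
# reject failures from the main domain, quarantine failures from subdomains.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "pct=100; rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("record must carry a valid policy tag p=")
    tags.setdefault("adkim", "r")   # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption;
    production code uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResult:
    header_from: str          # domain in the From header, what the recipient sees
    spf_pass: bool = False
    spf_domain: str = ""      # domain SPF authenticated (MAIL FROM)
    dkim_pass: bool = False
    dkim_domain: str = ""     # d= of a DKIM signature that verified


def evaluate(record: str, record_domain: str, r: AuthResult) -> str:
    """Return 'pass', or the disposition the receiver should apply."""
    policy = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.header_from, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.header_from, r.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A failing message from a subdomain gets the sp= policy, not p=.
    is_subdomain = (r.header_from.lower() != record_domain.lower()
                    and r.header_from.lower().endswith("." + record_domain.lower()))
    return policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    genuine = AuthResult("example.com", spf_pass=True, spf_domain="bounce.example.com")
    forged = AuthResult("example.com", spf_pass=True, spf_domain="some-other-host.invalid")
    print("genuine:", evaluate(SAMPLE_RECORD, "example.com", genuine))
    print("forged: ", evaluate(SAMPLE_RECORD, "example.com", forged))
```

The second case is the one that matters for Routh's figure: a message that passes SPF for whatever domain actually sent it still fails DMARC because that domain does not align with the From header, so the provider rejects it before the customer ever sees it. The aggregate reports sent to the rua= address are how the security team sees those rejections and confirms that legitimate senders (marketing platforms included) are correctly aligned before moving from p=none to p=reject.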
Adopt cloud gateways
CSOs are typically well-aware of the problems with cloud applications.
"They expose organizations to security risks such as sensitive data leakage, unauthorized privilege escalation, denial of service, and so forth," said Nir Valtman, CISO at Duluth, Georgia-based NCR Corp.