Even with the greater awareness of the need for strong security within organizations—and the high-profile hacks that have contributed to that increased awareness—security executives still encounter significant hurdles in doing their jobs to protect data and systems.
Clashes with senior business executives, as well as with staff at lower levels of the organization, make it harder for CSOs and CISOs to create a secure environment, yet such clashes continue to happen.
Many of the conflicts that occur between security and business executives are due to ongoing philosophical differences regarding risk, says Dave Dalva, vice president at Stroz Friedberg, who has worked in the position of CISO for a number of clients.
“In my experience, the number one issue is cultural conflicts,” Dalva says. “Senior executives including the board of directors very often continue to see information security or risk management as an IT problem—or worse as a technology problem—as opposed to a business problem.”
Many business leaders don’t understand or acknowledge that they need to manage security risks the same way they manage financial risks, and give security the high priority and funding it warrants, Dalva says.
“Security, to some extent, is frequently at odds with senior leadership teams,” adds David Barton, CISO at security technology provider Websense. “Managing risk and protecting the brand are not always top of mind for executives, and rightly so, as they are focused on shareholder returns.”
The challenge for the CISO is to help senior executives understand that shareholder returns are directly tied to protecting the brand and managing the risk to the business, Barton says.
This means educating the CEO, CFO, other senior business leaders and the board about the true risks of insufficient security. “They need to realize it’s an enterprise risk problem,” not an IT problem, Dalva says. “Once they do, it’s much easier to establish and enforce policies and procedures that are appropriate for that organization.”
The high-profile hacks in recent months have certainly helped bring cyber security to the forefront, but more work is needed, Dalva says.
Other conflicts come from the age-old struggle between usability and security. “I’ve been involved in information security for nearly 30 years and I’ve seen this many times, where a senior executive sees security as an inconvenience,” Dalva says.
“When senior executives perceive that a security program will make their computing experience [more difficult], it’s often hard to overcome that perception,” Dalva says. “This perception makes the security executive’s job tough, and it makes it more challenging for security teams to address risk across the enterprise. However, the security team is still expected to keep the enterprise secure.”
One CISO who did not want to be identified relates that during a routine audit his team discovered that all accounts in the organization were compliant with its password policy except one—the CEO’s.