There will be increasingly heated discussions among board members about whether they are wasting the money they are spending on security and why, says Demopoulos; they will ask whether they are spending on the right solutions for security.
The thing that will make board members most livid is when the organization uncovers a breach and no one can tell them when it started. "I think that's going to cause a lot of yelling and shouting, not that they've been breached, not that somebody's been in a critical system with some critical assets of theirs, but they won't know when it happened," says Demopoulos.
In response, board members will continue to seek metrics to measure, then minimize the risks of information security breaches rather than get into the technical details, because they are not technical people. "If you tell them what caused these continued breaches, I don't think many of them will understand the answers," says Cole.
Executives speak the language of dollars, cents, and risk while security experts speak a different language. They don't understand each other. "I've seen CSOs give a 45-minute presentation to the board of directors about security, and five minutes into it, attendees are pulling out their phones, they're doing something else, and the CSO has totally lost the audience because they weren't speaking to them in their language," says Cole.
What should happen
"Most big companies / stores purchased more security products such as next-generation firewalls and state-of-the-art IPSs. My concern is that many of them don't have the proper structure or foundation for security in place," says Cole. Rather than a quick fix with all these products, companies need to first build the proper foundation.
There are four foundational responsibilities that companies must address; these responsibilities include asset identification, configuration management, change control, and data discovery. Many organizations have no idea what someone has plugged into their networks. They don't know how people have configured these assets. They don't manage change, and they don't know where their critical data is located. "If you fail in those four areas, you can spend $50M on security products, and it's not going to help you because the underlying vulnerabilities that create risk are still there," says Cole.
Executives are not going to learn technology, which means technical people need to learn how to speak the executive language. "You need a security officer who is bilingual, who can convert the technology into the business language and present it with business metrics so the executives can make the right decisions about security moving forward," says Cole.
Companies should be looking for CSOs who can report directly to the executive team, people who can speak their language. "Today, most CSOs are buried under the CIO and are technical positions rather than business positions. Their communications never make it up to the executives," says Cole.
Sign up for CIO Asia eNewsletters.