"When the focus is on compliance, you are not talking about people who are proactive about going out and making themselves more secure. They're just focused on baseline controls," says Kennedy. "Compliance is generally a lagging indicator [of risk]," he says.
The result of that "baseline control" approach is "checkbox security," say Kennedy and Alexander. "It's not pie-in-the-sky to say that compliance should be an output of a security program, not a primary input," says Kennedy.
3. Improve incident response
As we covered previously in Beyond breach prevention: The need for adequate response, the security industry is disproportionately invested in preventative defenses, with precious little spent on the ability to detect and respond to breaches when they occur (and they always do).
"We need a fundamental shift from so much focus on preventative controls to detection and response," says Jay Leek, SVP and CISO at the Blackstone Group. In a recent evaluation of the industry, Leek says, the vast majority of investments, 70 to 80 percent, go toward blocking attacks. "That should shift down to 50 percent," he says, with the other half going to investments that provide visibility into activity on systems and data, and to tools that enable swift and intelligent response.
Why is the industry so heavily geared toward blocking, rather than responding to the inevitable? Most agree it is partly human nature (the belief that one can block danger), partly the vendor community's marketing message that attacks can be blocked, and partly that prevention is an easier sell to business executives. Most regulatory compliance mandates also call for a heavy focus on preventive controls over detection and response. "The ability to respond is absolutely necessary, but it's just not as easy to sell across the board," says Kennedy.
4. Communicating to the business, not at the business
This communication chasm still persists at too many organizations, most agree. Many security professionals still have a hard time elevating the IT security discussion to a level that is relevant to business executives. That's largely because they continue to view themselves as security practitioners, rather than as security professionals participating in the industry in which their organization operates, contends Eric Cowperthwaite, VP, advanced security and strategy at Core Security Inc. and former CISO at Providence Health and Services.
Alexander agrees. "Communication is still a very common problem. There is a challenge for many to explain complex and technical risks in a way that makes sense to a business executive. But that's what we need to do. We need to talk in their terms in order to be persuasive and reach them," she says.