Overcoming stubborn execs for security sake
Clashes with senior business executives as well as those at lower levels of organizations make it more challenging for CSOs and CISOs to create a secure environment, and yet they continue to happen.
Many of the conflicts that occur between security and business executives are due to ongoing philosophical differences regarding risk, says Dave Dalva, vice president at Stroz Friedberg, who has worked in the position of CISO for a number of clients.
“In my experience, the number one issue is cultural conflicts,” Dalva says. “Senior executives including the board of directors very often continue to see information security or risk management as an IT problem—or worse as a technology problem—as opposed to a business problem.”
Many business leaders don’t understand or acknowledge that they need to manage security risks the same way they manage financial risks, and give security the high priority and funding it warrants, Dalva says.
“Security, to some extent, is frequently at odds with senior leadership teams,” adds David Barton, CISO at security technology provider Websense. “Managing risk and protecting the brand are not always top of mind for executives, and rightly so, as they are focused on shareholder returns.”
David Barton, CISO at security technology provider Websense
The challenge for the CISO is to help senior executives understand that shareholder returns are directly tied to protecting the brand and managing the risk to the business, Barton says.
This means educating the CEO, CFO, other senior business leaders and the board about the true risks of insufficient security. “They need to realize it’s an enterprise risk problem,” not an IT problem, Dalva says. “Once they do, it’s much easier to establish and enforce policies and procedures that are appropriate for that organization.”
The high-profile hacks in recent months have certainly helped bring cyber security to the forefront, but more work is needed, Dalva says.
Other conflicts come from the age-old struggle between usability and security. “I’ve been involved in information security for nearly 30 years and I’ve seen this many times, where a senior executive sees security as an inconvenience,” Dalva says.
“When senior executives perceive that a security program will make their computing experience [more difficult], it’s often hard to overcome that perception,” Dalva says. “This perception makes the security executive’s job tough, and it makes it more challenging for security teams to address risk across the enterprise. However, the security team is still expected to keep the enterprise secure.”
One CISO who did not want to be identified relates that during a routine audit his team discovered that all accounts in the organization were compliant with its password policy except one—the CEO’s.
“I walked into his office and painted a picture of our compliance status and the potential of an adverse audit finding related to password compliance,” the CISO says. “My CEO was unhappy to learn of this potential and instructed me to notify the account holder and get the problem fixed. I explained the account in question was his and I needed him to change his password. He changed his password and never had the issue again.”
The tradeoffs between convenience and security are becoming less of an issue with many senior executives, as they’re now much more aware of the risks, says Jay Leek, CISO at The Blackstone Group, an investment firm. And people at the lower levels of the organization generally try to do what they have been asked when it comes to security.
Where the challenge now lies is with middle management, Leek says. Often these are the people under pressure to get projects completed quickly and efficiently, and they’re looking for shortcuts such as not using cumbersome passwords to wanting to have more access to data than they might actually need.
“Maybe they don’t have all these insights [about security risks] or they feel more empowered,” Leek says. “I see them taking more risks. We’ve done a good job educating middle management, so we don’t have that issue today.”
But that doesn’t mean Leek never gets challenged. “I’ve had to have some very tough discussions” about security policies. “While it’s uncomfortable and not the happiest times, I’ve been able to at least come out alive and not gotten fired.”
Security if done well should provide protection in a user-friendly way, Dalva says. For example, companies can deploy technology such as single sign-on instead of forcing users to have multiple passwords for various systems and applications.
“Security doesn’t have to be an impediment to getting things done,” Dalva says. “It can enhance productivity” at the same time as providing data protection.
Bring-your-own-device (BYOD) issues have created their share of conflicts between security and business executives.
“When the iPad first came out the first people who wanted to carry them around were the most senior executives. How do you secure this” Leek says.
“Everyone was trying to figure out how they could get a device that wasn’t ready to deploy” securely, Leek says. “People want these cool new tools or devices like that,” without giving thought to the security issues.
Other sources of differences between security and business leaders have to do with budgets and personnel.
The CISO who didn’t want to be identified says in one budget cycle the company’s CFO made unilateral changes to the IT security budget and cut some items that were compliance and regulatory in nature.
“These budget items were defined and justified, but ultimately were an increase from the previous year so they were removed from the plan,” the CISO says. “After numerous meetings and explanations, I was able to get agreement to the increase in spending. Even with the proper justification, it is critical for CISOs to help educate the senior leadership on security trends, funding, regulatory issues, etc.”
When it comes to the use of resources such as people and capital, CISOs and CSOs are competing with other business leaders who have different drivers and incentives, Barton says.
“It’s imperative for the CISO community to partner with those business leaders to help them understand the correlation between the spend on information security and how it enables the other business leaders to create, implement and deploy their initiatives in a secure fashion,” Barton says.
With the ongoing shortage of experienced security personnel at many organizations, disagreements over staffing issues are likely to be a continuing source of contention.
“Too many companies make [capital spending] an easy part and make significant investments in new technologies,” says Michael Cook, senior security consultant at GuidePoint Security. “But [they] fail to make the corresponding investments in people, and developing the associated processes to utilize the technology, whether it's monitoring, analysis, investigation, research or security program development.”
The result is that the capital investment is significantly under-utilized, Cook says. “Companies that are hamstrung in their compensation structure, can't get the appropriately qualified people, and end up either doing without adequate staffing, or hiring people who aren't quite appropriate for the role and needs of the security department.”
Cook has seen security directors go back and forth with human resources and compensation officers and get salary ranges increased once or twice, but still not to market level. Then they are told that nothing more can be done and they give up the fight.
“They end up working with what they have been given, and recruiting people in that compensation range,” Cook says. “I can't emphasize enough how this negatively impacts process, and the quest towards security maturity.”