Careers & People
1/7/2016 02:45 PM

How To Convince Management You Need More People

CISOs stand a better chance of getting the resources they need if they establish proper performance metrics that show how information security supports and benefits business objectives and opportunities.

As high-profile cyberattacks make headlines, board members and senior management at companies large and small recognize that these attacks pose real threats to revenue and reputation, and that investment in information security is therefore essential.

So it would seem that chief information security officers should have few problems convincing upper management that they need to add more staff to combat existing and emerging threats.

But that’s not always the case.

“It is widely known that more is needed from an information security standpoint to face today’s challenges. Yet, many organizations are still reactive, and will boost their staffing only when faced with a breach,” says Paul Calatayud, chief information security officer at Surescripts, which provides a nationwide health information network that connects doctor’s offices, hospitals, pharmacists, and health plans through an integrated and technology-neutral platform.

This doesn’t bode well for security managers’ efforts to combat and mitigate cyberattacks, especially as they cope with a growing shortage of skilled cybersecurity professionals. According to The 2015 (ISC)² Global Information Security Workforce Study, 62% of the roughly 14,000 security professionals surveyed globally said their organizations have too few information security professionals, up from 56% in the 2013 survey.

CISOs can present a convincing argument about the need for more staff by establishing proper operational performance metrics that help demonstrate the resource requirements the security department is facing, says Calatayud. “These performance metrics should align to the business objectives and benefit business opportunities, as management teams want to see how investments in talent and tools will affect the bottom line.”

Philip Casesa, director of product development and portfolio management at (ISC)², the International Information System Security Certification Consortium, Inc., agrees: “Measurement is key.” If senior management knows that security is delivering results, they will be less hesitant about growing the security team, he says.

If CISOs can tie the need for resources and people directly to something the organization is trying to accomplish, such as gaining revenue, launching new products or services, or protecting intellectual property and customers’ personally identifiable information from theft, they have an argument that senior management can’t ignore, according to Casesa. CISOs can also put a dollar value on what losing intellectual property would cost their organizations, he notes.

According to the 2015 Cost of Data Breach Study: Global Analysis from IBM and the Ponemon Institute, the average total cost of a data breach for the companies surveyed rose 23 percent over the previous two years, to $3.79 million. The survey covered 350 companies in 11 countries and regions: the U.S., the U.K., Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (Saudi Arabia and the United Arab Emirates, surveyed together) and, for the first time, Canada.

Still, a number of key questions need to be answered before CISOs try to convince management of anything, Casesa says. For instance, if more people are needed, what type of personnel? Should they be part-time or full-time? Can internal people be trained to take on new roles?

“If you as a leader, particularly a CISO, are not getting what you want, it’s your fault, not management’s,” Casesa says. It comes down to connecting. “Leaders need to connect to other leaders. Can you as a leader relate to other people? Can you ground the objectives you are trying to accomplish to the bigger objectives that the executives are trying to accomplish, to what the organization is trying to accomplish?”

Communication Skills Needed

Too often there are still disconnects between CISOs and the rest of the C-Suite from both a communication and trust standpoint, Calatayud says.

“CISOs must gain the trust of their management and demonstrate a return on investment from information security. They can do this by showing the risk posture of their work and communicating clearly what is being done by staff and vendors to prevent crippling incidents,” according to Calatayud.

The need for security managers to have better communication skills appears to be supported by responses in The 2015 (ISC)² Global Information Security Workforce Study, which was conducted by Frost & Sullivan. When rating how important various skills and competencies are to career success, 77 percent of respondents ranked communication skills as the single most important attribute. “Interestingly, analytical skills, another soft skill, ranked second, ahead of more concrete competencies such as architecture; incident investigation and response; info systems and security operations management; and governance, risk management, and compliance,” according to the report.

Muneer Baig, president and CEO of security consultancy SYSUSA, notes that today there is a lot of focus on technology, and CISOs need to convey to upper management the importance of people in the equation. “Technology at the end of the day is only going to do what it is told to do. There have to be solid processes and procedures in place and a fully trained person behind the technology,” he says.

“Having the right talent with the right processes behind the technology is really critical,” Baig says.

Calatayud advises CISOs to be careful about what they ask for, because they have to be ready to commit and execute once they have the staff they requested.

“There are times when CISOs are not prepared to take on the responsibility of a larger department and face issues with managing a bigger team and demonstrating the ROI of that team,” he says. “This is where setting the proper metrics and goals is important to show the worth of a larger team.”

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.
