1/7/2016
02:45 PM

How To Convince Management You Need More People

CISOs stand a better chance of getting the resources they need if they establish proper performance metrics that show how information security supports and benefits business objectives and opportunities.

As high profile cyberattacks make headlines, board members and senior management of companies large and small recognize that these attacks pose real threats to their revenue and reputations. As a result, investments in information security are essential.

So it would seem that chief information security officers should have few problems convincing upper management that they need to add more staff to combat existing and emerging threats.

But that’s not always the case.

“It is widely known that more is needed from an information security standpoint to face today’s challenges. Yet, many organizations are still reactive, and will boost their staffing only when faced with a breach,” says Paul Calatayud, chief information security officer at Surescripts, which provides a nationwide health information network that connects doctors’ offices, hospitals, pharmacists, and health plans through an integrated and technology-neutral platform.

This doesn’t bode well for security managers’ efforts to combat and mitigate cyberattacks, especially as they cope with a growing shortage of skilled cyber security professionals. According to The 2015 (ISC)² Global Information Security Workforce Study, 62% of the 14,000 security professionals surveyed globally stated that their organizations have too few information security professionals, compared to 56% in the 2013 survey.

CISOs can present a convincing argument about the need for more staff by establishing proper operational performance metrics that help demonstrate the resource requirements the security department is facing, says Calatayud. “These performance metrics should align to the business objectives and benefit business opportunities, as management teams want to see how investments in talent and tools will affect the bottom line.”

Philip Casesa, director of product development and portfolio management at the International Information System Security Certification Consortium, Inc., (ISC)², agrees. “Measurement is key.” If senior management knows that security is delivering results, they will be less hesitant about growing the security team, he says.

If CISOs can tie the need for resources and people directly into something that the organization is trying to accomplish -- such as gaining revenue, launching new products or services, or showing how security is protecting it from theft of intellectual property or customers’ personal identification information -- they have an argument that senior management can’t ignore, according to Casesa. CISOs can put a dollar value on the costs associated with losing intellectual property for their organizations, he notes.

According to IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach for companies participating in the survey increased 23 percent over the past two years to $3.79 million. Three hundred and fifty companies representing 11 countries participated in the survey, including the U.S. and U.K., Germany, Australia, France, Brazil, Japan, Italy, India, Saudi Arabia, the United Arab Emirates and, for the first time, Canada.

Still, all kinds of key questions need to be answered before CISOs try to convince management of anything, Casesa says. For instance, if more people are needed, what type of personnel? Should they be part-time or full-time? Can internal people be trained to take on new roles?

“If you as a leader, particularly a CISO, are not getting what you want, it’s your fault, not management’s,” Casesa says. It comes down to connecting. “Leaders need to connect to other leaders. Can you as a leader relate to other people? Can you ground the objectives you are trying to accomplish to the bigger objectives that the executives are trying to accomplish, to what the organization is trying to accomplish?”

Communication Skills Needed

Too often there are still disconnects between CISOs and the rest of the C-Suite from both a communication and trust standpoint, Calatayud says.

“CISOs must gain the trust of their management and demonstrate a return on investment from information security. They can do this by showing the risk posture of their work and communicating clearly what is being done by staff and vendors to prevent crippling incidents,” according to Calatayud.

The need for security managers to have better communication skills appears to be supported by responses in The 2015 (ISC)² Global Information Security Workforce Study, which was conducted by Frost & Sullivan. When reporting how important various skills and competencies are to career success, 77 percent of the respondents said communications skills ranked as the single-most important attribute. “Interestingly, analytical skills, another soft skill, ranked second, ahead of more concrete competencies such as architecture; incident investigation and response; info systems and security operations management; and governance, risk management, and compliance,” according to the report.

Muneer Baig, president and CEO of security consultancy SYSUSA, notes that today there is a lot of focus on technology, and CISOs need to convey to upper management the importance of people in the equation. “Technology at the end of the day is only going to do what it is told to do. There have to be solid processes and procedures in place and a fully-trained person behind the technology,” he says.

“Having the right talent with the right processes behind the technology is really critical,” Baig says.

Calatayud advises CISOs to be careful about what they ask for because they have to be ready to commit and execute once they have the staff they requested.

“There are times when CISOs are not prepared to take on the responsibility of a larger department and face issues with managing a bigger team and demonstrating the ROI of that team,” he says. “This is where setting the proper metrics and goals is important to show the worth of a larger team.”

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.
