
Four Tips For Enabling Better Collaboration On Security Programs

It's not really about whether the CISO or CIO is in charge. It's about making someone accountable for security. That's what's really critical.

Enterprise efforts to bolster cybersecurity often tend to focus on technology and process improvements and much less so on enabling better collaboration between the security function and the rest of the organization. And that is a problem.

Recent studies show that a continuing gap between the security group and business unit leaders, C-suite executives and even the rest of the IT group is preventing organizations from achieving an optimal level of cyber resiliency.

The Ponemon Institute last September conducted a survey sponsored by Resilient Systems of over 600 IT and IT security professionals. The results revealed a disturbing lack of collaboration on security issues across departments and lines of business at many organizations. A mere 15 percent of the respondents described the collaboration as excellent while 32 percent described it as poor or non-existent. The remaining 53 percent cited it as being adequate but in need of improvement.

As a result, there is considerable confusion within organizations about who really owns the security function. That relative lack of accountability is preventing many organizations from being proactive about their security strategy and has left a vast majority (83 percent) without a properly implemented cybersecurity incident response plan, the Ponemon survey showed.

“Three quarters of all organizations interviewed didn’t think they were best equipped to handle cyber attacks,” says John Bruce, CEO of Resilient Systems. “Many felt they didn’t have enough executive sponsorship to handle cyber attacks. About three quarters said they didn’t have enough planning and preparation going on,” around security, Bruce said.

Here are four measures organizations can take to make security a more collaborative effort across the enterprise:

Make Someone Accountable For Security

Organizations sometimes get too fixated on whether security is better handled by the CIO, by the chief information security officer (CISO) or by a chief security officer (CSO). Forget about that. The real question they should be asking is who should be held ultimately accountable for enterprise security overall, says John Worrall, chief marketing executive at CyberArk, a vendor of privileged account security management software. CyberArk in December conducted a survey (registration required) similar to the one conducted by Ponemon and found a similar disconnect between the security function and the business side.

“It’s less about the position and more about accountability,” Worrall says. A CISO, CSO or a CIO can handle the security function equally well, but only if they are held formally accountable for the role and receive adequate support for it. “There needs to be a clear understanding of what is expected of the role.”

An organization can make an important statement by appointing someone to the role of a CISO or a CSO. It shows the organization is paying attention to security in a serious manner, Worrall says. But the ultimate accountability for security could still be vested in another role, if an organization finds that to be a better fit.

“I won’t say one is necessarily better than the other,” Bruce adds. “A lot of it is really born out of how the company has evolved organizationally.”

Enable Better Collaboration Across LOBs And Departments

The executive in charge of cybersecurity needs to take advantage of the heightened threat awareness that exists at the top levels of the organization to make security a more collaborative effort. “There is greater receptivity in the enterprise,” Bruce says. “People are listening harder at the leadership level. It behooves the CIO or CISO to make a case on how it needs to be done,” at an enterprise level, he said.

The most effective security executives are the ones that can muster support from executives and stakeholders from across the organization. “The best [security executives] are great communicators. They are good aligners of people, process and technology and are treated by other business leaders as a fellow business leader,” Bruce says.

Communicate Security Issues More Effectively

Communicating security issues in a way that business leaders and non-technologists can understand is vital to getting the support and the funding to mount an adequate defense against evolving cyberthreats.

“There’s a mismatch between the two ends of the spectrum,” says Worrall. “The CEO and the Board are trying to better understand the security posture of the organization and what they need. But they are not immersed in technology and don’t understand technology language,” he says.

Not surprisingly, some 53 percent of the 304 respondents in the CyberArk survey felt their CEOs made decisions without regard to cybersecurity. More than six in 10 felt their CEOs did not know enough about cybersecurity, while almost 70 percent said the issue was too technical for their chief executives to understand.

The lack of communication and the consequent lack of understanding of cybersecurity issues at the highest levels appear to be exacerbated by the fact that C-suite executives are not briefed as often as many might expect. Despite the mega-breaches at Target, Home Depot and elsewhere, one third of the people who took the CyberArk survey said their CEOs are not briefed regularly on cybersecurity. Nearly 43 percent of management teams are not provided regular security status reports, the survey showed.

Use The Right Metrics

Security practitioners rely too much on compliance-related metrics to convey the effectiveness of the security program. This often results in executive management not fully grasping the business implications of an effective cybersecurity program. Executives end up seeing cybersecurity as something they need primarily to comply with industry or regulatory requirements.

For example, only 44 percent of the respondents in the Ponemon survey said their organizational leaders recognized how important good cybersecurity is to managing enterprise risks and to brand image.

The problem is that reports to management tend to talk about the activities that the security organization is engaged in as opposed to the outcome of those activities from a risk reduction standpoint, Worrall says. Metrics that are considered critical indicators of the effectiveness of a security program, such as threat detection metrics, are not often a top priority in reports to top executives.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
