As high profile cyberattacks make headlines, board members and senior management of companies large and small recognize that these attacks pose real threats to their revenue and reputations. As a result, investments in information security are essential.
So it would seem that chief information security officers should have few problems convincing upper management that they need to add more staff to combat existing and emerging threats.
But that’s not always the case.
“It is widely known that more is needed from an information security standpoint to face today’s challenges. Yet, many organizations are still reactive, and will boost their staffing only when faced with a breach,” says Paul Calatayud, chief information security officer at Surescripts, which provides a nationwide health information network that connects doctor’s offices, hospitals, pharmacists, and health plans through an integrated and technology-neutral platform.
This doesn’t bode well for security managers’ efforts to combat and mitigate cyberattacks, especially as they cope with a growing shortage of skilled cyber security professionals. According to The 2015 (ISC)² Global Information Security Workforce Study, 62% of the 14,000 security professionals who were surveyed globally, stated that their organizations have too few information security professionals, compared to 56% in the 2013 survey.
CISOs can present a convincing argument about the need for more staff by establishing proper operational performance metrics that help demonstrate the resource requirements the security department is facing, says Calatayud. “These performance metrics should align to the business objectives and benefit business opportunities, as management teams want to see how investments in talent and tools will affect the bottom line.”
Philip Casesa, director of product development and portfolio management at the International Information System Security Certification Consortium, Inc., (ISC)², agrees. “Measurement is key.” If senior management knows that security is delivering results, they will be less hesitant about growing the security team, he says.
If CISOs can tie the need for resources and people directly into something that the organization is trying to accomplish -- such as gaining revenue, launching new products or services, or showing how security is protecting it from theft of intellectual property or customers’ personal identification information -- they have an argument that senior management can’t ignore, according to Casesa. CISOs can put a dollar value on the costs associated with losing intellectual property for their organizations, he notes.
According to IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach for companies participating in the survey increased 23 percent over the past two years to $3.79 million. Three hundred and fifty companies representing 11 countries participated in the survey, including the U.S. and U.K., Germany, Australia, France, Brazil, Japan, Italy, India, Saudi Arabia, the United Arab Emirates and, for the first time, Canada.
Still, all kinds of key questions need to be answered before CISOs try to convince management of anything, Casesa says. For instance, if more people are needed, what type of personnel? Should they be part-time or full-time? Can internal people be trained to take on new roles?
“If you as a leader, particularly a CISO, are not getting what you want, it’s your fault, not management’s,” Casesa says. It comes down to connecting. “Leaders need to connect to other leaders. Can you as a leader relate to other people? Can you ground the objectives you are trying to accomplish to the bigger objectives that the executives are trying to accomplish, to what the organization is trying to accomplish?”
Communication Skills Needed
Too often there are still disconnects between CISOs and the rest of the C-Suite from both a communication and trust standpoint, Calatayud says.
“CISO’s must gain the trust of their management and demonstrate a return on investment from information security. They can do this by showing the risk posture of their work and communicating clearly what is being done by staff and vendors to prevent crippling incidents,” according to Calatayud.
The need for security managers to have better communication skills appears to be supported by responses in The 2015 (ISC)² Global Information Security Workforce Study, which was conducted by Frost & Sullivan. When reporting how important various skills and competencies are to career success, 77 percent of the respondents said communications skills ranked as the single-most important attribute. “Interestingly, analytical skills, another soft skill, ranked second, ahead of more concrete competencies such as architecture; incident investigation and response; info systems and security operations management; and governance, risk management, and compliance,” according to the report.
Muneer Baig, president and CEO of security consultancy SYSUSA, notes that today there is a lot of focus on technology and CISOs need to convey to upper management the importance of people in the equation. “Technology at the end of the day is only going to do what it is told to do. There has to be solid processes and procedures in place and a fully-trained person behind the technology,” he says.
“Having the right talent with the right processes behind the technology is really critical,” Baig says.
Calatayud advises CISOs to be careful about what they ask for because they have to be ready to commit and execute once they have the staff they requested.
“There are times when CISOs are not prepared to take on the responsibility of a larger department and face issues with managing a bigger team and demonstrating the ROI of that team,” he says. “This is where setting the proper metrics and goals are important to show the worth of a larger team.”