Dark Reading is part of the Informa Tech Division of Informa PLC

1/7/2016

How To Convince Management You Need More People

CISOs stand a better chance of getting the resources they need if they establish proper performance metrics that show how information security supports and benefits business objectives and opportunities.

As high profile cyberattacks make headlines, board members and senior management of companies large and small recognize that these attacks pose real threats to their revenue and reputations. As a result, investments in information security are essential.

So it would seem that chief information security officers should have few problems convincing upper management that they need to add more staff to combat existing and emerging threats.

But that’s not always the case.

“It is widely known that more is needed from an information security standpoint to face today’s challenges. Yet, many organizations are still reactive, and will boost their staffing only when faced with a breach,” says Paul Calatayud, chief information security officer at Surescripts, which provides a nationwide health information network that connects doctor’s offices, hospitals, pharmacists, and health plans through an integrated and technology-neutral platform.

This doesn’t bode well for security managers’ efforts to combat and mitigate cyberattacks, especially as they cope with a growing shortage of skilled cybersecurity professionals. According to The 2015 (ISC)² Global Information Security Workforce Study, 62% of the roughly 14,000 security professionals surveyed globally said their organizations have too few information security professionals, up from 56% in the 2013 survey.

CISOs can present a convincing argument about the need for more staff by establishing proper operational performance metrics that help demonstrate the resource requirements the security department is facing, says Calatayud. “These performance metrics should align to the business objectives and benefit business opportunities, as management teams want to see how investments in talent and tools will affect the bottom line.”

Philip Casesa, director of product development and portfolio management at the International Information System Security Certification Consortium, Inc., (ISC)², agrees. “Measurement is key.” If senior management knows that security is delivering results, they will be less hesitant about growing the security team, he says.

If CISOs can tie the need for resources and people directly into something that the organization is trying to accomplish -- such as gaining revenue, launching new products or services, or showing how security is protecting it from theft of intellectual property or customers’ personal identification information -- they have an argument that senior management can’t ignore, according to Casesa. CISOs can put a dollar value on the costs associated with losing intellectual property for their organizations, he notes.

According to IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach for companies participating in the survey increased 23 percent over the previous two years, to $3.79 million. Three hundred and fifty companies from 11 countries participated in the survey: the U.S., the U.K., Germany, Australia, France, Brazil, Japan, Italy, India, Saudi Arabia, the United Arab Emirates and, for the first time, Canada.

Still, all kinds of key questions need to be answered before CISOs try to convince management of anything, Casesa says. For instance, if more people are needed, what type of personnel? Should they be part-time or full-time? Can internal people be trained to take on new roles?

“If you as a leader, particularly a CISO, are not getting what you want, it’s your fault, not management’s,” Casesa says. It comes down to connecting. “Leaders need to connect to other leaders. Can you as a leader relate to other people? Can you ground the objectives you are trying to accomplish to the bigger objectives that the executives are trying to accomplish, to what the organization is trying to accomplish?”

Communication Skills Needed

Too often there are still disconnects between CISOs and the rest of the C-Suite from both a communication and trust standpoint, Calatayud says.

“CISOs must gain the trust of their management and demonstrate a return on investment from information security. They can do this by showing the risk posture of their work and communicating clearly what is being done by staff and vendors to prevent crippling incidents,” according to Calatayud.

The need for security managers to have better communication skills appears to be supported by responses in The 2015 (ISC)² Global Information Security Workforce Study, which was conducted by Frost & Sullivan. When reporting how important various skills and competencies are to career success, 77 percent of respondents ranked communication skills as the single most important attribute. “Interestingly, analytical skills, another soft skill, ranked second, ahead of more concrete competencies such as architecture; incident investigation and response; info systems and security operations management; and governance, risk management, and compliance,” according to the report.

Muneer Baig, president and CEO of security consultancy SYSUSA, notes that today there is a lot of focus on technology, and CISOs need to convey to upper management the importance of people in the equation. “Technology at the end of the day is only going to do what it is told to do. There has to be solid processes and procedures in place and a fully-trained person behind the technology,” he says.

“Having the right talent with the right processes behind the technology is really critical,” Baig says.

Calatayud advises CISOs to be careful about what they ask for, because they have to be ready to commit and execute once they have the staff they requested.

“There are times when CISOs are not prepared to take on the responsibility of a larger department and face issues with managing a bigger team and demonstrating the ROI of that team,” he says. “This is where setting the proper metrics and goals is important to show the worth of a larger team.”

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.