Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
12/21/2017
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Be a More Effective CISO by Aligning Security to the Business

These five steps will you help marshal the internal resources you need to reduce risk, break down barriers, and thwart cyber attacks.

The recently released F5 and Ponemon report, "The Evolving Role of CISOs and their Importance to the Business," unearthed some disconcerting results about CISO effectiveness. In particular, the survey asked specifically: Are security operations aligned with business objectives? The answer:

  • Fully – 26%
  • Partially – 34%
  • Not – 40%

If security isn’t aligned with the business objectives of the organization, then how can the security program function effectively? Security always exists in context to something else, and that context is the organization’s business objectives. If you’re one of those 40% not aligning at all with your business goals, here are X things you can do.

Step 1: Understand the Business
To build a security program that matches business objectives, you first have to understand the business. How do you do this? By asking questions and doing your homework, and not just about your organization but about your industry sector, as well.

  • You should clearly understand your organization’s reason for existing. What is unique about your organization? Who does your organization serves as part of its mission? Who are the biggest customers and what do they want? What do they expect? Who are the key partners? What do they expect? How does your business compare in these aspects to others in your industry sector?
  • The next important issue is to understand how revenue flows in. Is it constant, cyclical, or tied to sales? How does it lose revenue? Are there cash reserves for rainy days?
  • From there, determine what assets you need to protect. What does the organization want to keep secret? What parts of the organization must never be tampered with? What functions must always keep running? Is it critical that the website is always up? What do employees need to do their job? What information do they need; what systems? What happens if they don’t get those things? Also, what regulations must the organization abide by? What critical contracts must be fulfilled?
  • Next, be sure you understand the biggest challenges the organization faces. Is it growth? Survival? New markets? Changing regulations? Competition? Shrinking customer base? Shrinking budget?
  • What are the major organizational processes? How does the organization circulate information internally?
  • What physical locations does the organization use? Not just the offices and factories, but warehouses, offsite storage, parking lots, and rented temporary offices.
  • What technology is in use now? Before? Planned for later? What problem is each of them intended to solve? Are they working effectively? Do they need to be upgraded or replaced?

Step 2: Leverage the Business Understanding
Use this information to get buy-in on risk reduction programs. Remember that when a security incident occurs, it can have many different kinds of impacts: loss of customer confidence, reduction in sales advantage, regulator fines, operational overhead, and loss of competitive advantage due to breached trade secrets. Find the hot buttons and push them.

Step 3: Break Down Barriers
The F5 Ponemon survey also touched on how much silo and turf issues can impede a security program’s effectiveness with the question: Do turf and silo issues diminish security strategy? The response:

  • Yes, significant influence – 36%
  • Yes, some influence – 39%
  • Yes, minimal influence – 15%
  • No influence – 10%

To help break through the silos, you need to work with each group towards the common company goal of protecting the business of the business. This means you will need to explain your message in terms of each department’s critical processes and requirements. By tying back to the common goal of furthering the organization’s strategic goals, you can help get everyone moving in the same direction and build cooperation.

Step 4: Empathetic Listening
A key to building cooperation is to develop the skill of empathetic listening to engage your ears before you start hammering a message into people. You listen with the goal of understanding the other person’s point of view and acknowledging how they feel about the situation. Listen to people’s complaints. Users work in different contexts than IT and security. They have work that needs to get done that has nothing to do with your security policy. Listen carefully to their problems and then, once they’ve had their say, you can connect their jobs to the security mission.

Step 5: Leverage Contextual Business Knowledge
To break down barriers and silos, you’ll need to align users’ daily practices with security. Hopefully your examination of organizational processes and goals provides the information you needed for this. It also is useful for framing your security messages in the language of the organization’s culture, not in terms of security culture. This leads to a key part of making this work: giving people understandable reasons why a security process is in place.

Step 5: Talk about Threats and Impacts
Using the institutional knowledge, you’ve gathered, explain why you’re implementing particular security processes. Be specific and detailed about what you’re trying to prevent, and clarify how the process will control it. This will also help get people on your side when a process doesn’t work perfectly. For example, if you explain that customer social security numbers should always be encrypted, then users can let you know when they see them displayed in plain view. In this way you can quickly zero in on security incidents and fix problems.

Another big motivator is explaining how security incidents directly affect the organization’s ability to function and meet its business objective by measuring risk in terms of the loss of operational efficiency and business capability. This is a powerful technique, especially if you’ve got a strong grasp on what the organization cares about.

Get the latest application threat intelligence from F5 Labs.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/25/2017 | 8:35:24 PM
Understand the Business
I think understanding business is first critical step of securing the business. So the article is making a good point.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/25/2017 | 8:33:31 PM
Re: More Effective CISO
The guidance may be finessed however the CEO must set the policy. This makes sense. Sometime CEO may choose to have more open system than a lucked down environment
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/25/2017 | 8:30:55 PM
Re: More Effective CISO
Security priorities are different depending on where you sit in the C-Suite. This is a very good point. Some CEO would not care about security unless company get hit.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/25/2017 | 8:28:39 PM
Re: More Effective CISO
The concept of being more business minded is good but misses the mark I may agree with this. Business and security may not be aligned fully.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/25/2017 | 8:27:01 PM
Security and business
Security and business may not be aligned fully, sometime customers go with features that compromise security.
swdswan
50%
50%
swdswan,
User Rank: Apprentice
12/21/2017 | 1:50:10 PM
More Effective CISO
The concept of being more business minded is good but misses the mark. Security priorities are different depending on where you sit in the C-Suite. The CEO should have a perspective that spans the organization. They know what is critical to running the organization and what is the most important. That direction needs to be provided to the CSO/CISO. The guidance may be finessed however the CEO must set the policy. 

David Swan

 
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2638
PUBLISHED: 2018-07-16
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
CVE-2017-7468
PUBLISHED: 2018-07-16
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was...
CVE-2018-13387
PUBLISHED: 2018-07-16
The IncomingMailServers resource in Atlassian JIRA Server before version 7.6.7, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3 and from version 7.10.0 before version 7.10.2 allows remote attackers to inject arbitrary HTML or ...
CVE-2018-14071
PUBLISHED: 2018-07-16
The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of post editor and other user input.
CVE-2018-5229
PUBLISHED: 2018-07-16
The NotificationRepresentationFactoryImpl class in Atlassian Universal Plugin Manager before version 2.22.9 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of user submitted add-on names.