An article I recently read questions the conventional wisdom that high-profile breaches should incentivize organizations to increase their investments in information security.
It notes that although these companies were breached, the costs incurred to clean up the aftermath of their data breaches were manageable, and in a few cases some of those costs were borne by other parties. The article goes on to discuss “moral hazards,” in which organizations accept additional risk because the impact of the consequences is partially borne by others, and the role of government in these situations.
In his March 4 article for The Conversation entitled “Why companies have little incentive to invest in cyber security,” Benjamin Dean, a Fellow for Internet Governance and Cyber-security at the School of International and Public Affairs at Columbia University, examines the actual costs to Target, Home Depot and Sony Pictures of their data breaches.
Take Target as an example: despite the volume of negative media coverage it received after suffering a significant data breach in late 2013, it has recovered. Customers are returning, the stock price is moving up, and the amount of money it has spent to repair the damage represents a minuscule percentage of its annual revenue.
While the article’s discussion of how moral hazards may define a role for government in cyber security is thought-provoking, my takeaway was the importance of understanding risk and being able to communicate about it. The increasing rate of high-profile security breaches will accelerate the evolution of the role of the chief information security officer (CISO) from one focused primarily on implementing and managing information security technologies to one of critical risk management consultant.
CISOs and the InfoSec community have complained for quite some time that information security programs are not adequately resourced. Perhaps part of the reason for this is that information security leaders have not justified the investment in information security in terms of risk that executive management and the board of directors understand. Information security has transformed into a risk management discipline, and for most organizations the question is no longer “why should we bother to spend money to improve security if we can’t guarantee total data breach immunity?” but rather “how can we ensure money and manpower are allocated to reduce the risk that business decisions may create while minimizing the damage a breach may cause?”
The transformation centers on the CISO—or whoever is responsible for information security—moving from being primarily responsible for implementing and managing technology solutions to being seen as a critical risk management advisor for information security, analogous to how CFOs advise on financial risk and General Counsels advise on legal risk.
This new role means that the CISO must move from simply dictating broad security policies to the entire business to regularly interacting directly with individual business unit leaders to better understand their business processes. How the sales team operates on a daily basis, in terms of the information it needs access to, where that information is stored and what devices its members use at the office or on the road, may be very different from the needs of Human Resources or Finance, for example.
This requires excellent communication skills, including the ability to present your research and recommendations to different audiences with varying levels of understanding of, or even desire to understand, the bigger picture. The IT team should be interested in technology metrics: how many attacks have been thwarted, system performance, and employee requests to the IT help desk. They are on the front lines, and those numbers can demonstrate how IT systems and processes are performing. The Board of Directors, on the other hand, doesn’t have time to focus on those specifics; its members will want to hear from the CISO on how the business decisions leadership is making balance growing revenue against increasing risk.
Risk management used to be relegated to the legal or finance sides of the house. Now the security leader is the third pillar of that risk management advisory team and must be able to work with these other two champions of risk management; the company’s leadership and Board of Directors should realize how important that role is. The CISO should have a seat at the proverbial table next to legal and finance to provide expert advice on the risks of particular business decisions and how best to mitigate those risks. However, that seat won’t be available if the CISO is focused on technology and can’t explain information security in terms of risk.
I would postulate that any company is more likely to reach decisions that combine technology spend and implementation and improve the security posture of the business if the CISO is part of the risk management team. The CISO is no longer someone who lectures on the need for new technologies; he or she is a business enabler through the management of risk. This is the new role of the modern CISO.