THE CHALLENGE OF BOARD ROOM BUY IN
One of the top complaints raised by CISOs and CSOs is a lack of voice in the boardroom. From David Barton, CISO at Websense, in an article for csoonline.com:
“Too many CISOs are relegated to being relevant only when there is a crisis. Security belongs in the boardroom, in senior executive strategy meetings, in the many business planning processes, and in the operations of the business. My wish for 2016 is more visibility at the board level for CISOs, where we can provide advice/guidance to enable the business to succeed in a secure fashion.”
Most board members do not understand security the way they understand finance, sales, or operations. They are unable to see tangible evidence of the return on investments made in security. How does the security community overcome this lack of understanding to gain boardroom buy-in?
CEOs and CFOs are not going to go out and get CISSPs anytime soon, and they shouldn’t need to. Why? Every board member cannot be an expert in finance, sales, marketing, operations, etc. Instead, they rely on the board member or executive who is an expert in a particular field to present long-term trends, comparisons, and metrics that quantify the needs, success, and outlook for that aspect of the business.
This works for two reasons. The first is that trends, comparisons, and metrics allow board members to understand areas of business they are not experts in. The second is that it requires every aspect of business to be broken down into repeatable, measurable processes.
The second part is where information security runs into problems. A majority of enterprises have not succeeded at breaking information security into the repeatable processes that allow it to be measured in the same manner as other aspects of business. Boards recognize this problem. Instead of investing in improving proven processes, they must take the word of the security team that an investment will keep them secure.
Einstein said, “If you cannot explain it simply, you do not understand it well enough.” Instead of continuing to ask why boardrooms continually fail to understand security, we need to ask ourselves why we are failing to explain it to them. If security cannot be explained by trends, comparisons, and metrics of repeatable processes, the security team lacks a full understanding of the organization’s security posture. By breaking security into repeatable processes that can be measured and compared over time, not only will respect and buy-in be achieved at the board level, but the organization’s security posture will also be greatly improved.
AristotleInsight is a big data security analytics solution implementing the UDAPE model. The solution collects, links, and organizes security data in order to establish baselines, conduct user behavior analysis, recognize anomalies, and detect advanced persistent threats.