An Executive’s Guide To Security Risks
The following guest post is by Dwayne Melancon, CISA, chief technology officer, Tripwire, an IT security software company.
The SEC is getting pretty explicit about information security risk. You have to identify it, you have to declare it, and you have to manage it. The problem is, a lot of the CEOs I talk with have no clue what they are accepting when they sign off on information security risk.
Sometimes, they blindly accept the cryptic recommendations from their chief information security officers (a.k.a., CISO). Sometimes, their guts tell them there may be a problem, but they don’t know which questions to ask to figure out what’s really going on. In both cases, I think it’s a problem that senior business managers are accepting risks they don’t fully understand. How can this represent the best interests of your stakeholders?
As a CEO, how do you get your hands around your information security risk? After all – you are the one accepting the risk for the business, not your security team.
Use Words You Already Understand
The CEOs I speak with often feel they don’t know how to approach security metrics because it’s an area they don’t really understand in detail. Unfortunately, they either don’t ask for more information, or don’t know what to ask because the subject matter is very technical.
The good news is that you don’t need to be a cyber security expert to understand security risks. The issues suddenly become much clearer if you can re-frame what you ask for in terms of something you understand: your organization’s business goals.
For example, let’s take a look at the goals the CEO for a large online retailer created for his CISO:
–Insure our site is available to our customers when they want to shop;
–Insure that our customers feel safe and secure as they shop with us;
–Insure that our customers’ information is safe with us at all times;
–Insure that we satisfy the necessary legal, regulatory or internal requirements so that we remain a viable business.
As you can see, these goals make sense to any CEO, technical or not. They also provide a clear framework that enables technical teams to make consistent, aligned decisions about where to focus their efforts and resources.
This also provides an easy framework for a CEO or non-technical executive to ask relevant questions about how information security is enabling or protecting these goals.
Simplicity Is Your Friend
Another obstacle is the complexity of data available to us. One of the executives I work with took over a large organization with a history of data breaches and information security-related audit findings. When she took over the organization, she tried to get a baseline understanding of where things were and was presented with an overwhelming amount of security data that was more confusing than helpful.
She went through a process to identify some key areas of concern that were most relevant to her organization’s goals, and spent a lot of time with the security team to understand where the key leverage points, risk areas, and blind spots were in the organization. This included reviewing the past problems to figure out where things had gone wrong.
At the end of this process, she identified five main areas of concern and had the team develop a way to measure and score these areas, to get things into a numeric risk score.
Now, rather than having to plow through tons of numbers, she has a dashboard of five key scores, which indicate risk, and she can tell at a glance how things are doing, where the hot spots are, and whether they are better or worse than last month. These five areas are then aggregated into a top-level risk score that becomes the barometer of risk for her organization for ongoing monitoring. The details are still there, but she doesn’t have to get bogged down in them unless the risk score drops.
When I asked her how she knew whether her risk score was “right” or not, she said, “It doesn’t really matter what the number is as long as we are tracking it consistently, and I can drill down a level or two when the score drops, so I can figure out where the hot spots are.”
They also adjust the calculation method from time to time, typically when they discover something that has negatively impacted her organization but wasn’t reflected in the risk score.
The Bottom Line
To net this out, just because you don’t have a technical background doesn’t mean you can’t engage with your information security organization to ensure they are looking out for your business. By connecting things back to the goals of your business, and avoiding the “too much data” trap by keeping it simple, you can get the confidence you need so you can sleep at night.