The number one driver in business right now is brand value, says Jay Leek, senior vice president and CISO at Blackstone, a New York City-based asset manager. And, whether you are a brick-and-mortar retailer like Target or the manufacturer of a digital tool like Internet Explorer, nothing has a negative impact on your brand quite like a data breach. As Target CEO Gregg Steinhafel discovered when he was forced to resign last month, putting the personal information of a large segment of your customer base in jeopardy can tarnish your company's reputation and derail executives' careers.
But, pull back on that view of the C-suite and identify who is missing among all those present with the title of ‘chief’. Chances are, you will not find the CISO – or the person he or she reports to – on Mahogany Row. “It's very rare to find a CISO who reports to the CEO,” says Ted Julian, chief marketing officer at Cambridge, Mass.-based Co3 Systems, “yet that is the most dramatic indicator that a company takes its security seriously.”
“Giving CISOs that kind of executive responsibility is not widely adopted,” agrees Bob West, chief trust officer at CipherCloud, based in San Jose, Calif. “Most CISOs still don't have that kind of visibility. Systemic issues still abound in that area.”
John Johnson, global security strategist at John Deere, the equipment manufacturing giant based in Moline, Ill., admits that his company does not even have a CISO, and says he sees few as he looks across the manufacturing sector. “Most manufacturers are struggling to improve and adapt, and swimming against the tide of lean IT budgets and resource shortages,” he says. “As such, security started as a function of IT and remains under the CIO.”
That line of reporting can work, says Leek, as long as the person the CISO reports to is the kind of executive who makes things happen when needed. “You need to team up with the right business leader to ensure your voice gets heard,” he says.
Unfortunately, based on the results of a new study, the voices from the security department are not generally getting heard. According to research conducted by the Ponemon Institute and sponsored by FireMon, only six percent of security professionals surveyed report being highly effective at communicating risk factors to senior management. Twenty-nine percent say they never communicate with senior executives, and 31 percent say the only time they meet with those in the C-suite is when a serious risk has been discovered. Seventy-one percent say communication occurs at too low a level to be effective, and more than half of respondents admit to filtering negative facts before talking to senior executives.
“The survey reveals there is a lack of understanding of what's important and how it should be measured,” says Jody Brazil, FireMon's president and chief technology officer. “Most security professionals are invisible until they are forced to disrupt the flow of regular business, and disruption is seldom viewed as positive by those in charge.”
Despite these findings, Leek believes awareness of the importance of security to companies' overall welfare is increasing. “The conversation has been changing over the past two or three years,” he says. “The highly publicized breaches have changed the way that business leaders and boards of directors look at things.”
Tim Smith says it depends on which senior executive you are talking to. The interim CEO and executive director of the 76,000-member Canadian Medical Association (CMA) says digital security is seldom a topic of conversation among the peers he meets, but agrees with Leek that disasters have heightened awareness among those who manage high-risk organizations. As an example, he points to a fire at the headquarters of MD Physician Services, the CMA's wealth management subsidiary.
“We had a very strong disaster-recovery plan in place, and despite having to abandon the building and force employees to work externally for a number of months, the security of our clients' data was never at risk.”
Smith says he has fielded a number of inquiries about risk avoidance and recovery processes since the fire. “It hits home with business leaders when there is a cost factor involved.”
But, Julian says that CISOs would find the doors to the boardroom open to them more often if they put their reports in terms that business leaders understand, such as potential cost to the business and comparisons to industry averages.
“CISOs need to take the reins and define the metrics by which they want to be measured,” he says. “Ground your concerns and recommendations in business issues, and provide metrics that board members can relate to. A lot of boards are there now. They're concerned about liability, but they want to know how to effectively avoid risk.”
It is also important, he says, to avoid the data breach equivalent of crying wolf: executives should clearly understand how many threats are real, which ones involve sensitive digital assets, and what those assets are worth. “Get the kind of data they can relate to in the C-suite,” he says.
Getting the message across is also important, adds Johnson. “We need to be better at communicating IT security risk to our executives, in a way they can understand and appreciate. This means we need to assess and explain the risk, and align our projects and services with business objectives.”
West says that, too often, security professionals are viewed as “the geek in the corner” because they don't speak the same language as senior executives. Both he and Leek point to the traditional corporate general counsel as a useful role model for CISOs who want their advice to be heard and seriously regarded.
“Senior executives need that kind of objective opinion and the opportunity to have a dialogue that helps them weigh their options and make a decision,” says West.
Smith agrees that that kind of input is becoming an essential element in sound business management, and says substantive governance adjustments are required to make it effective.
“It's a big area of change,” he says. “To make it work, you need to involve security professionals at the early stages of planning and ensure they're at the table shoulder to shoulder with you before problems occur.”
Rather than sitting back, waiting for the senior management team to recognize their value to the organization and invite them in, Johnson says the onus is on security professionals to change the model.
“The blame is shared when a company doesn't see the value of the security team,” he says, “but mostly it is our fault for not explaining why we need an elevated role. There is only so much we can accomplish, and only so quickly we can manifest change, if we are trying to do it from the bottom up.”
He says organizations need to designate a security executive who is in a position to lead from the top down, and – as Smith suggests – be involved in strategic planning.
But, do security professionals possess the strategic, critical thinking and communications skills required to take a seat at the leadership table?
“The stereotypical path to CISO is through IT,” says Julian, “but a different set of skills is needed if they want to take corporate leadership roles. They need to find ways to address their shortcomings, but it's a two-way street. Their organizations need to support the change.”
He says a lot of CISOs become frustrated because their companies talk a good game about adding technically minded people at the upper echelon, but when it comes to advanced training, mentoring and exposing managers to different parts of the organization, those opportunities continue to be reserved for ambitious ladder-climbers with legal, accounting or entrepreneurial backgrounds.
Eric Chiu, president of HyTrust in Mountain View, Calif., believes companies should consider other models of training for prospective leaders. “IT has traditionally been a support or enabling function, brought in to support the growth of business. The Japanese method of business has long been to expose managers to all aspects of a company with a goal of creating understanding and harmony.”
Although he says it makes sense for U.S. companies to expose future leaders to critical functions of security and IT, he believes it will take time for that to happen.
Johnson also thinks that change will take time, “but I don't think this is going to take a generation. We need to stop being the technical experts, and develop business skills and learn to communicate and market security more effectively. We no longer have the luxury of making incremental change, year by year.”
As with any key management role, making it to the top will depend on both the person in the position and the level of power they are allowed to exercise, says Chiu. “A person with the right leadership skills, as well as the right training and technical depth, will be critical to have an impact.”
But, could the time come when companies will begin to look at demanding that prospective CEOs or COOs have technical experience as well as exposure to marketing and corporate governance? Smith, whose own background includes a stint running the CMA's eHealth software business unit, believes smart companies will broaden their horizons.
“I think we need a new career-path model,” he says. “I look at my 12-year-old son. He lives completely in the cyber world. He and his friends are collaborating digitally on school projects. People his age will soon be our customers, and organizations need to prepare for this new world.”
Leek agrees that the climate is right for change to occur at the top level of business. “Companies now recognize that being able to recover from a data breach is more difficult,” he says. “It's not just about lost business, it's a blow to your brand value. Understanding that technology is now a business function is essential, so it follows that it's vital that CEOs understand technology.”
There is agreement among industry observers that the first step is putting security professionals in a direct line of reporting to the top, which often means moving them out from under the traditional IT establishment.
Johnson points to his own company as an example. Although John Deere does not have a CISO, the company has decided to recruit a security director with executive-level authority. Johnson predicts this will become more common, if security professionals can make the case that they belong at the table. “In time, if the security organization can demonstrate they have earned a seat in the C-suite, we will see more CISO titles and more security organizations that are not under the CIO.”