With all the mainstream attention being paid to cyber threats and breaches, executives are finally getting the message that security matters, according to a Wednesday panel at the RSA Conference in San Francisco.
C-suite officers at last understand the impact on earnings an incident can have, so they are asking about the state of preparedness.
Thus, security pros must understand how to communicate effectively with their bosses to not only explain the threats, but also to make the case for budget, said David McCue, corporate VP and global CISO of Computer Sciences Corp. (CSC).
Bill Phelps, who heads security consulting at Accenture, agreed, saying that many non-technical executives formerly had little awareness of what cyber threats meant to their organization.
“The discussion around probability and consequences has changed,” he said.
Gary McAlum, CSO of insurance firm USAA, said security pros can talk about breaches and compliance regulations in the board room, but when it comes down to the bottom line, reputation and brand are the drivers.
“We need a continuing process of education,” he said. “Otherwise there are significant consequences.”
Dave Cullinane, CISO and VP of global fraud, risk and security at eBay, echoed this sentiment, saying that CISOs have to get better at communicating with their CEO to inform them regularly on what's going on from a security perspective. This will prepare them to speak with the press in the event of an incident.
“We have to quantify the risk posture and have a good discussion around risk tolerance to demonstrate ROI in reducing fraud and the number of incidents,” he said.
Eddie Schwartz, VP and CISO at RSA, which itself experienced a high-profile breach last year, made the case that discussions with higher-ups need to be more business-oriented, so as not to baffle executives with a lot of jargon.
Citing the breach last year at his company, he spoke of the lessons learned. While security people understand incident management, crisis management is an entirely different beast, he said. At RSA, a team was put together to gather analytics to show the impact of the breach, and to look at all sides of the situation.
As for what needs to be done to thwart future attacks, Cullinane said security pros must stop merely reacting to external attacks and instead get in front of the economic model that cyber criminals use. That is, by observing their patterns of attack, be prepared to know where and how they might try to breach their next target.
Further, security personnel need to change their behavior to develop stronger instincts about what looks “off,” Phelps said.
“People need to become more attuned to security risks,” he said. “We have to change culturally.”