At RSA Conference 2015, the record crowd of over 33,000 attendees heard many repeated themes such as attribution, visibility, and detection. They also heard about front doors, back doors, and locked doors. Among the 290 sessions presented by more than 700 speakers, one of the main themes that emerged was: Security Has Arrived at the Board Room.
Yes, more than ever before, executive boards are paying attention to security. Security professionals now have a unique opportunity to communicate to an attentive audience the impact of security on a business’ long-term success.
A panel of experts at RSA emphasized this opportunity and urged security leaders to learn the language of business. New security leaders must adapt quickly to prove their worth to the board. If effective, security professionals might obtain more budget and resources to address some of the holes that have long existed.
A Small Window to Prove InfoSec’s Worth
Both the frequency and high-profile nature of recent data breaches have gained attention from high-level executives. While unfortunate and many times preventable, these events have certainly raised awareness. Board members want to know how an investment in tighter security will strengthen a business’ outlook.
“We have, for once, the attention of the people we’ve been screaming at and have been ignoring us for years,” said Tenable Network Security strategist Jack Daniel at a panel of experts at RSA. “We have this small window to prove we’re up to the task, or they’re going to move forward and leave us behind again.”
Now that security issues have made it to board room discussions, some wonder whether security managers are ready to handle the increased attention and scrutiny.
Many New CISOs in Unchartered Territory
Trey Ford, global security strategist for Rapid 7, talked about an event he spoke at where of the 1,400 security managers in attendance, 1,000 were new to the CISO role and were the first CISO ever at their organization.
“We’ve found ourselves in the C-suite; now, where’s the playbook? We’re now . . . learning the language of business,” Ford said.
For many newly minted CISOs, this will require visibility into the organization in a more holistic, big-picture way than ever before. Successful outcomes will require security professionals to communicate more often with other business units and reach out to understand their needs and goals.
Security professionals need to be viewed as more than the people who deny access to networks, devices, and applications. These employees need to educate and build relationships across the organization.
To talk business with the board and C-suite, they’ll need to have ways of monitoring and communicating the key security data that management can realize as affecting business growth.
This means that as security for the IoT, the push toward full encryption and authentication on the web with TLS/SSL, and better attribution and threat intelligence move forward, new CISOs will need ways of continuously collecting and monitoring such data.
Armed with this data, they’ll need to deliver the risk analysis in ways that the C-suite and board can understand and support. CISOs need smart sensors and tools for tracking digital certificates, network intrusion, authentication on a myriad of devices and objects, and many other areas.
Evolving from Technical Experts to Business Leaders
Armed with security knowledge and the data to back up the need for investment in security, these CISOs can be effective in pushing forward DevOps and other programs within their organization. To do so, they’ll have to approach other departments softly and help build their case over time.
Katie Moussouris, chief policy officer for HackerOne, said, “A lot of us who once flew hacker flags are now in charge of large security organizations. We’ve graduated and matriculated into the ruling class of security.”
Moussouris urged security not to go to the board with guns blazing intent on making security the organization’s number-one priority. Rather, she advised finding a place as a trusted source of support for company leaders, and remind them that business success requires trustworthiness and respect of consumer privacy to make money.
Security leaders can reinforce values that earn consumer loyalty and also help protect key company investments in branded properties.
Jack Daniel added that, “Those of us on this panel, we’re all people with one foot in each camp [technical and business], and the more we can bridge that gap, the better off we’ll be. There are a lot of ostriches out there, and more of us need to realize that we can’t afford to alienate anymore.”
Smarter Solutions for a New Era of InfoSec
Echoing the sentiments of these panelists, DigiCert is working hard help security shine in a bigger role. This involves innovating new ways to simplify the management of digital certificates and help organizations optimize their deployment with best practices and actionable data.
Given the many challenges of CISOs in an evolving role, and the opportunity for security to shine, organizations can benefit from smart sensors and tools that meet their budgetary needs while providing the sort of intelligence that the board requires.
The new CISO is a business leader and a technologist. She conveys security value to the board with up-to-date information. In this new era for security, transactional data is at her fingertips. Let’s seize this moment to take giant steps forward in assuring security’s long-term future in the board room and advancing the state of security for all.