CSOs Should Address Risks and Network Visibility With Board of Directors
Thanks to the number of high-profile security incidents and breaches in 2011, corporate boards and senior executives are thinking about security more than ever as they hammer out budget details and resource allocations for 2012.
As part of these discussions, many boards of directors, often for the first time, are asking CSOs and chief information security officers (CISOs) detailed questions about what went well and what didn't within the origanization, Jason Clark, the CSO of Websense, told eWEEK. Spurred by news headlines, the directors are interested in making sure the company is secure against similar incidents, Clark said.
Most CISOs have also never had to speak directly to the board in the past, according to Clark. Generally, the CIO would present the results of the company-wide audit and give a high-level overview of what the audit had found and what was being done as a result. It was a rare instance where the CSO was asked in detail about the company's efforts to improve its security stance or to prevent data breaches.
"As companies got compromised, organizations realized they have to talk more about security," Clark said.
This trend was also reflected in a recent Security Pros and Cons survey, 91 percent of IT security managers said that new levels of management have initiated data security conversations in the last year, Websense found.
CISOs often are not as well-versed in talking about business, or discussing security risks in context that business would understand, Stephanie Balaouras, principal analyst and research director at Forrester Research, told eWEEK. They have a strong IT background, but have had to learn to "speak business" in the past two years, she said. In the past year, one of the most commonly downloaded whitepapers from Forrester Research was on how to discuss security with the board of directors, Balaouras said.
Clark noted that CSOs have come a long way. They have gotten better "out of necessity" at having business discussions about security, he said. However, they still need to become more business savvy, and encourage the rest of the IT team to work with business teams to understand the goals, Clark said.
CISOs are getting asked about targeted attacks, malware and data breaches, but the people asking those questions don't really know what these terms actually mean, according to Clark. Very few board members have a security background and can easily get overwhelmed with jargon or technical details, Clark warned. As a result, CSOs should avoid industry or technology jargon when addressing the board. If the directors request technical details, the CSO should explain the terms in the same way it would be explained to a family member, Clark said.
CSOs should rely on numbers and specific statistics to explain the situation, by citing how many attacks were stopped, how many new programs were implemented and how many pieces of confidential data were protected from being leaked. It's often best for the CSO to equate security to dollars and cents, Clark said.
"Or as I often refer to it, 'dollars and sense,'" he said.
Clark also recommended CISOs use images to illustrate specific security issues. For example, the CSO could create a mashup using Google Earth to illustrate which geographic locations are more at risk from attackers, based on the current security deployments.
Before making a presentation to the board, CISOs should think about their top five concerns for the year. While organizations vary in their level of risk tolerance and needs, there were three areas that Clark felt were important to all CSOs when talking with the board.
Organizations have to "protect the blind spot," Clark said, noting that very few have any visibility in what is happening with mobile devices in the enterprise, the kind of cloud services being used by their employees and network traffic.
More employees are using mobile devices in the enterprise, but IT departments often don't have the tools that allow them to track what devices are being used, what applications are being accessed and who is using them, according to Clark. "Risks have gotten higher and we've done nothing to mitigate that," he said.
In a similar way, the proliferation of cloud applications, especially consumer services such as Dropbox and Box.net, means IT departments generally have no idea how much of sensitive corporate data are residing on public servers without proper data security controls.
The final "black box" refers to the fact that a greater portion of network traffic is encrypted. In the past, about 10 percent of network traffic was encrypted. With increased concerns about attackers intercepting data via man-in-the-middle attacks, more services, such as Google's Gmail, have adopted SSL by default, resulting in about 60 percent of network traffic being encrypted, Clark said. That's more than half of the traffic flowing in and out of the organizations' networks that IT staff have no visibility into.
The increase in the amount of encrypted traffic "kills" the organization's ability to detect malware, especially since many criminals have started using encrypted tunnels to communicate with command-and-control infrastructure and to transfer stolen data, according to Clark.
CISOs also need to talk with the boards about how to secure email and check both inbound and outbound communications. Many organizations have old technology to secure these critical channels but should be investing in more innovative techniques, Clark said.
Finally, CSOs need to talk to the board about the need for security intelligence so that the IT professionals are aware of what is happening in all areas of the network. Actionable information is necessary in order to address risks and respond to threats in a timely manner, Clark said.