    CSOs Should Address Risks and Network Visibility With Board of Directors

    Written by

    Fahmida Y. Rashid
    Published December 28, 2011

      Thanks to the number of high-profile security incidents and breaches in 2011, corporate boards and senior executives are thinking about security more than ever as they hammer out budget details and resource allocations for 2012.

      As part of these discussions, many boards of directors, often for the first time, are asking CSOs and chief information security officers (CISOs) detailed questions about what went well and what didn’t within the organization, Jason Clark, the CSO of Websense, told eWEEK. Spurred by news headlines, the directors are interested in making sure the company is secure against similar incidents, Clark said.

      Most CISOs have also never had to speak directly to the board in the past, according to Clark. Generally, the CIO would present the results of the company-wide audit and give a high-level overview of what the audit had found and what was being done as a result. It was a rare instance where the CSO was asked in detail about the company’s efforts to improve its security stance or to prevent data breaches.

      “As companies got compromised, organizations realized they have to talk more about security,” Clark said.

      This trend was also reflected in a recent Security Pros and Cons survey, in which 91 percent of IT security managers said that new levels of management have initiated data security conversations in the last year, Websense found.

      CISOs often are not as well-versed in talking about business, or in discussing security risks in a context that the business would understand, Stephanie Balaouras, principal analyst and research director at Forrester Research, told eWEEK. They have a strong IT background, but have had to learn to “speak business” in the past two years, she said. In the past year, one of the most commonly downloaded whitepapers from Forrester Research was on how to discuss security with the board of directors, Balaouras said.

      Clark noted that CSOs have come a long way. They have gotten better “out of necessity” at having business discussions about security, he said. However, they still need to become more business savvy, and encourage the rest of the IT team to work with business teams to understand the goals, Clark said.

      CISOs are getting asked about targeted attacks, malware and data breaches, but the people asking those questions don’t really know what these terms actually mean, according to Clark. Very few board members have a security background and can easily get overwhelmed with jargon or technical details, Clark warned. As a result, CSOs should avoid industry or technology jargon when addressing the board. If the directors request technical details, the CSO should explain the terms in the same way they would be explained to a family member, Clark said.

      CSOs should rely on numbers and specific statistics to explain the situation, by citing how many attacks were stopped, how many new programs were implemented and how many pieces of confidential data were protected from being leaked. It’s often best for the CSO to equate security to dollars and cents, Clark said.

      “Or as I often refer to it, ‘dollars and sense,’” he said.

      Clark also recommended CISOs use images to illustrate specific security issues. For example, the CSO could create a mashup using Google Earth to illustrate which geographic locations are more at risk from attackers, based on the current security deployments.

      Before making a presentation to the board, CISOs should think about their top five concerns for the year. While organizations vary in their level of risk tolerance and needs, there were three areas that Clark felt were important to all CSOs when talking with the board.

      Organizations have to “protect the blind spot,” Clark said, noting that very few have any visibility into what is happening with mobile devices in the enterprise, the kind of cloud services being used by their employees and network traffic.

      More employees are using mobile devices in the enterprise, but IT departments often don’t have the tools that allow them to track what devices are being used, what applications are being accessed and who is using them, according to Clark. “Risks have gotten higher and we’ve done nothing to mitigate that,” he said.

      In a similar way, the proliferation of cloud applications, especially consumer services such as Dropbox and Box.net, means IT departments generally have no idea how much sensitive corporate data is residing on public servers without proper data security controls.

      The final “black box” refers to the fact that a greater portion of network traffic is encrypted. In the past, about 10 percent of network traffic was encrypted. With increased concerns about attackers intercepting data via man-in-the-middle attacks, more services, such as Google’s Gmail, have adopted SSL by default, resulting in about 60 percent of network traffic being encrypted, Clark said. That’s more than half of the traffic flowing in and out of the organizations’ networks that IT staff have no visibility into.

      The increase in the amount of encrypted traffic “kills” the organization’s ability to detect malware, especially since many criminals have started using encrypted tunnels to communicate with command-and-control infrastructure and to transfer stolen data, according to Clark.

      CISOs also need to talk with the boards about how to secure email and check both inbound and outbound communications. Many organizations have old technology to secure these critical channels but should be investing in more innovative techniques, Clark said.

      Finally, CSOs need to talk to the board about the need for security intelligence so that the IT professionals are aware of what is happening in all areas of the network. Actionable information is necessary in order to address risks and respond to threats in a timely manner, Clark said.
