CSOs Should Address Risks and Network Visibility With Board of Directors

By Fahmida Y. Rashid - December 28, 2011

      Thanks to the number of high-profile security incidents and breaches in 2011, corporate boards and senior executives are thinking about security more than ever as they hammer out budget details and resource allocations for 2012.

      As part of these discussions, many boards of directors, often for the first time, are asking CSOs and chief information security officers (CISOs) detailed questions about what went well and what didn’t within the organization, Jason Clark, the CSO of Websense, told eWEEK. Spurred by news headlines, the directors are interested in making sure the company is secure against similar incidents, Clark said.

      Most CISOs have also never had to speak directly to the board in the past, according to Clark. Generally, the CIO would present the results of the company-wide audit and give a high-level overview of what the audit had found and what was being done as a result. It was a rare instance where the CSO was asked in detail about the company’s efforts to improve its security stance or to prevent data breaches.

      “As companies got compromised, organizations realized they have to talk more about security,” Clark said.

      This trend was also reflected in a recent Security Pros and Cons survey, in which 91 percent of IT security managers said that new levels of management had initiated data security conversations in the last year, Websense found.

      CISOs often are not as well-versed in talking about business, or discussing security risks in context that business would understand, Stephanie Balaouras, principal analyst and research director at Forrester Research, told eWEEK. They have a strong IT background, but have had to learn to “speak business” in the past two years, she said. In the past year, one of the most commonly downloaded whitepapers from Forrester Research was on how to discuss security with the board of directors, Balaouras said.

      Clark noted that CSOs have come a long way. They have gotten better “out of necessity” at having business discussions about security, he said. However, they still need to become more business savvy, and encourage the rest of the IT team to work with business teams to understand the goals, Clark said.

      CISOs are getting asked about targeted attacks, malware and data breaches, but the people asking those questions don’t really know what these terms actually mean, according to Clark. Very few board members have a security background, and they can easily get overwhelmed with jargon or technical details, Clark warned. As a result, CSOs should avoid industry or technology jargon when addressing the board. If the directors request technical details, the CSO should explain the terms in the same way they would be explained to a family member, Clark said.

      CSOs should rely on numbers and specific statistics to explain the situation, by citing how many attacks were stopped, how many new programs were implemented and how many pieces of confidential data were protected from being leaked. It’s often best for the CSO to equate security to dollars and cents, Clark said.

      “Or as I often refer to it, ‘dollars and sense,’” he said.

      Clark also recommended CISOs use images to illustrate specific security issues. For example, the CSO could create a mashup using Google Earth to illustrate which geographic locations are more at risk from attackers, based on the current security deployments.

      Before making a presentation to the board, CISOs should think about their top five concerns for the year. While organizations vary in their level of risk tolerance and needs, there were three areas that Clark felt were important to all CSOs when talking with the board.

      Organizations have to “protect the blind spot,” Clark said, noting that very few have any visibility into what is happening with mobile devices in the enterprise, the kind of cloud services being used by their employees, and network traffic.

      More employees are using mobile devices in the enterprise, but IT departments often don’t have the tools that allow them to track what devices are being used, what applications are being accessed and who is using them, according to Clark. “Risks have gotten higher and we’ve done nothing to mitigate that,” he said.

      In a similar way, the proliferation of cloud applications, especially consumer services such as Dropbox and Box.net, means IT departments generally have no idea how much sensitive corporate data is residing on public servers without proper data security controls.

      The final “black box” refers to the fact that a greater portion of network traffic is encrypted. In the past, about 10 percent of network traffic was encrypted. With increased concerns about attackers intercepting data via man-in-the-middle attacks, more services, such as Google’s Gmail, have adopted SSL by default, resulting in about 60 percent of network traffic being encrypted, Clark said. That’s more than half of the traffic flowing in and out of the organizations’ networks that IT staff have no visibility into.

      The increase in the amount of encrypted traffic “kills” the organization’s ability to detect malware, especially since many criminals have started using encrypted tunnels to communicate with command-and-control infrastructure and to transfer stolen data, according to Clark.
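The two measurements Clark's argument rests on, the share of traffic that is encrypted and the encrypted sessions nobody can inspect, are the kind of concrete numbers the article says a CSO should bring to the board. The script below is an added example, not code from the article or from Websense; it runs over a handful of constructed flow records (timestamp, source, destination, destination port, bytes, duration) and assumes, for the example only, that traffic to the listed ports is encrypted and that a small allowlist of known-good destinations has already been reviewed. It reports the encrypted fraction of bytes and lists long-lived encrypted connections to destinations not on that allowlist, which is the blind spot the paragraph above describes.

```python
"""Quantify the encrypted-traffic blind spot from flow records (added example)."""
from dataclasses import dataclass

# Assumption for this example: traffic to these destination ports is encrypted.
ENCRYPTED_PORTS = {22, 443, 465, 993, 995}

# Constructed sample flows (not from the article); addresses are RFC 5737 documentation ranges.
# Columns: timestamp,src_ip,dst_ip,dst_port,bytes,duration_seconds
SAMPLE_FLOWS = """\
2011-12-28T09:00:01,10.0.1.12,203.0.113.10,443,20000,4
2011-12-28T09:00:05,10.0.1.12,198.51.100.7,80,25000,2
2011-12-28T09:01:10,10.0.1.15,203.0.113.10,443,10000,3
2011-12-28T09:01:30,10.0.1.15,198.51.100.9,80,12000,1
2011-12-28T09:02:00,10.0.1.20,203.0.113.55,443,25000,3600
2011-12-28T09:03:00,10.0.1.20,198.51.100.20,22,5000,900
2011-12-28T09:04:00,10.0.1.22,198.51.100.30,25,3000,2
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dst_port: int
    nbytes: int
    duration: int


def parse_flows(text):
    """Parse CSV flow lines into Flow records, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes, dur = line.split(",")
        flows.append(Flow(ts, src, dst, int(port), int(nbytes), int(dur)))
    return flows


def is_encrypted(flow):
    return flow.dst_port in ENCRYPTED_PORTS


def encrypted_share(flows):
    """Return (encrypted_bytes, total_bytes, fraction) over all flows."""
    total = sum(f.nbytes for f in flows)
    enc = sum(f.nbytes for f in flows if is_encrypted(f))
    return enc, total, (enc / total if total else 0.0)


def long_lived_encrypted(flows, min_duration=600, allowlist=frozenset()):
    """Encrypted flows lasting at least min_duration seconds to destinations
    outside the allowlist: sessions the IT staff cannot inspect, sorted by
    duration so the longest-running ones are reviewed first."""
    hits = [
        f for f in flows
        if is_encrypted(f) and f.duration >= min_duration and f.dst not in allowlist
    ]
    return sorted(hits, key=lambda f: f.duration, reverse=True)


def board_summary(flows, allowlist=frozenset()):
    """Plain numbers for a board slide: how much traffic is opaque, and which
    long-running opaque sessions have not been reviewed."""
    enc, total, frac = encrypted_share(flows)
    blind = long_lived_encrypted(flows, allowlist=allowlist)
    return {
        "encrypted_bytes": enc,
        "total_bytes": total,
        "encrypted_fraction": round(frac, 3),
        "long_lived_unreviewed": [(f.src, f.dst, f.dst_port, f.duration) for f in blind],
    }


if __name__ == "__main__":
    # Hypothetical allowlist: one destination the team has already vetted.
    print(board_summary(parse_flows(SAMPLE_FLOWS), allowlist={"203.0.113.10"}))
```

On the constructed sample, 60 percent of bytes are encrypted, and two long-running encrypted sessions fall outside the allowlist. Port-based classification is the weakest part of this approach: real deployments should classify on protocol inspection (a TLS handshake on an unexpected port is exactly the kind of tunnel the article warns about), but the reporting structure stays the same.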

      CISOs also need to talk with the boards about how to secure email and check both inbound and outbound communications. Many organizations have old technology to secure these critical channels but should be investing in more innovative techniques, Clark said.

      Finally, CSOs need to talk to the board about the need for security intelligence so that the IT professionals are aware of what is happening in all areas of the network. Actionable information is necessary in order to address risks and respond to threats in a timely manner, Clark said.
