RSA Conference 2012: Breaches help in C-suite communication

With all the mainstream attention being paid to cyber threats and breaches, executives are finally getting the message that security matters, according to a Wednesday panel at the RSA Conference in San Francisco.

C-suite officers at last understand the impact an incident can have on earnings, so they are asking about the state of their organization's preparedness.

Thus, security pros must understand how to communicate effectively with their bosses to not only explain the threats, but also to make the case for budget, said David McCue, corporate VP and global CISO of Computer Sciences Corp. (CSC).

Bill Phelps, who heads security consulting at Accenture, agreed, saying that many non-technical executives formerly had little awareness of what cyber threats meant to their organization.

“The discussion around probability and consequences has changed,” he said.

Gary McAlum, CSO of insurance firm USAA, said security pros can talk about breaches and compliance regulations in the board room, but when it comes down to the bottom line, reputation and brand are the drivers.

“We need a continuing process of education,” he said. “Otherwise there are significant consequences.”

Dave Cullinane, CISO and VP of global fraud, risk and security at eBay, echoed this sentiment, saying that CISOs have to get better at communicating with their CEO and informing them regularly about what is going on from a security perspective. A CEO who is kept current in this way will be prepared to speak with the press in the event of an incident.

“We have to quantify the risk posture and have a good discussion around risk tolerance to demonstrate ROI in reducing fraud and the number of incidents,” he said.

Eddie Schwartz, VP and CISO at RSA, which itself experienced a high-profile breach last year, made the case that discussions with higher-ups need to be more business-oriented, so as not to baffle executives with a lot of jargon.

Citing the breach last year at his company, he spoke of the lessons learned. While security people understand incident management, crisis management is an entirely different beast, he said. At RSA, a team was put together to gather analytics to show the impact of the breach, and to look at all sides of the situation.

As for what needs to be done to thwart future attacks, Cullinane said security pros must stop merely reacting to external attacks and instead get in front of the economic model that cyber criminals use. That is, by observing attackers' patterns, defenders should be prepared to anticipate where and how they might try to breach their next target.

Further, security personnel need to change their behavior to develop stronger instincts about what looks “off,” Phelps said.

“People need to become more attuned to security risks,” he said. “We have to change culturally.”
