Leave behind technological baggage and build business, says Verdasys' Emeric Miszti.
Sometime after Y2K, the CIO position began to progress from tactical operations to more strategic company leadership. This evolution is still underway. It's the type of “evolve or die” transition that happens when companies spend billions of dollars on fixing a problem that either wasn't fixed or wasn't there.
Something similar appears to be happening to the CSO/CISO position. Many of us in security and with technical backgrounds have found our biases toward solving problems by protecting technology infrastructure with a focus on availability of servers, network devices and applications. This has left us with inadequate knowledge of business processes and a poor understanding of how data is handled. We are simply not equipped to deal with the tide of data loss at our shores.
A crippling security breach blew my own career in a new direction in 2002, when a denial of service attack against the ISP I helped to found was so damaging to our cash flow that we were forced to sell our operations in a fire-sale situation. The business dislocation and reputational effects of this type of experience are quickly apparent to any company that suffers a serious data loss incident. Cyber terrorism propelled me into the security business, where I started to understand why large organizations were not winning the fight to protect their sensitive information.
The problem is partly organizational. The typical CISO reports through IT, and IT-based security departments are accustomed to dealing with problems using firewalls, IDS, gateways and VPNs, and by firefighting against viruses, worms, hacking and DOS attacks with point products that address the tactical threats at hand. Our expertise tends to be weak in applications and secure applications development – often where the most critical data resides, and even weaker in understanding the business processes those applications drive, let alone understand what and where sensitive data is, what the user is doing with it, where it is going and what security action is appropriate.Mounting evidence of huge scale data losses, across all industries, demonstrates that current approaches have failed and the current course CISOs and security teams have set is simply dead in the water.
The CISO who wants to not only survive but thrive will reach out to new and natural allies within the organization and become a true business asset by combining business understanding with technical knowledge – becoming a bridge between security, technology and business. The approach must be data-centric, rather than technology-centric - discovering where the data is and understanding its value and how it is used.
In much the same way that the CIO has learned to understand the business processes of his or her organization, the CISO must develop a similar in-depth knowledge. This will allow a new breed of CISOs to measure and quantify the risk of these processes and to effectively build controls into them that enable the business to continue working with their essential processes intact while mitigating risks of data loss – increasing the likelihood that the strategies will be met with a positive reception.Where can security enhance business processes, who are your natural allies and where can you add the most value? Here are some examples:
One need only look to the lessons learned by CIOs to see how great the opportunity is for CISOs who leave behind their technological baggage and focus on building opportunities for their business to work more effectively. In this way, security professionals will find themselves in the enviable position of spending less time running after security failures and more time figuring out how security can help run the business.Compliance: auditors may understand regulations but often lack an understanding of technology effectiveness. The CISO can align regulatory controls and technology holistically across business processes.
Legal and IP departments: The CISO can be a trusted advisor add value in the areas of data collaboration and forensic investigations.Human resources: The CISO can define and deploy technology and processes that monitor policy compliance and identify dangerous user behavior and risky practices.
Third-party relationship managers: The CISO can define and deploy controls needed for global IP protection, user management and compliance.Fraud prevention, risk and operations: The CISO can help align and integrate business processes and security policies for greatest value.
Emeric Miszti is VP EIP customer strategy at Verdasys.
