Security officers must reach executives, says Deven Bhatt, CISO of WEX. Karen Epper Hoffman reports.
A couple of months ago, Mark Weatherford was leading a security briefing with a group of chief executive officers. Weatherford, the deputy undersecretary for cyber security at the U.S. Department of Homeland Security, suggested that they should pose some of the questions raised during the meeting to their own chief security officers (CSOs) or chief information security officers (CISOs).
That's when a couple of those in attendance admitted to Weatherford that they didn't know who their security officers were.
In this era of sophisticated attacks, disruptive technologies – such as mobile and cloud – and continued compliance hurdles, why can't CISOs and CSOs get the respect they deserve? Given the number and prominence of recent security breaches, there is little question that consistent and effective security policy is needed. Case in point: Cyber attacks on federal agencies alone increased more than 650 percent between 2006 and 2011, according to a report from the U.S. Government Accountability Office, which performs audits for Congress.
While the profile of the top security officer at many companies has evolved quite a bit, Deven Bhatt, vice president and CISO for WEX, a corporate card payment solutions company based in Portland, Maine, still sees the majority of CSOs struggling for recognition, funding and resources throughout industry. The problem is most acute, Bhatt adds, for “companies without mature information security and governance programs [that] are often put in the position of responding tactically rather than strategically and proactively.”
“It's always seemed to me that technology trumps security. Features trump good security planning.”
The role of the security head, much like the roles of chief information officer (CIO) and even, arguably, chief financial officer (CFO) in decades past, seems to be something of a conundrum. While few would question the need for an executive to identify, develop and implement security processes across an organization, where that executive fits in the hierarchy of some companies and agencies is still unclear. And, as a result, security planning can suffer.
“The funding challenge is the biggest,” says Bhatt, who, over the course of his 22-year career in security management, has typically reported to the company's president or CEO, with periodic reporting to the board of directors. But, he says, he has witnessed many fellow security executives tucked away under layers of management, unable to communicate their message to the executives at the top and, ultimately, lacking the budget and personnel they need to build an effective cyber security program.
Still, says Bhatt: “CISOs that can make a strong risk-based business case for funding are usually successful; however, finding the skilled resources can be challenging.”
Weatherford, a longtime security officer in state and federal government and the utility sector, says he's been fortunate to have had a level of control and access to resources throughout his career, which includes serving as CISO for the states of Colorado and California. “I do believe it's a bit unusual,” Weatherford says. “I happened to be at the right place at the right time.” He adds that CSOs in other states did not necessarily have the support he did.
“I attribute my success to having the support of the senior executives, even when they didn't understand all the technical details,” Weatherford says.
Generally, security is low on the totem pole, says Bob Russo, general manager of the PCI Security Standards Council, which works with the credit card brands to drive awareness and adoption of the PCI Data Security Standard. “It's like selling insurance. As far as the people who handle the money are concerned, it doesn't add to their bottom line.”
Indeed, the role of information security officer is relatively new to the scene and, as Russo's insurance analogy suggests, not something many executives think about until they need it. “Security is not a standardized profession,” says Nils Puhlmann, who until September served as CSO at Zynga, a San Francisco-based provider of online games. “Security is actually fairly new to a lot of companies [that] haven't paid too much attention to it until something happens.”