Security officers must reach executives, says Deven Bhatt, CISO of WEX. Karen Epper Hoffman reports.
A couple of months ago, Mark Weatherford was leading a security briefing with a group of chief executive officers. Weatherford, the deputy undersecretary for cyber security at the U.S. Department of Homeland Security, suggested that they should pose some of the questions raised during the meeting to their own chief security officers (CSOs) or chief information security officers (CISOs).
That's when a couple of those in attendance admitted to Weatherford that they didn't know who their security officers were.
In this era of sophisticated attacks, disruptive technologies – such as mobile and cloud – and continued compliance hurdles, why can't CISOs and CSOs get the respect they deserve? There's little question that between the quantity and prominent profile of many recent security breaches, the need for consistent and effective security policy is there. Case in point: Cyber attacks on federal agencies alone increased more than 650 percent between 2006 and 2011, according to a report from the U.S. Government Accountability Office, which performs audits for Congress.
While the profile of the top security officer at many companies has evolved quite a bit, Deven Bhatt, vice president and CISO for WEX, a corporate card payment solutions company based in Portland, Maine, still sees the majority of CSOs struggling for recognition, funding and resources throughout industry. Often, though, adds Bhatt, this problem is more acute for “companies without mature information security and governance programs [that] are often put in the position of responding tactically rather than strategically and proactively.”
The role of the security head, much like the roles of chief information officer (CIO) and even, arguably, the chief financial officer (CFO) in decades past, seems to be something of a conundrum. While few would question the need for an executive to identify, develop and implement security processes across an organization, the issue of where they fit in the hierarchy of some companies and agencies is still unclear. And, as a result, security planning can suffer.
“The funding challenge is the biggest,” says Bhatt, who, over the course of his 22-year career in security management, has typically reported to the company's president or CEO, with periodic reporting to the board of directors. But, he says he has witnessed many fellow security executives tucked away under layers of management, unable to communicate their message to the executives at the top and, ultimately, lacking the budget and personnel they need to build an effective cyber security network.
Still, says Bhatt: “CISOs that can make a strong risk-based business case for funding are usually successful, however, finding the skilled resources can be challenging.”
Weatherford, a longtime security officer in state and federal government and the utility sector, says he's been fortunate to have had a level of control and access to resources throughout his career, which includes serving as CISO for the states of Colorado and California. “I do believe it's a bit unusual,” Weatherford says. “I happened to be at the right place at the right time.” He adds that CSOs in other states did not necessarily have the support he did.
“I attribute my success to having the support of the senior executives, even when they didn't understand all the technical details,” Weatherford says.
Generally, security is low on the totem pole, says Bob Russo, general manager of the PCI Security Standards Council, which works with the credit card brands to drive awareness and adoption of the PCI Data Security Standard. “It's like selling insurance. As far as the people who handle the money are concerned, it doesn't add to their bottom line.”
Indeed, the role of security information officer is relatively new to the scene, and, like Russo's insurance analogy, not something many executives think about until they need it. “Security is not a standardized profession,” says Nils Puhlmann, who until September served as CSO at Zynga, a San Francisco-based provider of online games. “Security is actually fairly new to a lot of companies [that] haven't paid too much attention to it until something happens.”
Tech trumps security
The CSO is often in a position where their powers and voice are limited from the get-go. Industry observers say it is still routine practice for many companies and government agencies to place the CSO or CISO under the CIO, or even deep within the IT group. While top technology executives arguably care about security, it is not always their main priority, or the one they are judged on – occasionally putting them at odds with the security officer.
“The chief information officer may have a conflict of interest, which may create issues for the chief information security officer,” Bhatt says. “C-suite officers regularly juggle numerous and often competing priorities and must work together balancing the risk to meet business objectives.”
Michael Frederick, CEO for The Frederick Group, a Dallas-based security consultancy, says it is fairly common in the health care industry for the top security officer to report to the CIO or the chief compliance officer (CCO). For the most part, security leaders are positioned at the director level, generally two steps below the C-level, says Frederick, who is a former health care industry CISO with more than 20 years of information security experience. “I have not come across any reporting to the CEO.” It's rare to see a CSO who has a seat at the grownups' table, he adds.
While Frederick does not anticipate a trend where security officers will begin reporting to the CEO directly, he says they should be seen more as peers to the CIO, rather than playing a role within the CIO's group. “Security will become more important when more entities move it out from under IT,” he says. Otherwise, when push comes to shove, the customer will come first and security second.
Robert Bigman, CEO of 2BSecure, a security consultancy based in Bethesda, Md., agrees. “It's always seemed to me that technology trumps security,” he says. “Features trump good security planning.”
Bigman points out that in several of his colleagues' organizations, security officers typically are only involved after the fact, or not at all. Another potential problem with placing security under the IT department, he says, is that CIOs often save the best people and the greater part of allocated resources for their own technology projects, not for security initiatives. But Bigman doesn't place the blame on the CIO either, whose job description and review are not typically tied to security performance.
That said, other experts say it's not always about where the CSO or CISO works or how they are viewed by their peers and higher-ups, including the CIO. Weatherford, for example, says he worked for two different CIOs during his time serving as a CSO. “It worked very well for me and I got along well with [the CIO] and was able to convince them of the necessity of what I was doing,” he says.
But, such is not always the case, he admits. “I have colleagues who worked for CIOs who had horrible relationships and had to fight for everything they did,” he says. “There's validity to the concerns, as the CIO and CSO have a bit of competing goals.”
The relative power and prestige of the CSO or CISO can vary by vertical. While there are no hard and fast rules, observers say that in more regulated industries, like financial services, the position of the CSO has risen in stature out of necessity. Other sectors, like high tech and government, generally place a high premium on their security executives, but one's mileage may vary based on the organization and the person in the role.
2BSecure's Bigman says it's not just the industry sector, but the size of the organization and its focus on research and development, that typically affect whether the CSO has pull – or has a role at all. Not surprisingly, he says, companies that have more secure applications and are accomplished at protecting their systems tend to have a more elevated CSO.
Weatherford adds that larger organizations and those hamstrung by stronger regulations have had to advance the farthest and fastest and, therefore, tend to have a more empowered CSO. Within financial services organizations, as well as utilities that operate critical infrastructure, most CSOs and CISOs are not only very astute, they are versed in how to effectively communicate with the CEO and board of directors, he says. “They know how to build a budget that will withstand the scrutiny of the CFO,” he says.
In addition, companies that have sustained a major security breach, or seen one recently happen in their industry, are more likely to place visibility on security, and therefore more responsibility in the hands of the CSO, he adds.
Momentum and metrics
The ground is shifting though, experts say. Between the tide of news surrounding breaches and the continued development of the (still-nascent) profession, the role of the top security officer is gaining attention and momentum. “We do see the breaches shine a light on the CSO or CISO,” says Russo.
According to a May report from IBM's Center for Applied Insights, senior security executives are finding increased interest from CEOs and boards of directors, as corporate security becomes more highlighted. As a result, the study affirms, CISOs are finding more of a voice in the boardroom and gaining more say in an organization's strategy.
Two-thirds of respondents said their senior executives are now paying more attention to security than they were two years ago. Also, two-thirds said they expect information security budgets to grow over the next two years, with 87 percent saying the increase will likely be double-digit. Respondents also said that mobility is becoming a key driver of security interest, with more than half saying it would be a primary technology concern in the coming months.
“This data painted a profile of a new class of CISO who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” David Jarvis, author of the report and a senior consultant at the IBM Center for Applied Insights, said in a prepared statement. “We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.”
It's an evolutionary thing, says Weatherford. “CSOs and CISOs are beginning to get more respect, [especially] in sectors where there have been lots of data breaches and security incidents.”
However, while some CSOs agree that the position has evolved in recent years, others say it still has a way to go. There is newfound attention being paid to the role, they say, but to improve the standing of security chiefs in the long term, CSOs and CISOs need to up their own game by cultivating new talent and communicating security risks and requirements in a way that is meaningful to the C-suite. Conveying security to senior management in terms of risk to the organization is critical.
“The CISO needs to explain [the risks] in business language to make people understand the risk of disasters and cyber attacks to show that it's worth spending money,” Bhatt says. That means that they must be able to back up their requests for increased budget with numbers that substantiate the outlay.
Since many organizations still view information security as a costly burden, it's important to show the value of one's people, products and services, says Weatherford. “No company is going to spend six cents to save a nickel. It comes down to communication. You have to be able to defend a budget.”
The IBM study backs up his claim. It finds that forward-thinking CISOs are twice as likely to use metrics to monitor progress. “A few simple metrics go a long way to telling your story,” Weatherford says.
Bhatt also says that even experienced CISOs still need to sharpen their skills by looking to postgraduate programs and certificate courses, both to keep their own skills up to date and to help build depth into the ranks of their own security professionals. Indeed, observers bemoan the dearth of qualified and experienced information security professionals – in part because it's still a relatively new profession.
Weatherford agrees that developing skilled workers is critical. “If I don't have the right security talent, it doesn't matter how much money I have.” He encourages peers not only to identify and cultivate talent within their own organizations, but to support outside programs, competitions and internships – some aimed at high school, as well as collegiate level students – to create a new stream of leaders for the future. “We need to take a longer term view of people and talent issues,” Weatherford says.
Help your cause: Educate and cultivate
Industry experts say that in the long term, security information leaders can help themselves gain a more prominent seat at the executive table through:
Cultivating boardroom skills
Bob Russo, general manager, PCI Security Standards Council: “In the beginning, when you hired a CISO, they generally all came from a technical background and couldn't present the metrics. Now, you're finding a lot of CISOs partnering with risk managers and CFOs to get the message across.”
Michael Frederick, CEO, The Frederick Group: “The players filling the CSO job need to be a boardroom caliber person. Typically, a lot of them come from a technical background.”
Communicating the security message better
Deven Bhatt, CISO, WEX: “The CISO needs to explain dangers in business language to make people understand the risk of disasters and terrorist attacks, and to show that it's worth spending money.”
Educating higher-ups on the importance of risk management
Mark Weatherford, U.S. Department of Homeland Security: “It's my responsibility to craft a program that gets the attention of the top executives, even if my boss doesn't understand the gravity of my job.”
Nils Puhlmann, former CSO, Zynga: “As technology has evolved, it has escalated the complexity of security issues. If organizations want to shore up security, they need to see security as its own area. It cannot be an add-on to technology.”