When security is built into an organization's risk model, it can shift the relationship between the board and information security pros from adversarial to advisory, members of a panel at SC Congress Boston said Thursday.
John Pironti, president of IP Architects, noted that his company “changes the conversation in security right away,” talking about it in terms of risk.
Mark Sutton, vice president and chief information security officer (CISO) at Bain Capital, said he told his board “it's impossible for me to make a risk judgment for the business” without knowing the business risk. “What's our critical data? What are we trying to protect?” he said, explaining that the board must determine its risk comfort level and possibly make trade-offs. “You have to be OK playing in the gray,” he said, urging security pros to build relationships with their boards.
The advantage to being a small company, said Ken Griffin, director of IT operations and services at Harvard Business Publishing, “is we have a good relationship with our board. Risk management is part of our DNA.”
The organization “spent all last year getting a risk level that was appropriate,” said Griffin, explaining that his group considers risk in four areas—operational, brand, compliance and intellectual property—and then offers strategies around all of them. As a result, the tone of the conversations and security's perceived role have shifted. Security “has gone from being the police force to being the police force working with the neighborhood watch,” said Griffin.
Ultimately, security must support the business. “Availability should trump security,” said Pironti. “If I can't keep revenue flowing then security didn't help me.”