How do organisations move from lagging in their IT security programme to leading? They must put an effective strategy in place, consistently execute on that strategy, and have good visibility into the security events in their infrastructure. It looks good on paper, but how do you get there? CISOs say it boils down to executive vision and support.
However, according to responses to this year's CSO/CIO/PwC Global Information Security Survey, security professionals are focused more on technologies and less on integrating security processes throughout the business.
For instance, only 48% report linking security, via organisational structure or policy, to privacy or regulatory compliance. And only 46% employ dedicated security personnel who support internal business departments.
Those are just two examples of the disconnect. Others include not aligning security spend with real-world business risk and not having healthy lines of communication with executive leadership. Part of the problem, security industry experts say, is of IT security's own making.
"Many security professionals do not behave as if they are a critical business function. Instead of discussing business risk, they discuss attack techniques and technologies," said Eric Cowperthwaite, CSO at Providence Health and Services.
That communication problem, says Daniel Kennedy, research director for information security and networking at the research firm TheInfoPro, is largely a by-product of an old story: organisations promote highly technical personnel to what should really be a business management role.
"They figure, 'That's the person who managed the firewall, therefore let's make them the CISO,'" says Kennedy. "There has to be some consideration that there are people out there who are good communicators, good senior executives, and then there are people for whom that's not in line with their capabilities," he says.
"I speak with other companies all the time, and there are many CISOs with that title, but their real strategy is to make their firewalls run better, so they're always working at a low tactical level," said Providence Health's Cowperthwaite.
That means that to move from laggard to leader, more enterprises need to elevate the CSO position from a tactical level to the level of a business risk adviser.
TheInfoPro's Kennedy said that to get there, the first step is to build credibility.
"If management doesn't trust the CISO, then they don't have the right guy. The security leader is someone functioning on the executive level, someone who can speak IT in business terms, and somebody who really effects cultural change in the company," he says.
"That means there should be a difference between the day they started and a year and a half later in terms of the way the company views security. If they're not getting that, you don't have a security leader. What you have is somebody who is sort of just sitting around in the role," says TheInfoPro's Kennedy.
That trust, in combination with executive leadership, will go a long way toward getting the security budget and resources needed to build a solid programme.
But it's not enough. Experienced pros say that the CISO who can build a world-class programme has to first be an expert on the industry they're in and how their organisation functions in that industry. That's why Cowperthwaite advises CISOs to learn the nature of their business.
"If you want to be the CISO of the company, then somebody else can go talk about bits and bytes with your networking equipment provider while you figure out what the company's strategy is and how you fit into it," he says.
"You can do that better by getting to know the business inside out," he says. "If you work in transportation, you have to go out on the road with the drivers. See how everyone works and what they need to get their jobs done. If you're a hospital, watch how staff actually work."
Finally, to be security leaders, enterprises need to start measuring their efforts so that they can improve over time. Pete Lindstrom, research director at Spire Security, said that a good place to start is with operational metrics. Those would cover commonly repeated tasks such as user provisioning and account management, as well as the time from vulnerability discovery to remediation. The measurements can also be risk-based, such as the results of vulnerability-management efforts. "The important thing is to start measuring what you can measure, and build the metrics you can track over time," Lindstrom said.
While most organisations still lack a cohesive security strategy and an ability to execute on that strategy, it's clear that it's not beyond their reach to develop those things. Security management needs to be in a position of authority, integrate itself into the business and continuously measure and improve upon its own efforts.