Selling Security

By Rakesh Shah | 2 May 2014

The threats facing network operators all over the world, spanning service providers, enterprises, cloud and hosting providers and mobile operators alike, are by no means stalling. While optimism is always the name of the game, we know all too well in security that keeping pace with the slew of attack vectors out there today is an unfortunate reality. As Arbor’s 9th annual Worldwide Infrastructure Security Report reveals, the magnitude of attacks is on the upswing once again and, coupled with increasingly complex, multi-vector attacks, the threat is all too real.

Winning the battle against those threats depends on many factors: the expertise of the security organisation; response plans and resources; and the ability to put those plans into action. Increasingly, part of the challenge for Chief Information Security Officers (CISOs) is in getting the right support from their senior management. That’s not necessarily a new hurdle for CISOs to overcome. Management buy-in has always been vital for dealing with IT security threats, especially in financial sector organisations. But with threats becoming more complex, the priority for CISOs is ensuring that they have sufficient resources to deal effectively with those issues.

Executive and board-level awareness of these threats is already pronounced: recent research found that senior executives and risk managers within American and Canadian enterprises today are more concerned about losing money through cyber threats than they are through property damage or investments or securities failing.¹ This growing board-level awareness as to the severity of IT-based attacks means CISOs have an opportunity to champion their own role as risk managers and defenders of the business. By showing leadership and engaging proactively with other heads of department, CISOs can show how their expertise adds a ‘return on prevention’ value to the business.

However, when it comes to getting their voices heard, many CISOs face an uphill struggle from day one – everything from IT being seen as ‘just’ the cost of doing business and not an asset, to board members with vastly different priorities (i.e., those who would rather wait for their house to be on fire to call the fire department than take pre-emptive action upfront). If CISOs are to deliver an understandable call to action and gain the credibility to push their strategic plans, they need to deploy a range of tactics to make their voices heard, including:

  • Discussing security risks in a way that resonates with management: Expecting the management or executive team or board to learn the information security professional’s vocabulary can be unrealistic. Instead, the CISO must communicate threats in a way that the leadership team understands. This language barrier doesn’t need to be a hindrance, though; approached in the right way, it can actually be an excellent way for CISOs to showcase how their role fits within the overall corporate risk management strategy.
  • Translating prevented costs to realised goals: The substantial increase in botnet code modification and botnet node recruitment may be crucial in the understanding of how attacks are developing, but bring these terms up in a conversation with a CFO and you’re likely to see their eyes glaze over faster than you can say Distributed Denial of Service (DDoS). The primary message a CISO needs to get across is the threat that attacks of any kind pose in terms of lost revenue, reduced productivity and damage to the business brand.
  • Anchoring the threat in their own organisation: Engage with the CFO and COO to obtain financial figures relating to the cost of your operations and the amount of money generated through online services and a workforce reliant on a fully functioning IT network. Armed with these figures, CISOs can offer a realistic estimate of the negative financial impact of a level-one cyber-attack where key IT services might be adversely affected. In an age where financial institutions have built strong revenue streams and enhanced customer loyalty through online and mobile services, it also provides an opportunity for CISOs to demonstrate the crucial role they can play in preserving business operations.

These days, no enterprise risk assessment and business plan is complete without taking into account the operational risk represented by cyber security attacks intended to have a negative effect on the availability of key online services. Enterprises can no longer afford to see their CISOs confined to the dark recesses of the IT department because as DDoS attacks and other cyber threats have become increasingly high-tech and more complex, enterprises need a technologist with a seat at the table.

But with greater responsibility comes the challenge of gaining and maintaining credibility within the C-suite. And it is only by conveying this threat in a language the business understands—by demonstrating the potential outcomes using examples familiar to other business heads—that the CISOs will be able to get the buy-in they need to do their job properly. This is the challenge and the opportunity—the opportunity for the CISOs to get the recognition they deserve and the backing to deal with the ever-growing threat faced by organisations today.

By Rakesh Shah, Senior Director of Product Marketing & Strategy at Arbor Networks


¹ Execs Say Cyber-Attacks a Top Threat: AIG Survey—CNBC News—6 February 2013