Bridging The Conversation Gap

Pravin Kothari

Accenture and Agiliance's CISO Roundtable event had some very interesting discussions and presentations. Bob West, CEO of Echelon One and former CISO at Fifth Third Bank, led a discussion about how to bridge the conversation gap between the CISO and the other CxOs. Here are some of the key points presented and discussed:

CISOs typically have their own vocabulary, which doesn't translate well when speaking with other members of the executive team. CISOs talk in terms of protection of assets and data, prevention, confidentiality, integrity and availability. CEOs and CFOs talk about business value and how their investments relate to top-line and bottom-line growth. The result of this language gap is that most CEOs and CFOs do not fully appreciate the work of the security organization or the value of security technology investments. Security is almost always viewed as a cost center. Since the value of security is not clearly understood by the board, the CISO's budget is traditionally a small portion of the CIO's spend.

For CISOs to be effective in their roles, they need to translate security speak into business speak. This means security must be framed in the two things that the business understands and measures: performance vs. risk. A similar role for a CISO to model after is that of the General Counsel. Just as the General Counsel advises the board on legal risks and enables the business to pursue projects with legal coverage, CISOs need to come to the table as business partners and counsel the business on which security risks are acceptable and how those trade off against performance. This means CISOs must be able to measure and present security investments in terms of risk. Emerging IT GRC solutions should be considered as one way to bridge this gap.

All other parts of an organization are measured on their performance, yet the CISO and the security organization for the most part still behave as if security is black magic. A question was posed to the CISOs in attendance on how they decide:

  • What security technology to invest in?
  • How to compare competing technology alternatives?
  • How much security is required and how much is enough?

The unanimous response was that the CISOs relied on their technical team's qualitative justifications. Measurements such as risk are rarely used to quantify the benefit of a security investment. The participants also reluctantly agreed that this lack of quantitative measurement leads to "fad driven" purchases, where the trendiness of a new technology and the technical team's enthusiasm for it carry too much weight in the decision process. Pick any point in the last 20 years and there is always a cool new technology of the moment that is touted as the best thing since sliced bread.

Mature security organizations need clear metrics to help the executive team understand whether they are performing effectively or not. Business is about the tradeoff between performance and risk; the security profession should be no exception. Any security technology investment has to either reduce risk or improve the performance of the organization. Otherwise, the organization has no reason to invest in that technology. Once a CISO can quantify what the security team does and how security investments translate into risk reduction or performance improvement, the CISO's team is no longer viewed as a simple cost center.

Of course this is not a trivial task, and few CISOs have done it successfully. Fortunately one of the CISOs in attendance, an Agiliance customer, has actually been able to achieve this and shared his story with the group. This CISO is from a defense contractor that operates communication infrastructure for multiple branches of the military. He has deployed Agiliance IT GRC technology to measure the risk and compliance (to contract terms) level of their outsourced operations. Today he presents regular reports and is in the process of providing real-time risk and compliance dashboards to his clients at the Department of Defense. The contractor is now actively selling this real-time risk and compliance capability as a differentiator when bidding on additional military contracts. The real-time visibility of risk is of great value to the DoD organizations and has been instrumental in landing large contracts. This is a great case study of how a CISO has successfully articulated and positioned security and GRC technologies as a business enabler that helps to increase revenue performance and reduce revenue risk.
