In-Depth

Tips for CSOs: How to Discuss Security Issues with Executives

Many CSOs still have difficulty communicating security requirements to their more business-oriented peers.

• By Mathew Schwartz
• 03/16/2005

When it comes to securing enterprise networks, about half of CSOs admit to employing a “moat and castle” approach: if an attacker breaks through the outer network defenses, there are few mechanisms in place to further defend corporate information.

Yet about half of those same CSOs also characterize their approach to information security as “proactive.” Being proactive, however, means instead of just cleaning up after attacks, organizations actively comb the network for known vulnerabilities, prioritize risks, and remediate accordingly.

Those results come via security vendors Preventsys and Qualys, which queried CSOs and CISOs at a series of seminars discussing “how to talk about security in a business setting, and not some geeky technological practice no one understands,” says Tom Kuhr, the vice president of marketing for security vendor Preventsys, based in Carlsbad, Calif.

Why the disconnect between perception and reality? “People have a higher opinion of what they’re doing than what the reality is,” he says. “Logistically these guys are [saying] the easiest thing for me to do is wait for an event to happen, then try to shut it down—which is the reactive approach.”

Another finding: 46 percent of CSOs report spending over a third of their day analyzing security software reports. “There’s so much data,” Kehr notes. Rather than just using high-level reports prepared by subordinates, he says most CSOs are getting their hands dirty, assessing weekly network vulnerability scans, results from application scanners, wireless scans, and configuration management tools.

When CSOs aren’t studying data, they’re often relaying results. “We did another, informal questionnaire in the fall and we found that people spent 30 to 60 percent of their time just communicating to their peers or executives. The communication role of the CSO is just so important,” says Kuhr.

Tips for Communicating with Executives

Yet many CSOs still have difficulty communicating security requirements to their more business-oriented peers. As Gartner Group analyst John Pescatore says, “Executives often want to know if attacks will always increase, or if more-secure software and improved security capabilities will relegate cyber-attacks to obscurity.” Of course it’s up to CSOs to set executives’ expectations, and Pescatore notes that yes, “the overall number of attacks will continue to increase, if for no other reason than because the population of the Internet is increasing.” Even so, “it is not useful to speculate on the quantity of attacks, because you have little control over them.”

In other words, CSOs need to re-focus the security discussion on more pertinent issues. For example, while many businesses free emergency resources to deal with any virus or worm outbreak, how might that money be invested in proactive software able to prevent such outbreaks?

Yet many CSOs have been promoted from technical disciplines, and don’t have experience packaging security concepts for a business audience. “A lot of these guys were very technical, and aren’t able to communicate with executives or supposed peers at the executive level,” says Kuhr.

To help overcome that problem, when it comes to senior-level communications, “report your message on a consistent, regular basis,” he says. The message should “explain in business terms why security exists,” and of course why it’s relevant to the individual business. So CSOs should study their company’s business goals for the next year or so, then tie security to one or more business initiatives. “Tell them why security needs to be worked into that project. Make it a business reason: If the project doesn’t have good security, here’s what’s going to go wrong, and here are the costs involved in not only making the project successful, but better than your peers.”

The last point can be especially powerful. “In many of the industries we talk to, especially financial services, being better than their peers is a very important benchmark,” says Kuhr. Gauging competitors’ security investments may be easier than you think. “Surprisingly, the security teams from these competitors talk on a regular basis, whether through back channels or there are some industry groups.”

Finally, Preventsys has one last piece of advice for communicating with executives: “Avoid technical terms at all costs, unless they are printed in USA Today.”

Related Articles:

Security Spending Trends for 2005
http://www.esj.com/Security/article.aspx?EditorialsID=1248

Top Three Security Problems Remain Despite Increased Spending
http://www.esj.com/security/article.aspx?EditorialsID=860