- Recent surveys show that CxOs lack appreciation for CISOs
- It is up to us as InfoSec professionals to show the importance and value of integrating security with the business
Security is a cost… heard that one before? The primary goal of this blog is to change that mindset to ‘Security is an investment’.
It is hard to show how security has saved an organisation’s bacon. After all, if nothing happens, everything must be fine… right?
Let’s put this into perspective:
- Traditionally, businesses depended on IT solely for day-to-day in-house functions. Now it is required for new and modern functions such as business intelligence/strategy, R&D/innovation, data warehousing, marketing, etc. This changes the role of IT within a business from ‘just a tool’ to a core business function; entire departments are built on information technology.
- Information is a valuable commodity, just ask the NSA or a competitor.
- Information is freely accessible to all, anywhere, at any time. This increases both perceived and actual anonymity, and raises the level of technical knowledge available to everyone.
- As long as an organisation is valuable, there will always be financially motivated malicious threats: espionage, extortion, etc.
- Information security is about maintaining the CIA: Confidentiality, Integrity and Availability of information.
- As an adversary, carrying out a threat and disrupting the CIA by obtaining or destroying something of value has never been easier.
C-level executives need to understand that the above points describe the current state of information security.
Now for the evidence showing otherwise:
A recent survey shows that CxOs have a lack of appreciation for CISOs.
One finding stands out, quote:
More than half of the C-suite executives in the survey said that CISOs provide valuable guidance on cybersecurity matters. However, they also felt that their CISOs did not possess enough broad awareness of organizational objectives or business needs to deserve a place at the leadership table.
This just reiterates the importance of getting security functions aligned with the business.
Adding to this is the fact that C-level executives are not aware, or don’t believe, that cyber security is a priority. The US Department of Homeland Security thinks otherwise: C-level execs need to know that information security is a business issue.
Just as we are technically capable, we also need to be proficient at the management level (or get a CISO who is!). Being creative and finding ways to show that information security can provide a return on investment for the business is key to changing this mindset.