Breaches help bend ears of execs

Powered by SC Magazine

Make your CEO security savvy.

The importance of security is sinking into the minds of executives following the uptick in breaches recently, experts say.

Panelists at the RSA 2012 conference in San Francisco said security pros must be ready to field questions from C-level executives about the state of security.

They also need to explain threats to their bosses effectively and make a case for budget, according to Computer Sciences Corp global CISO David McCue.

Accenture security consulting head Bill Phelps said many non-technical executives formerly had little awareness of what cyber threats meant to their organisation.

“The discussion around probability and consequences has changed,” he said.

eBay CISO Dave Cullinane said other CISOs should improve how they communicate security threats to their CEO. He said this would help prepare directors to speak with the press in the event of an incident.

“We have to quantify the risk posture and have a good discussion around risk tolerance to demonstrate ROI in reducing fraud and the number of incidents,” he said.

Gary McAlum, CSO of US insurance firm USAA, said security pros can talk about breaches and compliance regulations in the board room, but when it comes down to the bottom line, reputation and brand are the drivers.

“We need a continuing process of education,” he said. “Otherwise there are significant consequences.”

Eddie Schwartz, CISO at RSA, which itself experienced a high-profile breach last year, said discussions with higher-ups need to be more business-oriented so as not to baffle executives with jargon.

While security people understand incident management, crisis management is an entirely different beast, he said. At RSA, a team was put together to gather analytics to show the impact of the breach, and to look at all sides of the situation.

As for what needs to be done to thwart future attacks, Cullinane said security pros must stop merely reacting to external attacks and instead get in front of the economic model that cyber criminals use. That is, by observing attackers' patterns, defenders should be prepared to anticipate where and how they might try to breach their next target.

Further, security personnel need to change their behavior to develop stronger instincts about what looks “off,” Phelps said.

“People need to become more attuned to security risks,” he said. “We have to change culturally.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
