Yahoo! CISO's xmas wish list

The end of the year is a really important time for me and my team. It's one of those rare situations when I feel reflection is forced upon us.

The business starts to slow down for end-of-year finances, IT shuts down for change freezes, security organisations have their end-of-year conferences, holiday parties are held, reviews are conducted and more.

For me, I like to think about what I've done, and not completed, to help me better position myself for the next year.

It's also important to reconnect with the beliefs and core principles by which I operate.

I believe, very deeply, that security is critically important to each and every one of us in our personal and professional lives.

To that point, it's important to do this reflection to make sure we are not off target.

I believe that people are the main hurdle in implementing good security. As we look at the reasons why security fails in organisations, it keeps coming back to people.

The main reason why people don't practice good security is because they don't believe in it or see the value.

As a practitioner, have I done my job to communicate to the entire populous the need to change this?

In a recent survey I conducted in June, more than 30 percent of executives were supportive of security compared to less than 10 percent of managers.

If we believe that changing people is the key to implementing good security, we need to focus on this more. Our inability to do so will result in the same resistance we have always received.

I believe that transparency, openness and data are critical to obtain peoples' understanding and enrollment into security.

We will never explain “why” to people and have them support our cause unless we are transparent, open and using data.

Only 14 percent of respondents believed they had metrics that predict trends and allowed them to respond. 

In addition, none of the respondents sent metrics to all employees. If we don't show our metrics of security to employees, how can we ever expect them to support our implementation of controls?

Also, the constant maturity of our metrics is important to ensure we are focusing on the right things. In industry, key performance indicators (KPI) are seldom used, if ever correct. Driving to this level of maturity is significant to ensure we have a robust data driven approach.

The method in which we implement controls is important to the defence of our environment.

However, it's our ability to implement culture change that is critical. Over 78 percent of respondents said culture change was most important compared to technical controls.

Yet, the data shows that we don't focus on it. Instead we focus on converting a subset of employees and executives, and leaving it at that. If we believe in culture change, we should change our behaviour to meet it.

Getting it done

Somaini has a few requests for security strategies he'd like to see implemented in 2012:

• Establish town halls for some of your largest offices once a year.
• Send a monthly communication to all employees on security trends.
• Establish a risk management methodology supported by key performance indicators.
• Security administrators should get their team to participate in industry discussions and events to drive overall maturity within the enterprise.

See the results of Somaini's S3 survey on internal security management.

Copyright © SC Magazine, Australia