The importance of security is sinking into the minds of executives following the uptick in breaches recently, experts say.
Panelists at the RSA 2012 conference in San Francisco said security pros must be ready to field questions from C-level executives about the state of security.
They also need to explain threats effectively to their bosses and make a case for budget, according to Computer Sciences Corp global CISO David McCue.
Accenture security consulting head Bill Phelps said many non-technical executives formerly had little awareness of what cyber threats meant to their organisation.
“The discussion around probability and consequences has changed,” he said.
eBay CISO Dave Cullinane said other CISOs should improve communication of security threats to their CEO. He said this would help prepare directors to speak with the press in the event of an incident.
“We have to quantify the risk posture and have a good discussion around risk tolerance to demonstrate ROI in reducing fraud and the number of incidents,” he said.
Gary McAlum, CSO of US insurance firm USAA, said security pros can talk about breaches and compliance regulations in the board room, but when it comes down to the bottom line, reputation and brand are the drivers.
“We need a continuing process of education,” he said. “Otherwise there are significant consequences.”
Eddie Schwartz, CISO at RSA, which itself experienced a high-profile breach last year, said discussions with higher-ups need to be more business-oriented so as not to baffle executives with a lot of jargon.
While security people understand incident management, crisis management is an entirely different beast, he said. At RSA, a team was put together to gather analytics to show the impact of the breach, and to look at all sides of the situation.
As far as what needs to be done to thwart future attacks, Cullinane said security pros must stop reacting to external attacks and instead need to get in front of the economic model which the cyber criminals use. That is, from observing their patterns of attack, be prepared to know where and how they might try to breach their next target.
Further, security personnel need to change their behavior to develop stronger instincts about what looks “off,” Phelps said.
“People need to become more attuned to security risks,” he said. “We have to change culturally.”