Bridging the CISO-CEO Divide
Recommendations from Global 1000 Executives and a Fortune 500 CEO

Report based on discussions with the Security for Business Innovation Council:
1. Anish Bhimani, Chief Information Risk Officer, JP Morgan Chase
2. Roland Cloutier, Vice President, Chief Security Officer, EMC Corporation
3. Dave Cullinane, Vice President and Chief Information Security Officer, eBay
4. Professor Paul Dorey, Founder and Director, CSO Confidential and Former Chief Information Security Officer, BP
5. Renee Guttmann, Vice President, Information Security and Privacy Officer, Time Warner Inc.
6. David Kent, Vice President, Global Risk and Business Resources, Genzyme
7. Dr. Claudia Natanson, Chief Information Security Officer, Diageo
8. Vishal Salvi, Chief Information Security Officer, HDFC Bank Limited
9. Craig Shumard, Chief Information Security Officer, Cigna Corporation
10. Denise Wood, Chief Information Security Officer, FedEx

And special guest contributor Michael Capellas, Chief Executive Officer, First Data Corporation

An industry initiative sponsored by RSA, the Security Division of EMC
The Security for Business Innovation Initiative

Business innovation has reached the top of the agenda at most enterprises, as the C-suite strives to harness the power of globalization and technology to create new value and efficiencies. Yet there is still a missing link. Though business innovation is powered by information, protecting information is typically not considered strategic, even as enterprises face mounting regulatory pressures and escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or, even worse, not addressed at all. But without the right security strategy, business innovation could easily be stifled or the organization could be put at great risk.

At RSA, we believe that if security teams are true partners in the business innovation process, they can help their organizations achieve unprecedented results. The time is ripe for a new approach; security must graduate from a technical specialty to a business strategy. While most security teams have recognized the need to better align security with business, many still struggle to translate this understanding into concrete plans of action. They know where they need to go, but are unsure how to get there. This is why RSA is working with some of the top security leaders in the world to drive an industry conversation to identify a way forward.

RSA has convened a group of highly successful security executives from Global 1000 enterprises in a variety of industries which we call the Security for Business Innovation Council. We are conducting a series of in-depth interviews with the Council, publishing their ideas in a series of reports and sponsoring independent research that explores this topic. RSA invites you to join the conversation. Go to www.rsa.com/securityforinnovation/ to view the reports or access the research. Provide comments on the reports and contribute your own ideas. Together we can accelerate this critical industry transformation.

Business Innovation Defined
Enterprise strategies to enter new markets; launch new products or services; create new business models; establish new channels and/or partnerships; or achieve operational transformation.

Table of Contents
Introduction
The Perspective of a CEO who Gets It
State of Affairs: How CEOs View Information Security
Top Ten Ways to Make the Case to Your CEO
How Does the New Economy Change Making the Case?
Top Ten Ways to Alienate Your CEO
Top Ten Ways CEOs Can Put their Organizations at Risk
Conclusion
Appendix: Biographies
Security for Business Innovation Report Series
The Time is Now: Making Information Security Strategic to Business Innovation (Recommendations from Global 1000 Executives)
Mastering the Risk/Reward Equation: Optimizing Information Risks While Maximizing Business Innovation Rewards (Recommendations from Global 1000 Executives)
Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy (Recommendations from Global 1000 Executives)
Charting the Path: Enabling the Hyper-Extended Enterprise in the Face of Unprecedented Risk (Recommendations from Global 1000 Executives)
www.rsa.com/securityforinnovation

Introduction

Will 2010 be the year that information security comes of age? There are signs that information security, previously viewed as a necessary evil or inconvenient afterthought of corporate strategy, is becoming core to organizational strategy. And this central role is recognized not only within the ranks of information security but also by senior executives across global organizations. In the recent Global State of Information Security 2010 study, 52 percent of C-levels reported that the increased risk environment created by the economic downturn has elevated the role and importance of the security function. [1]

The elevation of information security represents a critical opportunity and responsibility for information security leadership. Now more than ever, security professionals must demonstrate expertise in aligning with the highest priorities of their organizations. To do that they must effectively convince the Chief Executive Officer (CEO) that security must be a core component of business strategy. After all, it's the CEO who owns the business strategy; he/she sets the agenda and establishes the objectives for the entire corporation. Therefore, for information security to be strategic, the CEO must see the link between his/her objectives and the protection of information assets.

Given current economic conditions, a key focus of most CEO agendas is the drive towards cost reductions and operational efficiencies to strengthen the overall balance sheet and profitability. Corporate leaders today are beginning to see encouraging trends toward recovery, though. The NYSE Euronext 2010 CEO Report indicates that nearly half of CEOs think the U.S. economy will have fully recovered by the end of 2010, with the global economy recovering by the end of 2011. However, the vast majority of CEOs believe it will be a weak and patchy recovery, and their intention is to continue to run tight ships even as the economy improves. [2]

The reality is that there is a strong link between current CEO priorities and information security strategy. Many of the measures organizations are adopting to manage cost and efficiency are both innovative and risky. Chief among them is accelerated adoption of new technologies and global business models. Putting customer data, intellectual property, or proprietary corporate information into new IT environments, and sharing information with more and more third parties spread out across the globe, creates risks. Organizations also face an increasingly risky socio-economic environment, as insider threats and external attackers are more motivated and capable of targeting enterprise information assets.

The aggressive business goals and heightened risk environment facing the enterprise today put the information security officer in a crucial position: making sure the company takes the right risks in the right ways. The right information security strategy can not only help meet cost-savings and efficiency goals in the near term, but it can also help position the company for recovery and strong business performance in the long term. The prerequisite for taking on this crucial role is that the security leader must have the confidence of the CEO.

This fifth report in the Security for Business Innovation series explores the link between CEO priorities and information security strategy, examining how a divide between an organization's CEO and its security officer can detrimentally impact its risk profile and ultimate business success.

This report takes a very practical approach. It provides ten important techniques for gaining and maintaining the support of the CEO (and other C-suite executives and the Board) for a strategic information security effort. It then analyzes the flip side, taking a candid look at potential missteps and mistakes, and offers ten tips for what not to do when dealing with your CEO. The last section is intended as food for thought for the CEOs themselves, showing how their lack of support for strategic information security could put their companies at risk.

The guidance in this report was derived from conversations with a group of top security leaders from the Global 1000. As a special feature, the report includes contributions from a Fortune 500 CEO, who, as the leader of the largest payment card processing company in the world, is no stranger to risk. The stakes are high, information security is taking center stage and your performance could mean the difference between a future where information security takes a leading role or is relegated to a bit part within the organization.

"Understand that for the CEO, everything is about balance. A CISO has to demonstrate a sense of balance; the ability to weigh risk and return. Then the company will be putting the appropriate resources towards security. It's a trade-off between risk and return."
Michael D. Capellas, Chairman & Chief Executive Officer, First Data

"Every day CEOs must assume the role of risk-takers. This is one component that defines a good CEO. What risks should he take on behalf of the company in order to grow it? The CISO must be able to contribute to the wider risk discussion and help the company take the right risks."
Claudia Natanson, Chief Information Security Officer, Diageo

"One of the main things in maintaining credibility with your CEO is you have to be heavily steeped in reality."
Denise Wood, Chief Information Security Officer, FedEx
The Perspective of a CEO who Gets It

Michael Capellas is a Chief Executive Officer who gets it. A 30-year veteran of the IT industry, Michael is a recognized global thought leader in the technology space, with significant expertise in information security. He has long understood the value of protecting information, not only as a strategic imperative in corporate environments, but also for the United States as a nation. Michael has served on two separate Presidential Advisory Councils on National Security.

As CEO of First Data, Michael currently leads a company where information security is central to the business. As the global technology leader in information commerce, First Data helps businesses, such as merchants and financial institutions, safely and efficiently process customer transactions and understand the information related to those transactions. The company securely processes transactions for millions of merchant locations and thousands of card issuers in 36 countries.

Michael has also had the experience of leading companies where information security was not a core competency, yet he made it a key aspect of the organizational strategy. For example, as the CEO of Compaq, Michael worked to develop a secure technological infrastructure for numerous governmental agencies as well as the New York Stock Exchange. As CEO of MCI, Michael worked to develop resilient telecommunications infrastructures that supported the federal government, the automobile industry and financial services. He also established a focused security practice within MCI to serve the enterprise market.

Earlier this year, Michael addressed over 100 security and privacy executives at the RSA Conference Executive Security Action Forum (ESAF), a gathering that hosts the largest global enterprises and government agencies in the world. Michael's talk at the event was the single most highly rated session ever at an ESAF event. His unique perspective as a CEO with a deep understanding of and commitment to information security provided invaluable insight for the group on how to focus the C-suite on the value of information security.

This report brings his unique perspective together with the views of some of the most successful security executives in the world, and offers tangible recommendations for security professionals at this time of unprecedented opportunity and challenge.

"You have to be able to understand risk analysis as the premise. That's where you start. This is about risk. The language of business is about risk. And if you sit in a CISO position and you can't meaningfully talk about measures of risk and layers of risk, you're probably not going to be successful. You can spend all your money having the latest virus protection put on your PCs and miss the fact that you've got massive enterprise risk because of vulnerabilities to the power infrastructure or legal liabilities of doing business in certain countries."
Michael D. Capellas, Chairman & Chief Executive Officer, First Data
State of Affairs: How CEOs View Information Security

Convincing a CEO that information security should be strategic starts by knowing where he/she currently stands. The CEO's view will depend on the vertical industry, regulatory regime and intellectual property: does the company have market, legal or competitive reasons to protect information? It will also depend on third-party relationships and global reach: how much and with whom does the company exchange information?

Overall, CEOs tend to think more about information security issues today than they did in the past simply because most enterprises today rely heavily on IT to support business operations. And most CEOs use the web and mobile communications themselves in the course of their daily work and lives. By now, many have also had direct or indirect experience with a security incident or identity theft. The awareness level of CEOs has also risen because of increased regulation (government and industry mandates for data protection) and the high-profile media coverage of massive data breaches, especially in the business press. Information security is now squarely on the CEO's radar screen.

Most CEOs today will acknowledge how important it is to have an information security strategy. In a recent survey of CEOs, 87 percent rated developing a data protection strategy for the organization as important or very important. [3] However, the same survey shows that although they see it as important, CEOs may not have a realistic picture of information security yet. 77 percent of CEOs surveyed view the greatest risk to data as lost/stolen laptops or incorrect disposal of storage media. [4] This is in contrast to a recent SANS Institute report on the top cyber security risks. The study found that attacks on Web applications and targeted phishing attacks currently carry the greatest potential for damage. [5]

Not only do CEOs seem to misunderstand the risks, they tend to underestimate them compared to other executives. For instance, the majority of CEOs surveyed (68 percent) believe hackers try to access corporate data rarely, or at most once a week, while those in other executive positions believe that their company's data is under attack on a daily or even hourly basis (53 percent). [6]

Of course CEOs cannot be expected to be information security experts; that's why they have security officers. It is up to the information security officer to help the CEO build a realistic understanding of the risks. But the CEO can and should be expected to provide authoritative support for information security.
So how supportive are CEOs today? There are encouraging signs. One sign is that more companies are beginning to address information security governance by putting in place more formalized enterprise risk programs which include information risk management. Recent research indicates that 35 percent of companies surveyed conduct enterprise risk assessments twice per year, and 33 percent continuously prioritize information assets according to their risk level. [7] In addition, Board-level and company-wide enterprise risk councils that incorporate information risks in the overall risk management effort are emerging in many industries.

Another positive sign is the increase in the frequency of reporting to the CEO, other C-level executives and the Board on information security. When information security feeds into ongoing business reporting, it is more integrated with the business strategy and more likely to get the right level of funding. In the financial sector, which tends to be on the leading edge, nearly half of companies now have regular reporting to the CEO on information security on a monthly or quarterly basis (39 percent), or once or twice per year (10 percent). [8]

So it is clear that CEOs are increasingly aware of information security issues, and they have started to establish formalized support structures. At this point it's up to information security officers to better educate CEOs about the real risk picture and build on the momentum to position information security as a strategic business endeavor.

"There is no question that the issue of cyber security has become highly escalated in the last two years. The awareness is coming from several places. It's being driven by the head of audit departments of large public firms. It's being played out at the Board level. It's risen with the extent of globalization and the rapid adoption of the internet and technology. And there have been some pretty well known cases which have hit the press. So there are lots of reasons that it is top-of-mind now with virtually every CEO."
Michael D. Capellas, Chairman & Chief Executive Officer, First Data
Top Ten Ways to Make the Case to Your CEO

Here are ten key techniques to keep in mind as you strive to convince your CEO and other executive leaders that information security has an important role to play in the business strategy. It's not a comprehensive plan, but a list of some of the most important things to consider.

1. Earn a strategic position

Don't expect the CEO to just hand you a strategic position; you have to earn it. Demonstrate that you have an understanding of the business and you'll build credibility. Organizational management skills are also essential. Information security is never going to be completely centralized because it sits across the organization; CISOs need to be able to work in a matrix environment and across organizational lines. Also, recognize that formality matters in this job. If you're reporting to the C-levels or the Board, don't just give verbal updates; make presentations in a formalized, standardized and consistent way.

"Being a great Chief Information Security Officer requires interpersonal skills. The CISO cannot just be a technical person. You have to have the skills to be able to relate to people right across the organization and have enough business savvy to communicate to senior people in a way they'll understand."
Michael D. Capellas, Chairman & Chief Executive Officer, First Data

2. Establish security champions within the CEO's circle of trust

To engage the CEO, you'll need to win over those who influence and interact with him/her on a regular basis: the Board and C-level direct reports. In some organizations, the Board may be savvier regarding information security than the CEO. Board members tend to focus on big picture risk concerns and fiduciary responsibilities, and they bring perspectives from their broader experience in other companies. Impress them with your strategic vision for managing information risks and they will influence the CEO. Typically it will be the C-levels and/or business unit executives who will need to be convinced to fund information security initiatives. Be cognizant that they have to reconcile their responsibility to protect information with their goals of managing budgets and reducing costs. Securing funding at the operational level requires proving that your program makes the best possible tradeoffs between security and cost. If you build strong allies with the C-levels, they will represent you at the CEO's table.

"Data drives the quantification of risk and there is analysis and logic to be applied. Ideally you should be able to say, 'Here's what could happen: a security lapse here is the cause, here are the operational effects, here's a quantification of what it would cost us, and here's some alternatives that we have for preventing it.'"
Michael D. Capellas, Chairman & Chief Executive Officer, First Data
3. Make security relevant

Know the CEO's strategic agenda and how that maps to specific business goals, then contribute to realizing them. For example, if a CEO is focused on costs, each business area will have cost-reducing goals. In marketing, they could be aiming to reach new markets more cost-effectively by partnering with social networking sites; security could help protect the customer data collected so that the investment is not jeopardized and customer trust is maintained. HR might be looking to decrease the costs of on-boarding and off-boarding contract workers; with optimized identity management, security could help achieve this. In accounting, they may be working on reducing compliance costs; security could help drive down the hours spent on managing access to data and on conducting audits. Part of the customer strategy may be to make service more efficient; security could help reduce phone service by enabling more data to be safely accessible on-line. It will be an education process to help the CEO and other executives understand how security is relevant to their specific objectives.

4. Show him (her) the money

The business exists to generate a profit and ultimately, this is what the CEO wants to see. To gain support for your information security program, be able to calculate how it improves the bottom line by enabling the company to make or save money.

For example, a recent study by the Aberdeen Group revealed that top performing companies that have adopted cloud computing have reduced IT costs 18 percent and data center power consumption by 16 percent. The study also showed that in order to get the benefits of cloud computing, top companies realized they had to establish a governance model around Services Oriented Architectures and cloud-based service delivery. Best practices included a formal cloud evaluation process for monitoring cloud applications as well as formal training for the cloud team. [9] In other words, the report showed that cloud computing enabled by an information risk management program can achieve measurable and meaningful cost-savings for the company.

Another way information risk management can enable cost savings is through better vendor management. Companies are engaging in global sourcing, business partnerships and strategic vendor relationships to bring down costs. In forming these relationships, companies must assess and mitigate the risk posed by third parties having access to their data or network. Due diligence efforts can be challenging and costly. A study by the Information Risk Executive Council (IREC) found that companies with leading information risk programs can reduce their third-party risk management budget by up to 64 percent. [10]

5. Dispel media hype

The CEO, other C-level executives and the Board get much of their information about security risks through the media. Although media coverage helps raise awareness of information security, it is often a distorted picture. Leadership can end up focusing on the wrong things, such as cyber terrorism or laptop theft, which may not represent the highest priority risks. The CISO's role is to break any misconceptions, actively educate the CEO, C-levels and the Board, and help them make more informed risk decisions.

For example, every time there is a major news story on information security, one that you know will get their wheels turning and asking "What if?", provide an email before they even start asking you these questions. Give a brief analysis and relate it to your own company's situation. If information security is represented on an Enterprise Risk Management Committee, this is also a good vehicle for effectively disseminating more accurate information about your company's risk profile to executive leaders.

"Whether it's to a C-level or a Board member, talk about alignment to the strategies of the company, global expansion and global collaboration, and how you enable that to happen; how protecting resources and trade secrets is a competitive advantage. Talk about being a trusted partner to your customers and how your security program becomes a reason for people to do business with you."
Roland Cloutier, Vice President, Chief Security Officer, EMC Corporation
6. Make it real

To help the CEO and executive leaders understand the risk, make it real. As much as possible, quantify the risks. Don't just give vague explanations of high, medium or low risk events. Instead describe detailed and realistic scenarios for your company, with actual numbers for probabilities, impact and financial losses in the context of your organization's market position, vertical industry and regulatory regime. Admittedly, since information security is still in its early days, coming up with numbers is not easy; there's no handy actuarial table. But numbers are what will make it real for business leaders.

Research incidents that have occurred at other organizations, but make sure to present that data in the context of your company. For example, estimate how much it could cost your company if you had a data breach exposing card holder data protected under PCI. Or explain what a Denial-of-Service attack could mean, and how much money your company could lose if your e-commerce site were down for a day. Work in partnership with others such as the VP Marketing and General Counsel to derive these numbers and, when you present them, have the partners there backing you up.

Also, detail a framework for evaluating risk and making risk decisions. Conversations about risk invariably come down to who has the authority to make what level of risk decision. Having a formalized risk assumption model for information risks brings clarity and transparency to the process and delineates where and with whom risk decision responsibilities lie.

7. Develop good metrics

Good metrics accurately measure the value of information security investments, and they show how the security program manages risks to acceptable levels to meet business goals. Communicate the trade-offs between investment and risk by using visual diagrams that clearly depict the effects (benefits vs. costs) of various investment scenarios. For example, show how risk decreases if the information security program contains certain elements and how it increases if the company forgoes those elements for now.

Get data about how your program compares to other similar organizations. External comparisons and benchmarking establish credibility for the security program and provide evidence of commercially reasonable practices. To get this data, security officers need to actively participate in peer groups and forums for information sharing.

8. Set up a clear organizational structure

The security organization should have an absolutely crystal clear organizational structure.
Whether it's centralized, decentralized, based on lines of business, or functional, etc., it must be clearly articulated, socialized and institutionalized across the whole enterprise. The biggest weakness for security practitioners is organizational management. In other functional areas, the policies, hierarchies and roles are well-defined and well-understood by those outside the functional areas. For example, people get what departments like accounting and finance do because their function has been institutionalized. This is how it should be for security as well. This will help security develop better working relationships throughout the organization.

9. Have a plan

Build and document the information security strategy including a detailed road map, clearly defined goals and manageable milestones. Measure and evaluate your progress and communicate this to the CEO and other executive leaders. Divide the strategy into the technical and business strategies; these may be inextricably linked, but have two very distinct audiences. Line managers are not going to be interested in the technical aspects of the strategy, but they will be interested in the business aspects.

10. Know the person and speak to the person

For dealing with the CEO and other C-levels, it's important to get to know as much as you can about the individual. Learn their personal styles and preferences and tailor your communication method accordingly. Know what level of detail they expect. Know how they make decisions and what they pay attention to. Find someone you trust who has regular interactions with the CEO (or other leaders) and ask for advice about the best approach. Do a mini tabletop exercise: Would this work? If I presented this to the CEO in this way, how would he react?

"The CISO's job is about managing risk and coming up with the best possible way of doing it given a particular business context. In the current climate, the context is cost minimization. In another business climate, the context might be long-term business flexibility."
Professor Paul Dorey, Founder and Director, CSO Confidential; and Former Chief Information Security Officer, BP

"Understand the rhythm of the way your CEO is communicated to by other C-level officers. Get familiar with how your CEO is briefed. There is a tone, a rhythm, a format expectation."
Denise Wood, Chief Information Security Officer, FedEx

"It's an amazing process. Once you establish your value with a business unit, they'll tell others that, 'Security did this really cool thing, they came up with a strategy which took the money I was already spending and got me twice as much for it. You should have a conversation with them.' And then others will come knocking on your door. This is the kind of thing that comes up in the CEO's staff meeting."
Dave Cullinane, Chief Information Security Officer and Vice President, eBay
How Does the New Economy Change Making the Case?

Some may balk at the idea of trying to convince the CEO that security should be more strategic in the middle of the worst economic conditions in decades. How can you have a strategic security effort if you can't even get funding? But it turns out that most information security programs are still getting funded. In a recent global security survey, 63 percent of respondents say spending on the security function will increase or stay the same in the next 12 months in spite of the economic downturn. Of those facing budget cuts, most will be reducing spending by less than ten percent or deferring initiatives by less than six months. [11]

But that doesn't mean the going is easy. In fact, security programs are under intense pressure to perform. Although most organizations are not cutting too deeply into the security budget, at the same time, risks are increasing rapidly, potentially outpacing security's ability to keep up. The security team is also expected to take on more and more responsibilities as the funding remains basically the same.

Ultimately the approach to making the case for strategic information security doesn't change in the current economic conditions. It is still risk-based and business-driven. What changes is the focus on costs. This means looking at what must be done rather than what should be done and prioritizing based on the risks that are most relevant to the organization's strategic imperatives. The security officer needs to proactively determine what pieces of the information security program could be deferred, making it completely clear how deferrals change the risk picture.

"Get the data. There is an enormous amount of relevant data on broad macro trends and the internal company. Get the data to be able to say, 'Here are the three or four things we must do because of enterprise risk; here are the three or four things that are on the edge that we will want to implement over time; and here are three or four things that we can have compensating controls for and handle with a little more training.'"
Michael D. Capellas, Chairman & Chief Executive Officer, First Data
As economic conditions change, the CEO and other leaders may change their appetite for risk. If they decide cost savings trump risk reduction, it's the CISO's job to make sure that they understand exactly what level of risk they will be accepting as a trade-off, and get them to agree to accept that increase. Ultimately, security will always be adequately funded, because "adequate" means it matches the level of risk that the business deems acceptable.

Even if the security department is not directly facing budget cuts, many security teams may recognize that they need to share in the burden of curtailment. They are scrutinizing their operations and looking for ways to achieve efficiencies. For example, going through the entire program item by item and asking hard questions like, "Are we doing this just because it's been past practice or is it really adding value at this point?" This demonstrates an alignment with the CEO's efficiency goals.

Self-funding projects out of productivity gains is another way to build credibility with the CEO and C-suite. If information security can get as efficient as possible at basic operations, it frees up monies for new investments for meeting increased threat levels. The current downturn may present an excellent opportunity for cleaning up security operations to make them more efficient and scaled for future growth.

"You know you're doing a good job as a CISO when you can raise your hand and say to your colleagues, 'I have some budget that I should surrender because you need it more; I think I can keep the risk to an acceptable level.' It may mean you just gave yourself a harder job, but seeing the needs of the business as a whole is expected of an executive leader."
Claudia Natanson, Chief Information Security Officer, Diageo

"Having less funding is not necessarily a bad thing because it forces us to get smarter about how we use that money. The most important thing is to have as much impact on the organization as we can with the resources that we have. It challenges us to bring more quality to our operation."
Vishal Salvi, Chief Information Security Officer and

"Understand the reality, understand the business dynamics and adapt your strategy. For example, even if you have approval for hiring people, you might choose not to because the rest of the organization is being cautious. This will demonstrate that you are trying to be agile. When things get better, you can start hiring again."
Professor Paul
DoreySenior Vice President, HDFC Bank Founder and Director, CSO
Confidential; andFormer Chief Information Security Officer, BP11
14. Top Ten Ways to Alienate Your CEO Information security is a
relatively new 1. Waste their time 3. Use FUD function in
organizations; for example, the role When you are reporting to the
CEO (andFrequently resorting to messages of fear, of Chief
Information Security Officer (CISO) possibly other C-level
executives or the Board),uncertainty and doubt (FUD) is another
good has only emerged in the last few years.dont waste their time
by talking about details way to annoy the CEO and other C-levels.
Yes, Research indicates that only 44 percent of that dont matter to
them, for example theits important for them to be educated about
companies have established the role of CISO; number of viruses
detected or the number of threat levels, data breaches and
regulations, and thats after a significant jump from lastfirewall
hits. This is your 15 minutes of fame but if your objective is to
scare them into year when only 29 percent of companies had a dont
spend it on minutiae. If youve gainedspending on security, youre
not going to get CISO.12access to the CEO, choose the issues you
put in very far. Dont overuse headlines of cyberfront of him/her
and carefully prioritize aroundthreats and data breaches in your
Given the relative newness of the role, it cansituations when there
is a high impact risk and presentations to the CEO, especially if
you cant be expected that as some information securityyou need the
CEO to make a decision. Show upback it up with real data on how
these media professionals try to establish themselves astoo often
with minor problems and youll just reports specifically relate to
your companys strategic players, they are going to makebe noise.
situation. And dont show slides with photos of mistakes. Along the
way, there may not beprisoners in orange jump suits entitled, Could
many opportunities to make a good impression2. Waste moneythis be
you? on the CEO so its important to know whatMaking unnecessary
investments is a good way not to do.to rile your CEO. Some CISOs
have a gotta The following list provides ten surefire ways to have
it approach to technology and simply go alienate your CEO or other
leaders. If you dodown a list, buying everything every securityI
think the biggest alienation comes from these things, not only will
you potentially blow department should have rather than ensuring
your chance to assume the role of strategicthat every investment
ties back to business risk. scare tactics. From the perspective
that advisor to the organization, you might evenIf this is your
approach, the CEO wont considersecurity is the single and sole item
that I find yourself looking for a new job. This list you a good
steward of the companys money.should worry about. Yes, its
important, it was compiled from Council member Other ways to waste
money include running anneeds to have its place high in the
observations over the years and from our guest inefficient
operation rife with redundancies ororganization, it needs to have
more CEO who has had experience with green CISOsimplementing
excessive security proceduresthat slow everyone down and
reduceawareness, but at the end of the day scare who stumble along
the way to figuring it out.productivity. tactics never win. Data
and logic are alwaysthe more powerful tools.Michael D.
CapellasChairman & Chief Executive OfficerFirst Data12 15. 4.
Talk technical propose a solution, make sure its the right Your
mitigation strategies, yourIf you want to make your CEOs eyes glaze
one. Dont suggest something that doesnt approaches and the way you
bring yourover, talk about how the security team isolated match the
organizational culture, current ideas to the CEO, the way
youmalware samples or selected an encryption business objectives,
or economic climate, or isthe wrong scaled approach like
communicate, have to reflect the CEOsalgorithm and key size. Many
CISOs havetechnical backgrounds and specialized recommending a
massive application re-writevision for the company. It has to be in
thatexpertise, which can be a double-edged sword. just when the
company is laying off developers.context. Otherwise youre going to
be outYou might know the intricacies of cyber attacks It has to be
reasonable and actionable.of bounds with your solution.and
defensive technologies, but fall down7. Expect special
treatmentDavid Kentwhen it comes to communicating risks in a
wayWant to get on your CEOs nerves? Portray Vice President, Global
Risk and Businessthe business understands. Some CISOs have
aResources, Genzymetendency to speak only in technical terms
thatsecurity as more important than otherare inappropriate for
business audiences. functions and therefore deserving of
extraSecurity is a business issue, discuss it as one.attention. Or
think that security shouldautomatically be exempt when budget cuts
are5. Say I told you sobeing implemented across the whole
company.Dont discuss things in the old FUDWant a fast track to the
exit? When an incident Some information security professionals
believe manner fear, uncertainty and doubt. Ifoccurs, go to the
CEOs office screaming, I told if risks are increasing, so should
their budget. you walk into a meeting waving the latestyou this
would happen! It may be true that But its not necessarily a direct
line from morerisk to more spending. Consider the fact thatarticle
of some huge breach saying, Look,you tried and failed to convince
the CEOand/or others about a potential risk. But if an the business
units may face increasing this is going to happen to us!
theirincident does occur, you have to accept somecompetitive
threats, but that doesnt mean response will be, Yeah, give me a
break, weresponsibility for the security failure. A better their
budgets automatically increase in order to see that every day! And
arent you supposedattitude is, There was a decision to accept
thefend off competitors. to be doing something to make sure
thatrisk, unfortunately an incident occurred, lets8. Operate in a
vacuum doesnt happen to us?solve the problem.A good way to become
completely irrelevant isCraig Shumard6. Bring up a problem but have
no solutionto have goals that are not aligned with those Chief
Information Security Officer (or the wrong solution)of leadership
and the rest of the organization.Cigna CorporationDont raise a
problem with the CEO if you For example, continuing to focus on
fortifyingdont have some possible ideas for solving it.network
perimeter protection while all theCome to the table with
alternatives and business units are busy trying to save costs
bysolutions not problems. When you do moving data processing to
service providers. 13 16. 9. Create frustrating policiesOkay, this
is how security can help make this A really easy way to annoy the
CEO andhappen. Another report in the series, everyone else is to
issue frustrating policies. Mastering the Risk/Reward Equation:
Like decree that no one can have access to theOptimizing
Information Risks to Maximize enterprise network except
employees;Business provides practical advice on how to meanwhile
the business depends on partner find the right balance between risk
and access to be competitive. Or have a blanket reward. policy that
no one is allowed network access from home; yet employees need
flexible work hours. Or declare that no one can have a cell phone
with a camera in it, when it is nearly If an incident happens, dont
take the impossible to buy a cell phone without a camera and
everybody will have to check their position of, I told you and you
didnt listen cell phones at the security desk. Policies that to me.
It just means you were not able to are well-intended can sometimes
be completely sell the solution and hence you allowed that
impractical. You have to be realistic. risk to be accepted. You
need to be more 10. Say noaccountable for that, because its your
job This has been a strong, recurring theme in theto make sure
people listen to you. Security for Business Innovation report
series.Vishal Salvi Previously, information security officers have
Chief Information Security Officer often been seen as the ones who
say, No, you and Senior Vice President, HDFC Bank cant do that. But
if you want to be a strategic player, you cant say no. Instead
consider how you can help the business reach their objectives
safely. CEOs dont want to hear about projects. One of the previous
reports in the series They want to hear about transformational
entitled, The Time is Now: Making programs how are you going to get
the Information Security Strategic to Business Innovation builds on
this premise and offers a organization to where it needs to be? And
complete set of recommendations for how towhat are the metrics
youll use so you know move from being the naysayer to saying, youre
making improvements? Thats what they care about.Denise WoodChief
Information Security OfficerFedEx14 17. Ten Ways CEOs Can Put their
Organizations at Risk The previous sections covered what the CISO
(e.g. fraudulent ACH transfers), transferring example, the CEO may
believe the information should and shouldnt do in order to
convincemoney right out the door. CEOs and othersecurity problem is
solved because the CISO the CEO that security must be more
strategicleaders ignore risks to information at theirencrypted all
of the laptops. Not seeing the for the benefit of the organization.
But thecompanys peril.bigger picture leaves the company exposed to
CEO also has some skin in this game. The CEOall kinds of other
risks. needs to understand how his/her actions and 2. Set the wrong
tone at the top attitudes will impact the effort to protect The CEO
can put the organization at risk by 5. Think of it as just a
compliance issue information at the company. To that end, this
creating a culture of apathy when it comes to Regulations that call
for data protection from list looks at some of the top ways that
the protecting information. If the leaders dontSarbanes Oxley to
the many state, national and CEO, other C-levels and the Board can
put the consider it important, the rest of theinternational privacy
laws have certainly company at risk when it comes to
informationorganization wont either. Leadership needs tohelped CEOs
and other leaders become aware security. set the right tone at the
top. This means of information security. However if the C-level
actively communicating the importance ofapproaches it as just a
compliance issue, they 1. Ignore risks to informationinformation
security, being visibly supportive of will not be addressing the
most pressing risks. For whatever reason, the CEO and otherthe
security mission, and establishing it as aOften a compliance focus
causes a check list leaders may not consider risks to information
responsibility of everyone in the organization. mentality, whereby
its all about minimally all that relevant and may not spend much
time meeting requirements rather than examining thinking about
them. After all, there are plenty3. Get swept up in the media hype
risks. Compliance is definitely an important of other risks to
worry about; such asAs previously mentioned in this report, media
driver for information risk management, but it competitive threats
and financial risks. Buthype about cyber threats can steer the
CEOis not the end goal. given the current socio-economic conditions
and other executives in the wrong direction. If and the business
climate, protectingthey get caught up in all of the hype, they will
information has become a strategic imperative not be focused on the
risks that are most that warrants executive attention.relevant to
their organization, but rather on An important part of the CEOs
role is to the risks that make the best headlines. ensure there is
a sustainable baseline with An information breach could cause loss
of intellectual property, a major hit to the 4. Think of it as just
a technology problem on-going objectives. This cannot be a one-
companys brand, lawsuits and regulatory Since information security
often sits within the time, one-shot deal. It needs to be a issues.
But the stakes are getting even higher. sustainable, continual
evaluation and information technology department, it Companies are
increasingly suffering direct continues to be seen by many as a
technical assessment. financial losses as targeted attacks and
tailored specialty. But its not just a technology malware now
orchestrate illicit transactions Michael D. Capellas problem; its a
risk management problem. ForChairman & Chief Executive
OfficerFirst Data 15 18. 6. Dont set up a governance structure8.
Dont recognize you own the risk 10. Live in a bubble With no
governance structure, the securityIts the CEO, C-levels and the
Board whoThe nature of our Western, post-industrial program will
not have the power or the meansultimately own the risk, not the
informationsociety is to put the princes of commerce to adequately
manage the risks across the security officer. The CISOs job is to
help the into a different level of interaction in many
organization; nor will the effort be sustainable. risk owners make
the best risk decisions. If theorganizations. If the CEO and other
leaders are Ideally information risk management should be business
leaders dont recognize they own the insulated from the grim
realities at the front built into an overall enterprise risk
program risk, they wont adequately consider the riskslines of the
organization, they may put the and an Enterprise Risk Committee a
cross- nor consciously determine the companys riskorganization at
risk. Senior executives need to organizational and cross-functional
teamappetite. be prepared to know the true risk picture and
consisting of the most senior executives the actual capabilities of
their companys should be set up. A governance structure9. Dont
enforce the security policysafeguards and protections. should
ensure risk decisions are based on a The CEO, C-levels and the
Board not only own well-understood and defined methodology,the
risk; ultimately they own the information which is
well-communicated throughout the security policy. They should know,
approve and organization. ensure enforcement of the policy. One way
If the right governance structure is in that CEOs undermine
security policy is by place, the CEO and Board dont have to 7.
Assign information security too low in flaunting it themselves;
such as getting thethe organization pay undue attention to
security, as long as security controls taken off their computer If
information security does not have the right because they are too
much of an the committees responsible the Board level of authority,
it will not be taken seriously. inconvenience. The CEO needs to
lead by committee and/or executive committee This role cannot be
relegated to a database example. Lack of leadership support for the
and the CISO are doing their jobs. administrator who does security
part-time. An security policy means the information securityVishal
Salvi actual security leader needs to be appointedprogram cannot be
effective and puts theChief Information Security Officer and such
as a CISO or equivalent. Something asorganization at risk. Senior
Vice President, HDFC Bank crucial to the business as protecting its
brand, reputation and information assets should not be low on the
totem pole. The CISO should report at least to the C-level and be
on the Its prioritization and tone-setting. If its Enterprise Risk
Committee or well-represented important to the CEO, its important
to on that committee. the company. If he or she makes it a
priority, then it becomes part of the DNA of the
organization.Roland CloutierVice President, Chief Security
OfficerEMC Corporation16 19. Conclusion In the past it may have
seemed like an uphill climb just to get the executive leadership
and business teams to recognize the importance of information
security, but increasingly this is a given. This is a testament to
the hard work that information security leaders have been doing.
Now the campaign must shift from creating awareness of the need to
actually implementing a strategic approach to information security.
The CEO is your most important ally in this endeavor. He/she needs
to lay the foundation on which you will build across the entire
organization. It is absolutely key that you earn the confidence of
the CEO; he/she must trust that you know what youre doing and have
the companys best interests in mind. The benefits are clear. As
enterprises navigate through a long and spotty economic recovery, a
strategic, risk-based approach to information security will
optimize risk-taking and maximize the rewards of business
innovation.17 20. Appendix: BiographiesGuest Contributor Security
for Business Innovation Council MembersMichael CapellasAnish
Bhimani, CISSP,Roland Cloutier Dave Cullinane, CPP, CISSPChairman
& Chief Executive OfficerChief Information Risk Officer Vice
President, Chief Information Security OfficerFirst Data
CorporationJPMorgan Chase Chief Security Officer, and Vice
President, EMC Corporation eBayA 30-year veteran of the IT
industry, Anish has global responsibility forRoland has functional
and Dave has more than 30 years ofMichael became First Datas
ensuring the security and resiliency operational responsibility
forsecurity experience. Prior to joiningChairman and CEO in 2007.
of JPMorgan Chases IT EMCs information, risk, crisis eBay, Dave was
the CISO forPreviously, Michael was CEO ofinfrastructure and
supports themanagement and investigativeWashington Mutual and
heldCompaq Computer Corporation and firms Corporate Risk Management
security operations worldwide.leadership positions in security
atPresident of HP; and President andprogram. Previously, he held
seniorPreviously, he held executive nCipher, Sun Life and
DigitalCEO of MCI, where he oversaw theroles at Booz Allen Hamilton
and positions with several consulting Equipment
Corporation.successful rebuilding of theGlobal Integrity
Corporation and and managed security services firms,company.
Michael began his career Predictive Systems. Anish wasspecializing
in critical infrastructure Dave is involved with many industrywith
Schlumberger Limited and has selected Information Security
protection. He is experienced in lawassociations including as
currentalso held senior management Executive of the Year for 2008
by enforcement, having served in the Past International President
of ISSA.positions at Oracle and SAP the Executive Alliance and
named toGulf War and working with the He has numerous awards
includingAmericas. Michael serves on the Bank Technology News Top
DoD. Roland is a member of theSC Magazines Global Award as CSOboard
of directors of Cisco Systems Innovators of 2008 list. He High Tech
Crime Investigationsof the Year for 2005 and CSOand holds a
bachelors degree fromauthored Internet Security forAssociation, the
State Department Magazines 2006 Compass Award asKent State
University.Business and is a graduate of Partnership for Criticala
Visionary Leader of the SecurityBrown and
Carnegie-MellonInfrastructure Security and the FBIs
Profession.Universities.Infraguard Program. 18 21. Security for
Business Innovation Council MembersProfessor Paul Dorey Renee
Guttmann David Kent Dr. Claudia NatansonFounder and Director, CSO
Confidential Vice President, Information Security Vice President,
Global RiskChief Information Security Officer,and Former Chief
Information Security Officer, & Privacy Officer, and Business
Resources,DiageoBP Time Warner Inc. GenzymePaul is engaged in
consultancy,Renee is responsible for David is responsible for the
designClaudia sets the strategy, policy andtraining and research to
helpestablishing an information risk-and management of
Genzymesprocesses for information securityvendors, end-user
companies andmanagement program thatbusiness-aligned global
security across Diageos global andgovernments in developing
theiradvances Time Warners businessprogram, which provides
Physical,divergent markets. Previously, shesecurity strategies.
Before founding strategies for data protection. SheInformation, IT
and Product Security was Head of Secure Business ServiceCSO
Confidential, Paul was has been an information security along with
Business Continuity and at British Telecom, where sheresponsible
for IT Security andpractitioner since 1996. Previously, Crisis
Management. Previously, hefounded the UKs first
commercialInformation and Recordsshe led the Information Security
was with Bolt Beranek andglobally accredited ComputerManagement at
BP. Previously, he Team at Time Inc., was a securityNewman Inc.
David has 25 years ofEmergency Response Team. Claudiaran security
and risk management analyst for Gartner and worked inexperience
aligning security withis Chair of the Corporate Executiveat Morgan
Grenfell and Barclaysinformation security at Capital Onebusiness
goals. He received CSOProgramme of the World Forum ofBank. Paul was
a founder of theand Glaxo Wellcome. ReneeMagazines 2006 Compass
AwardIncident Response and SecurityJericho Forum, is Chairman of
thereceived the 2008 Compass Awardfor visionary leadership in
theTeams. She holds an MSc. inInstitute of Information Securityfrom
CSO Magazine and in 2007Security Field. David holds aComputer
Science and a Ph.D. inProfessionals and a Visiting was named a
Woman ofMasters degree in ManagementComputers and
Education.Professor at Royal HollowayInfluence by the Executiveand
a Bachelor of Science inCollege, University of London. Womens
Forum. Criminal Justice. 19 22. Security for Business Innovation
Council Members Vishal Salvi, CISMCraig Shumard Denise Wood Chief
Information Security OfficerChief Information Security Officer,
Chief Information Security Officer and Senior Vice President,Cigna
Corporation and Corporate Vice President, HDFC Bank FedEx
Corporation Vishal is responsible for driving the Craig is
responsible for corporate- Denise is responsible for security
Information Security strategy and wide information protection atand
business continuity strategies, its implementation across
HDFCCIGNA. He received the 2005 processes and technologies that
Bank and its subsidiaries. Prior to Information Security Executive
of secure FedEx as a trusted business HDFC he headed Global the
Year Tri-State Award and underpartner. Since joining in 1984 she
Operational Information Securityhis leadership CIGNA was ranked has
held several Information for Standard Chartered Bank (SCB) first in
IT Security in the 2006Technology officer positions where he also
worked in IT ServiceInformation Week 500. A supporting key
corporate initiatives, Delivery, Governance & Risk recognized
thought leader, he has including development of Management.
Previously, Vishalbeen featured in The Wall Streetfedex.com; and
was the first Chief worked at Crompton Greaves, Journal and
InformationWeek.Information Officer for FedEx Asia Development
Credit Bank and Previously, Craig held many Pacific in 1995. Prior
to FedEx, Global Trust Bank. He holds a positions at CIGNA
includingDenise worked for Bell South, AT&T Bachelors of
Engineering degree inAssistant VP of International and U.S. West.
Denise was a Computers and a Masters inSystems and Year 2000 Audit
recipient of Computerworlds Business Administration in
FinanceDirector. He is a graduate of Premier 100 IT Leaders for
2007 from NMIMS University.Bethany College.award.20 23.
References1. Global State of Information Security 2010, Price
Waterhouse Coopers2. NYSE Euronext 2010 CEO Report3. Business Case
for Data Protection, Study of CEOs and other C-levels, Ponemon
Institute4. Business Case for Data Protection, Study of CEOs and
other C-levels, Ponemon Institute5. Top Cyber Security Risks
September 2009, SANS Institute6. Business Case for Data Protection,
Study of CEOs and other C-levels, Ponemon Institute7. Global State
of Information Security 2010, Price Waterhouse Coopers8. Global
Security Survey 2009, Deloitte Touche Tomatsu9. Business Adoption
of Cloud Computing, Aberdeen Group10. Manage the Costs and Risks of
Third-Party Assessments, Information Risk Executive Council11.
Global State of Information Security Survey 2010, Price Waterhouse
Coopers12. Global State of Information Security 2010, Price
Waterhouse Coopers21 24. RSA Security Inc. RSA Security Ireland
Limited www.rsa.com2009 RSA Security Inc. All Rights Reserved.RSA,
RSA Security and the RSA logo are either registered trademarks or
trademarks of RSA Security Inc.in the United States and/or other
countries. EMC is a registered trademark of EMC Corporation. All
otherproducts and services mentioned are trademarks of their
respective companies.CISO RPT 1209