had poor relationships with CISOs in the past, and that unfortunately continues to shape their perceptions today. It is very much like having a bad meal at a restaurant once and, rather than ordering something different from the menu the next time, choosing never to go to that restaurant again. These business leaders see people in the IS profession as technologists, not equals.
This translates into the number one complaint I hear consistently from senior business executives (COOs, CEOs, CFOs, Presidents): they are stuck dealing with very complex and technical people. This overwhelming business frustration with CISOs has led a number of industry verticals to establish new, separate positions outside of IT / IS, often called Chief Risk Officer or VP of IT Risk. These roles are specifically aligned with the business, and their charter is to understand business requirements. Interestingly enough, these roles then bring those business requirements to the CISO, who is now responsible only for the operational execution of the requirements, further widening the chasm between IT / IS and the business. Why does this divide continue to grow? The answer is pretty simple: CISOs haven't been able to convey the following effectively to business leaders:
• Managing or keeping pace with business demand. The business, and in some cases other parts of information technology (shadow IT), bypass the security organization to adopt or create new business solutions, only to bring their security colleagues in at the tail end of the project, just prior to go-live, and ask them to:
  o "Assume the risk" OR
  o "Make it secure"
• A vision and focus on business innovation. Hackers can compromise a ton of information in milliseconds, while at the same time the business has been very innovative in its use of technology, even "pushing" for what is often categorized as "bleeding edge" technology. Security organizations have not kept pace with these changes; in fact, the business sees security trying to slow these changes down.
• How ongoing operational expenditures (OPEX) and investments (CAPEX) support business activities. The most critical acronym for a security executive to demonstrate to their business executive counterparts is return on security investment (ROSI). Demonstrating ROSI is a huge challenge that even top security teams struggle with quarter after quarter, year after year. This results in CIOs being incapable of outlining how their day-to-day activities are adding value to the business OR helping
70 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide