Security has moved from a back-office, technical discipline into the boardroom. So says Cisco’s senior vice president and chief security and trust officer John Stewart.
“There’s a combination of factors happening. Every business is becoming an IT business. We’ve gotten used to using technology, but oftentimes we have to remember that without it we don’t work,” Stewart says.
This means companies need to understand the value IT delivers to the business and the associated risks, whether these come from fraud, external threats or errors made by well-meaning personnel.
This extends from protecting transactions through to intellectual property.
“The true nature of Internet threat is only 25 years old. It’s a risk area that doesn’t have a lot of empirical data. It doesn’t have actuarial tables for insurance companies yet. It doesn’t have true formulaic structured rules. Even the profession itself – we don’t have definitions that are unilaterally accepted about what job titles do what,” says Stewart.
That means, in Stewart’s view, we are still at a formation stage in the infosec profession. Given the threat landscape and evolving nature of the industry, Stewart says boards cannot delegate the responsibilities and risks associated with cybersecurity. Boards and senior leadership teams must understand the risks, just like any other corporate risk.
“In all my discussions with a large number of corporate boards over the last couple of years, I’ve learned that they do want to know but they need to know it in terminology that is not typically the terminology the security industry uses,” says Stewart.
Stewart recommends that security reporting be road-tested with experienced board members before a formal presentation, so that the material is communicated to board members appropriately. For example, presenting a risk in terms of how quickly a rogue employee could damage the value of the company frames it in terms boards can more easily digest.
“You talk about effect, not causality,” says Stewart.
If a CISO enters the conversation saying there is a lack of visibility across the network and, therefore, they cannot protect it, they aren’t giving the board actionable information. However, if the same problem is presented as an inability to determine whether financial data is leaving the company because of that lack of visibility, the board can better understand the risk.
With continuing pressure on technology budgets it’s critical, in Stewart’s view, to structure budgets and measure corporate performance appropriately. If the technology function within a business controls the security budget – a typical situation – but IT is primarily measured on system performance and availability rather than on management of security risk, then budget pressures may result in cuts to security, increasing the company’s exposure to cybersecurity risks.
As well as his role at Cisco, Stewart is working with the Australian Government on the Cybersafety Centre.
The group has been working for the last few months through a series of working groups. The next step, says Stewart, is a face-to-face meeting, with information to be presented to government during the first half of 2015.
“One of the things I’m really encouraged by is every nation has to look at their cybersecurity strategy about every three years – I don’t think it lasts much longer than that. The US has some work to do. New Zealand is doing this right now. The Ukraine is doing it. The Czech Republic is doing it,” he says.
One of the challenges is finding ways to connect the cybersecurity discussion to an economic conversation, he added, again focussing on presenting cybersecurity risks in a language that is accessible to and actionable by key stakeholders.
Anthony Caruana attended RSA Conference as a guest of Symantec.