Who's guiding your business' information security program?
In the wake of this month's LinkedIn password breach, rumors began circulating on Twitter that the social network lacked a chief information security officer (CISO), leading many commentators to posit that the company hadn't treated its information security program with sufficient respect. LinkedIn, however, quickly clarified that while it didn't have a CISO--or synonymous chief security officer (CSO)--job title on its org chart, there was indeed a senior-level employee in charge of its information security program.
The security facts of the LinkedIn breach, including how attackers managed to obtain databases with possibly 10 million or more access credentials, as yet remain unanswered. But the "lacks a CISO" criticism of LinkedIn--however misguided--is a reminder that senior executives must keep close track of their organizations' security postures, as well as the risk it poses to the business.
[ LinkedIn isn't the only company on the line for its information security practices. See FTC Sues Wyndham Hotels Over Data Security Failures. ]
Here are 9 techniques for ensuring that CISOs can best help businesses maintain highly effective information security programs:
1. Deploy CISOs In Advance
When it comes to putting a CISO in place, "it's not a silver bullet," said Patricia Titus, VP and CISO of Symantec, speaking by phone. Titus is an authority on the role of the CISO, having served in that position for the past 10 years, including six years at the Transportation Security Administration (which is part of the Department of Homeland Security), and three years at Unisys, before joining Symantec.
"We're not the big flak jacket that stands out in front of the organization and takes the bullet." In other words, to get the most benefits out of a CISO, deploy one in advance of suffering a major breach.
2. Acknowledge How CISOs Reduce Security Costs
The Ponemon Institute's annual "cost of a data breach" report, sponsored by Symantec, this year found for the first time that in the United States, the cost of a data breach had dropped. "Our research has shown that organizations that have a CISO responsible for enterprise-wide data protection can reduce the cost of a data breach by about $80 per compromised record, which is about 35%--and that's a pretty notable stat," said Titus. "The decrease in the cost of a data breach is the U.S. study, so we're still seeing an increase in the rest of the globe."
Why does having a CISO help reduce breach costs, at least in the United States? According to Titus, it has to do with many U.S. businesses and government agencies now having more mature information security programs in place. "Instead of everyone wondering what to do, everyone knows what to do, and it's a repeatable process that's also defendable, if you're audited or have to prove compliance," she said.
3. Allow CISOs To Help Guide New Technology Decisions
Security groups previously gained a reputation for always saying no, but Titus said that as the people staffing CISO jobs have become "more well-rounded individuals" who balance both business and technology acumen, the role has been becoming increasingly proactive. "We're leaning into technology, versus saying no to it," Titus said. "Saying no just isn't going to get you anywhere. The technology is coming, and if you're going to say it's not, well, it's already here," she said, citing the bring-your-own device movement as just one example.
4. Make CEOs Demand Security Posture Details
What's a business' current information security posture? Given the prevalence of data breaches, today's CEO should be able to immediately answer that question. But in many organizations, the CEO hasn't a clue, and for organizations that want to better prevent LinkedIn-style breaches, such an attitude needs to change.
Earlier this year, for example, security vendor CORE Security commissioned a survey (conducted by Research Now) that found a widespread lack of communication between CEOs and the person in charge of their businesses' information security programs. According to the 100 CEOs and 100 security chiefs surveyed, in one-third of companies CEOs never receive updates on their company's security posture from the CISO, while in about one-quarter of businesses, security communications with CEOs happen only on a "somewhat regular" basis.