BANGALORE, INDIA: RSA, the security division of EMC, released a new research report that explores the link between CEO priorities and information security strategy, examining how a divide between an organization’s CEO and its security officer can detrimentally impact its risk profile and ultimate business success.
As the fifth report in RSA’s Security for Business Innovation series, Bridging the CISO-CEO Divide takes an in-depth look at what it takes to garner CEO support for a strategic information security effort.
Art Coviello, executive vice president, EMC Corporation and president, RSA, the security division of EMC, said: “The importance of aligning security investments with the corporate agenda is now well understood. Yet in spite of this progress, most security leaders are still struggling to convince their CEOs that security absolutely must be a core component of their business strategy. It’s time to get this issue solved, and success will require both CEOs and CISOs to shift how they think, act and run their organizations.”
Key recommendations to help security professionals gain CEO support include:
Establish security champions within the CEO’s circle of trust: Win over those who influence or interact with the CEO on a regular basis (the Board and C-level direct reports).
Set up a clear organizational structure: The security organization should have an absolutely crystal clear organizational structure. It must be clearly articulated, socialized and institutionalized across the whole enterprise so people “get” what security does just like they “get” what other more entrenched departments, like accounting and finance, do.
Make it real: To help the CEO understand the risk, make it tangible. As much as possible, CISOs should quantify the risks. Don’t just give vague explanations; instead describe realistic scenarios with actual numbers for probabilities, impact and financial losses. Address these within the context of the organization’s market position, vertical industry and regulatory regime.
Common mistakes the report identifies on the CEO side include:
Setting the wrong tone at the top: If organizational leaders create a culture of apathy towards protecting information, the organization will do the same. The CEO can set the right tone by actively communicating the strategic importance of this responsibility and establishing shared accountability for the protection of information throughout the organization.
Thinking about information security as just a technology or a compliance problem: Information security needs to be viewed as a risk management problem. When the CEO doesn’t see the bigger-picture context surrounding security decisions, the company is inevitably exposed to all kinds of other risks.
Failing to set up proper organizational responsibility: If information security ownership is not established at the appropriate level of seniority within a company, it will not be taken seriously. A role that directly impacts a company’s brand, reputation and information assets should have a dedicated security leader appointed to it, such as a CISO or equivalent.
CISOs and CEOs can measure their progress in strategically aligning security and business via a private ten-question interactive tool.