The CIO's Secret Weapon: Stakeholder PressureBy Steve Durbin | Posted 12-09-2013
The CIO's Secret Weapon: Stakeholder Pressure
By Steve Durbin
The roles of the CIO, and Chief Information Security Officer (CISO), have changed considerably over the past decade. Chief amongst these changes are that the security-based demands from company stakeholders have increased substantially as a result of major technological and cyber advancements.
Cyberspace is constantly evolving; its potential and real threats, vulnerabilities, complexity, and interconnectivity are always changing. The threat is asymmetric as activists, cybercriminals and nation-states disproportionately increase traditional information risks. In many organizations, cyber-security opportunities and risks have become a board-level issue, so the CIO, like the CISO, must engage at the boardroom level, where information strategy and risk should sit comfortably with other types of strategy and risk that the board oversees.
Information Security Under Pressure
Highly publicized breaches, and more stringent regulations, have put the spotlight on information security in most organizations around the world.
In a recent report, "Estimating the Cost of Cybercrime and Cyber Espionage," conducted by the Center for Strategic and International Studies (CSIS) and sponsored by McAfee, it is estimated that cybercrime and cyber-spying are costing the U.S. economy $100 billion each year and the global economy perhaps $300 billion annually. Malicious cybercrimes are estimated to cost as many as 508,000 jobs in the U.S. alone. This has put unprecedented pressure on C-level executives to assure stakeholders that sensitive information is secure. And as information security moves up senior management and the board's agenda, pressure will continue to mount. Like CISOs, CIOs must be able to shape the message and relay their successes to the board to sustain high-level support for security initiatives. A recent CEO survey, conducted by PwC in its Annual Global CEO Survey 2013, cited cyber-security as having the third highest possible impact on organizations—even ahead of a natural disaster disrupting a major trading and manufacturing hub or military tensions affecting access to natural resources.
Yet, as found by Carnegie Mellon University in its CyLab survey, "Boards are not focusing on important activities that would help protect the organization from some of its highest risks: the reputational and financial losses flowing from the theft of confidential or proprietary information or security breaches involving the disclosure of personally identifiable information (PII)." While a security breach gets immediate attention from the board and company stakeholders, the infrastructure and systems needed to recover from, and prevent another hit, are still not boardroom fare.
Engaging With the Board
The good news is that with increasing stakeholder pressure comes an opportunity to engage more openly and readily with the business. Publicity surrounding breaches, loss of data and the quantifiable impact on brand value has created an environment the like of which security professionals have never seen before.
Now is the time for CIOs and security leaders to take advantage of what seems to be a relentless focus on cyber-security to engage and demonstrate the true business value that their departments can bring. The successful leaders are steadily engaging with the board, while some are struggling for a number of reasons, such as:
• No established relationship with the board
• The board still struggles to understand the importance of cyber-security
• The information security department has difficulty communicating its cyber-security message to the board.
To keep their organization secure, both CIOs and CISOs need to lead and drive engagement with the board—and start by changing the conversation. They need to translate the complex world of information security and information risk into easily understandable issues and solutions. Like CISOs, all C-level executives must change their way of thinking and the resulting conversation so information risk can be considered with other risks that boards oversee.
The CIO's Secret Weapon: Stakeholder Pressure
Increasingly, I'm seeing leading security chiefs aligning or merging security strategies with business-focused initiatives and projects. This continues to be challenging for those that are working through their IT departments where security is seen as a purely technical issue.
However, the more forward-thinking security leaders are asking five questions of themselves and their boards:
1. How does cyber-security in general and information security specifically support our business priorities, such as attracting and retaining customers, maintaining or growing a competitive advantage, and fostering innovation?
2. If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was reasonably expected?
3. How can we validate our understanding of our information risks and how they are managed?
4. Should we as an organization or as a board be changing our approach?
5. Are we prepared for the future?
Engagement is about communicating the value of information security and delivering that value. Ideally, board engagement will be proactive, but it can also be reactive by, for example, responding to a board request for information about an incident.
Board engagement is a journey—and its path will vary. It will be easier, for instance, if you have high-level support, but it will be more difficult if the organization doesn't understand the value of information security. This journey requires careful planning, including identifying whom to influence, to changing the way executives talk about risk and information security, and choosing the right supporters.
Successful executives will be the ones who facilitate continuous engagement. Those who are seen as business enablers, and whose teams deliver successfully, will have a much easier engagement journey.
Better Engagement Equals Greater Benefits
The economic, social and technological landscape is vastly different than it was just a decade ago. CIOs must work with CISOs to safeguard information where increasingly volumes of the organization's sensitive data are outside traditional information security perimeters. Bring your own device and bring your own cloud initiatives present considerable challenges, as does the widespread adoption of social media, and today's executives must embrace these technologies or risk being sidelined by those who do.
Information security is typically not a goal or business objective—all activities should be aimed at enabling delivery of the strategy and benefits to stakeholders. As stakeholders apply mounting pressure, it's imperative that C-level executives continue to understand and deliver on heightened expectations relating to information security governance and information risk management.
When boards and executives engage successfully, organizations are more likely to realize the benefits of their strategic initiatives. Effective engagement enables organizations to take advantage of the opportunities presented by cyberspace and today's information technology while managing the associated security risks.
About the Author
Steve Durbin is global vice president of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
You can read his previous CIO Insight article, "Defending Your Company’s Reputation in Cyberspace," by clicking here.