Regulatory compliance requirements and concerns over data compromises have elevated the importance of information security issues in corporate boardrooms, according to panelists at the 32nd annual conference organized by the Computer Security Institute. And that trend is lending urgency to the need for security managers to adopt a more business-oriented approach to their jobs.
Selling security to management has become easier because of issues such as privacy threats and data piracy, said Terri Curran, director of information security at Framingham, Mass.-based Bose Corp. “In a sense, the road has been paved more for us” by such issues, she said. “Management knows they’ve got to have security.”
The problem is that security managers often tend to understand technology issues better than they understand risk management, said Jack Jones, chief information security officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.
As a result, there often is a misalignment with business goals, he said. “Perfect security is not achievable,” Jones said. “At the end of the day, [the security function] is about managing the frequency and magnitude of loss.”
Doing that requires security managers to get better at framing technology issues in a business context, he said. “That’s a significant problem for us,” he said. “As long as we have a misalignment between the two, we have a challenge.”
Increasingly, the goal isn’t about information security but about information assurance, which deals with issues such as data availability and integrity, said Jane Scott-Norris, CISO at the U.S. State Department.
That means organizations should focus not only on risk avoidance but also on risk management, she said. “You have to be able to evaluate risks and articulate them in business terms,” Scott-Norris said.
To be successful, CISOs need to have a combination of technology skills and business savvy, said Bill Hancock, vice-president of global security solutions at Savvis Communications Inc. in St. Louis. “If you don’t know how to communicate well, you will fail as a CISO,” he said.