The CISOs (Chief Information Security Officers) in Orlando for the March 9th CISO Executive Summit were not as full of doom and gloom as you might expect, but hey, it was at DisneyWorld. The summit, which was ably hosted by Information Security Magazine, was a low-key Sunday event providing a suitably relaxed format for the attending CISOs to air their grievances. No world problems were solved, but knowingly or not, a few insights were provided into the challenges CISOs face and the directions they are taking.
The summit began with a roundtable discussion of the strategic mission of CISOs, which included CISOs for Bank of America, Motorola, PepsiCo and the U.S. Postal Service. The mix was interesting as two of the speakers were tenured corporate professionals, one was a newly minted CISO out of the Secret Service and the final roundtable member was a career bureaucrat who took on the CISO role as a short term project. While these CISOs were all highly skilled leaders and astute communicators, one left the roundtable with a sense that the CISO is still a role in search of itself, trying to find its final resting place in the corporate organizational chart and the best way to add value within the company.
Three of the four roundtable members reported to their Chief Information Officer, with one reporting to a CSO (responsible for physical security), who reported to the CEO. While no one on the panel complained about the reporting structure, a later speaker, corporate governance expert Thomas Horton, described this configuration as "the fox guarding the henhouse". The pragmatic speakers obviously believe in playing the cards they are dealt - only Motorola CISO Bill Boni hinted at the "opposed interests of the CIO and CISO", and for all speakers the main strategy for completing objectives and reducing CIO/CISO angst was integration with the business units. By working directly with the business units early on to securely solve business problems, the CISOs are finding fewer objections from IT bureaucracies as well as alternative sources of funding for security projects.
One point that all of the roundtable members got behind was that CISOs need to speak the language of risk management and put a reduced emphasis on technology when communicating with "C" level peers and corporate directors. As Bryan Palma of PepsiCo said, "What risks are you comfortable with? Do you want $1 security or $3 or $10?" Jim Golden from the USPS went so far as to say that, "Information security is nothing else but risk management." I thought the most insightful comment about this was from Boni of Motorola. While agreeing with the core need for risk management, he added that, "the hardest part is that the business will tolerate more risk than what you want". Boni went further to state that a lot of risk management decisions are made with 20th century management tools and that there is a lack of quantitative analysis metrics and data for new and evolving threats. To put it another way, one would obviously spend $100 to mitigate a threat that is at high risk of destroying millions of dollars of assets, but do we see that threat accurately? Our lack of knowledge of new high-risk threats that could be cheaply mitigated is stretching the capabilities of traditional risk management. Risk management is the best methodology for informed CISO decision making, and it needs to be more widely adopted within information security practices. However, it is a point well taken that we need better data and metrics to improve risk management's capability for solving information security problems. (The authoritative industry expert who disagrees with a risk management approach to information security is Donn Parker, who favors a due diligence approach. Donn's writings are widely available; you can also refer to his January 2003 interview with CSOinformer.)
Turning to budgets, most saw spending as flat to slightly increasing for 2003, but noted that world events and an improving economy could change the trend upward. Rhonda MacLean, Senior VP and Director of Corporate Security for Bank of America, said that the bank had just spent $7M on patch management as a result of the impact of SQL Slammer on its network. Boni and Palma both saw their budgets as below the industry average of 3-5% of total IT budgets cited by Gartner and Information Security Magazine. Boni was convinced that the real number is somewhere in the 2% range, but admitted that it is difficult to know within Motorola, as the engineers who comprise 70% of the company often solve their own problems. Boni said he is often forced to call security vendors to ask them what Motorola has purchased from them. All CISOs agreed on one metric - their organizations spent more on coffee than on information security in 2002.
There were a few other interesting nuggets that came out of the roundtable: MacLean said that Identity Management was the most overhyped technology for the moment, and the solutions BofA has tried have been woefully inadequate in terms of scalability and functionality. Boni's biggest challenge today is hiring infosec professionals; his ideal employee is "1/3 technologist, 1/3 business analyst and 1/3 lawyer". Golden's biggest issue for 2003 is improving security awareness and communications within the Postal Service. CISOs were unanimous in their concerns over legal issues, both over the known regulations and over predicting the potential liability from civil litigation. Horton said the time is right for some CISOs to step up and start a professional association of their kindred to help promote the role of CISO and improve the quality of the job they do. Most attendees seemed to agree that there is a lack of communication between CISOs of different organizations.
It is difficult to put all CISOs in a single category. Some act as the "Rodney Dangerfields" of their organization, either because of the lack of priority their company puts on security, their personal inability to execute a strategy, or for both reasons. Some CISOs have been able to speak the ROI language their fellow executives can understand and have been much more successful. In general, CISOs do not have the big stick they want and are still looking for the trail out of the wilderness. I think this is perfectly reasonable for such a new role. The effective CISOs are wisely using the business objectives of the company as their guide and are slowly building the reputation and autonomy their role needs to be successful.
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.