CISO challenges and security ROI
by Mirko Zorz - Editor in Chief - Monday, 7 April 2014.
Mark Brown is the Director of Information Security at EY. In this interview he offers guidance for CISOs, discusses the technical competence of company leaders, tackles security ROI, and more.

What risk areas should CISOs focus on today so that they are prepared for what the threat landscape will deliver tomorrow?

Wherever possible the CISO should move away from the technical detail towards a more core understanding of business management within the organization in which they are employed. Whilst the vector of threat will remain predominantly IT focussed and technical in nature, risk management is conducted at an enterprise level and operates beyond the confines of IT risk. The downstream impacts of security are felt across the entire business, and therefore demonstrating this broader business knowledge to the C-Suite will create a deeper sense of understanding of the true role and relevance of security.

It's been said time and again that security is moving from the IT department to the boardroom. Based on your experience, how security savvy are today's company leaders in general?

For many UK based CISOs, the recent UK Government initiatives have been a welcome boost to elevating the security agenda from the IT department to the boardroom, however this brings issues to the security professional that they have not previously encountered. For many years Information Security professionals have sought to gain C-Suite attention - the question is now can they handle the attention they are receiving and respond in a manner which appeases an increasingly savvy executive and non-executive management community?

The fabric of the boardroom and audit committee is changing, with companies bringing younger, more progressive-thinking personnel to the decision-making table. These new leaders recognize that security is necessary to business risk management, but are questioning in their attitudes and will not tolerate a response solely based on policy-driven compliance developed in response to outdated theoretical exercises. There is little doubt that there has been an increase in awareness and understanding by business leadership around issues of information security. However, I believe the more relevant question to ask is who needs to become more savvy - the company leadership about security or the security professional about business leadership?

What advice would you give to a CISO of a large organization that needs to outline security ROI to the management?

Ensuring that information security projects are aligned to business projects is fundamental to demonstrating the ROI of security to the C-Suite - if you cannot establish the link it is very difficult, if not impossible, to demonstrate anything further than intangible benefits.

Start by analyzing the projects across the business, not just internal to IT, that security is enabling, and talk to the business stakeholders responsible for those projects. Ask how involved security is within the project and what the value of the project is to the business. If security activities were not aligned to the project, would the project have been successfully delivered? If security cannot align itself to such projects, ask yourself why these security projects are even being conducted. Are they solely delivering a whimsical judgement by the CISO and/or CIO on what they believe should be done rather than a validated decision by the business?
