Bob Bragdon Publisher, CSO
Communicating as a CSO
August 3, 2012
©CSO Magazine, Confidential & Proprietary, August 2012
Stand Up!
Do this with everyone in your organization, from the Chairman to the receptionist
CSOs trying to communicate with senior management…
Some are good at it, and others still have some groundwork to do.
The Good
• Business attire
• Organized
• Prepared
• Focuses on “the balance” between Risk and Business Opportunity
The Bad
• Excellent at solving technology problems, not so much on the strategy; or, excellent at the strategy, not so much on the execution
• Not great at translating risk into business language
• Viewed by management as “just another IT guy – the one who won’t let me use an Android”
…and The Ugly
Nearly Half of Respondents See Their Organization as a “Front-Runner” in Information Security Strategy and Execution
Section 2 – A world of front runners: Respondents categorize their organization
• Front-runners (43%): We have an effective strategy in place and are proactive in executing the plan
• Strategists (27%): We are better at “getting the strategy right” than we are at executing the plan
• Tacticians (15%): We are better at “getting things done” than we are at defining an effective strategy
• Firefighters (14%): We do not have an effective strategy in place and are typically in a reactive mode
Source: 2012 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2011
More so than ever before, security executives are speaking from a position of power
So why don’t they act like it?
Employing CSOs and CISOs is a big priority
• 85% of businesses, globally, employ a CSO, CISO or both
• More than half of the remaining businesses cite hiring a CSO or CISO as a top priority over the next 12 months
Where does the CISO report?
• CEO 34%
• Board of Directors 29%
• CIO 27%
• CFO 15%
• General Counsel 11%
Source: 2012 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2011
Risk Issues Touch Every Aspect of the Business
85% of enterprises have someone in the CSO/CISO role
Source: 2012 Global State of Information Security, PricewaterhouseCoopers, CIO, CSO, 2011
Risk issues, by the executive they touch:
• CMO: Intellectual Property & Brand Protection; Business/Competitive Intelligence
• HR: Investigations and Background Checks; Ethics
• Legal: Regulatory Compliance; Safety/OSHA
• COO: Physical Security; Business Continuity
• CFO: Fraud Prevention; Loss Prevention
• CIO: Infosecurity
• CPO: Privacy
Security Top Consideration in Company Investments
“Spending on information security is growing faster than spending on general technology. Global spending on security products and services is expected to reach $71 billion by 2014, up from $55 billion today.”
– Gartner
• Cloud – 67% of respondents are concerned about cloud security.
• Data Center – 93% of respondents say that security/risk management is at least a somewhat important business driver.
• Mobile – 72% of respondents plan to invest in security and data management software for mobile.
Security is the #1 response
Security Budgets Stable/Increasing
Q. Compared to the past 12 months, will your organization’s overall security budget increase, decrease or remain the same in the next 12 months?
Source: State of the CSO, CSO magazine, 2011, Harvey Ad Measurement Study, CSO Dec/Jan 2011 issue
[Chart: responses of 52%, 39% and 9%; only the label “Remain the same” survives from the chart.]
Average Annual Security Budget: $205 million
However, the amount spent on security is even higher as security investments are often split with IT.
“Enterprises see more and more of their IT budget consumed with costs to secure their environment.”
– Chris Liebert, Curtis Price, Christian A. Christiansen, IDC Analysts (Worldwide and U.S. Security Services 2011–2015 Forecast and Analysis, May 2011)
The Elevated Role and Reach of the Security Executive is the New Reality
Q. In the past 12 months, has your organization's senior management placed more, less or the same value on risk management? Does your organization use a formal Enterprise Risk Management process or methodology that incorporates multiple types of risk?
Source: State of the CSO, CSO magazine, 2011; 2012 Global State of Information Security, PricewaterhouseCoopers, CIO, CSO
• More Value 61%
• No Change 35%
• Less Value 4%
Focus on Managing Risk, Not Just Security
The CFO’s view of the world: Cloud Computing
Source: The Business Value of Cloud Computing Survey, CFO Publishing LLC, June 2012
The good news: your CFO “gets” the risk
Source: The Business Value of Cloud Computing Survey, CFO Publishing LLC, June 2012
So where’s the love & respect?
It has to be earned… over and over again
CBI²
• Credibility
• Business value and benefit
• Impact (financial)
• Impact (operational)
CBI²
Credibility
• Deliver on what you say
• Don’t say it unless you mean it
• Reserve FUD for those “special” occasions
Business value and benefit
• Always communicate business value and benefit – chances are your sr. mgmt. audience doesn’t get what you do
• Always take a logical thought through to its conclusion
Impact (financial)
• Explain the financials – upside & downside
Impact (operational)
• Understand the operational impact of your actions
Understanding what security does
• How often do you meet with the Board of Directors? What do you discuss with them?
• How often do you meet with your CEO? What do you discuss with him/her?
• How often do you meet with your CFO? What do you discuss with him/her?
• How often do you meet with your VP Sales? What do you discuss with him/her?
• Can your head of HR describe what you do? Can the receptionist describe what you do?
Sales 101
• Pick your battles
• Know your audience
• Have your Elevator Pitch ready at all times
• ABC
A little incentive
Carve your Rosetta Stone
Security/Risk                | Business
-----------------------------|------------------------------
Need Budget                  | New business initiative
Incident response            | New competitor
Headcount                    | Innovation (payback?)
New regulation               | New regulation
Final thoughts
• Play the part – be a senior executive
• Politic – nothing wrong with glad-handing and kissing babies
• Speak the language: business not technology, risk not security
• Power and success come from a position of strength… exactly where the profession is now