The group all agreed that IT is becoming a more complex issue. Elements like the cloud, software providers, and interconnectivity have created a vastly different technology landscape than in years past. The group settled on five different things that highlight how to address this in the future. The first thing needed is a cultural shift. Security must involve the business and communicate priorities from the top level down to the bottom. It also becomes important to consider, “When do the folks developing the products, building the apps, giving the data to third parties, creating what the business really is, when are they actually thinking about security?” Security must be made a priority early and throughout these processes. The group didn’t feel that we necessarily have to do more than what we’ve been doing in the past; we just have to do it differently.
Second, the group also agreed that some of the things we’re going to have to do might require more money, but the efforts we’re going to have to make aren’t necessarily greater in quantity; it’s just a matter of refocusing them in different ways. We’re still going to have the technology, and we still have to know what the processes are; we just have to worry about how to do it more efficiently.
The third point focused on the importance of risk management and how it’s more critical than ever before. The idea of avoiding all breaches has been replaced with the idea that “there will be one, so how do we deal with it?” The issue then becomes: how do you get the board to see what that is going to look like? How do you get your business to see how badly you’re going to be portrayed when the media says, “You should have done this”? If you have the right story, if your company was doing the right things, you’ll look a lot better. There is no such thing as perfect security, but showing diligence can help your organization in the face of a breach.
The fourth point looked at how security evolves faster than general technology. Boards keep asking why security teams ask for more and more money. The CIO sees budget reductions as IT is commoditized, but this isn’t the case for information security. The team agreed that if you have the right governance structure, it doesn’t matter where you report. That governance structure has the financial priority, or the responsibility, to go to your executive committee and say, “The CISO is right. He needs money to put in an APT platform.” No one person in the company has that money; rather, it has to come from the company’s bottom line.
Finally, the group discussed the issue of how to convey, in terms of the business, “What’s the cost we have to pay?” A lot of this issue goes back to benchmarking and showing “this is how well we’re protected” compared to peer organizations. Finding something that resonates with your executives, so they can see where you really stand, is key. If you’re going to try and do something innovative, there are certainly going to be risks involved, but you should be able to take those risks. This, however, requires that you find a way to get that message in front of the board.