Brown: You need to provide insight and leadership along the lines of, "If you want to be 100% protected, it will cost $10 million, but for reasonable protection, this is what we need to do, these are the gaps to fill."
On whether to buy that security tool:
Brown: Make sure you've signed up for something you can pull off. Many companies have these gadgets--intrusion protection and detection, wireless security--that may not reap all the benefits they initially thought they would. You put in an intrusion prevention device and put the rules on it, and people complain because they can't do this or that, so you turn off a lot of the features. You're still paying maintenance fees, but are you using it to do what you bought it to do?
So, don't rely on security vendors to provide ROI for you. Base it on what you believe you can do based on your company's culture, your team's capabilities, your team's throughput. A lot of times, you can't get the product's full potential because you just have too many things going on.
On the trend toward the consumerization of IT:
Brown: Bring-your-own-device is coming; it's a given. The fact is, my housekeeper in Hong Kong has a newer laptop and better software than I have on my business computer. Figure that one out for me.
The challenge is, don't invest in hardware and software; allow your employees to invest in that and leverage what they already own. Figure out how to integrate that into your systems. With 20,000 employees, $1,000 per computer and $1,500 per software license, it's cost-prohibitive. But if you allow people to use their own equipment, I guarantee they will come to work with the latest and greatest.
This means putting a stake in the ground--having a crisp and clear policy of, this is the device we are supporting, so you can build an app and send it out, and it's done. People would flock to it because they'd feel empowered.
On whether to play up the fear, uncertainty and doubt factor:
Berinato: The ability for CSOs and senior security executives to demonstrate calm, commanding leadership is more important than I previously thought. People in security roles naturally adapt to a crisis mentality, but if something is happening and you're saying, "This is a big deal; this is scary," it's not good. A threat combined with a lack of information causes severe stress for people.
This seems to come naturally in the physical security world, where they tend to approach problems methodically and analytically and come up with a plan, and if it doesn't work, come up with another plan. The nature of the information security threat is more amorphous and harder to control.