What I learned when I left security
Much has been said about the great divide that keeps business leaders from truly understanding the perspective of security professionals. One way CSOs can close that gap is to simply cross to the other side.
We found four professionals who did just that, including three former CSOs who now hold other business roles and one former security journalist who is an editor at the renowned business publication Harvard Business Review.
They shared with us their new perspectives on how they view security and risk management from across the chasm.
We spoke with four former security professionals who now hold business roles. Here is a brief bio on each:
Now: CEO at Mitre 10, a retailer in New Zealand.
Then: Hartmann spent the first 10 years of his career as a supervisory special agent with the FBI, after which he joined Cardinal Health as vice president of security. He moved into an information security risk management role at Home Depot, after which he served in a series of business roles, starting with long-range strategic planning and culminating with the role of chief operating officer for Home Depot Supply Electrical.
(In our early days, Hartmann helped CSO gather management advice from Patrick Lencioni; read that interview here.)
Now:Director of Global Program Deployment, Avery Dennison, based in Hong Kong.
Then: After serving in the military, working as a policeman, running the computer department of a ski hill and then joining a computer startup, Brown moved into security at Veritect, where he was a consulting director and trainer. He joined Avery Dennison as a manager of network security and then IT director.
Now: Runs the program management office at Bangor Savings Bank in Maine.
Then: Blake started as a network security architect at Netegrity and then became a vice president of information security at BindView (now owned by Symantec). After serving as CISO at Liberty Mutual, he changed paths to become a financial advisor at Wells Fargo.
Now: Senior Editor at Harvard Business Review.
Then: Berinato helped launch CSO Magazine in 2002 after covering security, technology and business topics first at PC Week, and then at CIO magazine. His in-depth security coverage won numerous national journalism awards.
On the importance of a business mind-set:
Charlie Brown: When I first moved into the business, I went to the website to do some research, and our Web filtering software wouldn't let me go to Abercrombie because it identified it as pornographic material. Another thing it wanted to block was "XXXL," which is a size of clothing, so it kept orders from going through.
So one of the insights I would offer is to really understand the markets you're in. Sixty percent of the volume in the garment industry comes out of China and Asia. You can't create a security policy if you don't understand what the great firewall of China is all about or the cultural differences of how people work in Indonesia and Bangladesh. You can't have a data center migration policy if you don't understand people in some countries work Saturdays, don't work Fridays and don't celebrate Christmas.
John Hartmann: If I could change one thing about my career before transitioning into the business, I would have spent more time understanding the inner workings of how the business made money. Every company has a different business model and a different way of being profitable.
[Read more about the business role and value of CSOs]
Understanding that profit model will give you a more balanced perspective around how you make proposals and position important initiatives, whether it's information protection or computer security or business continuity. It will help you think more broadly about what solution should be pursued and how you should implement it in a cost-effective way.
On what "networking" really means:
Scott Blake: What I understand better now--and wish I understood better as CISO--was the importance of networking. I thought I understood it, but not as well as I do now, and the time I spent being a financial adviser was incredibly helpful for that.
Security and IT people tend to be very analytic, and we tend to want to persuade with facts and data. But getting a client to understand what they need to do to secure their financial future is a very emotional thing for them, and the same is true in the information security world. You need to make an analytical connection, but you also need that emotional connection.
If I'd known that when I was a CISO, I would have done a lot more networking and paid a lot more attention to the emotional piece of the case I was trying to make.
On understanding business leaders:
Scott Berinato: I now realize that business leaders are consumed with so many responsibilities that you'd be lucky to get six minutes of their time. I'm not saying it's impossible to get business execs to hear what you're saying about risk, but it's become more clear to me why the disconnect exists and will continue to. There's no secret formula that will get CEOs to understand, care about and consistently consider what are--to them--remote, vague threats. If it's not an immediate threat, it's hard for them to focus on it.
I've learned this is not something that will be fixed or overcome--it's just something that has to be managed. The best you should hope for is an executive who will empower you to be a strategic part of the organization and will actually give you the floor to talk about what you need to talk about. People trust leaders, so the most effective thing a leader can do is show people, "Hey, this stuff matters." That's more powerful than trying to get them to understand in detail how online threats work.
[Also read Security and business communication 101]
That has shifted my thinking from trying to effect a massive culture change so everyone is thinking about security all the time, to realizing that that's impossible. What is possible is being able to communicate on a regular basis with the right people.
Blake: It's very difficult to communicate at scale. It's much more effective to communicate one-on-one. With my financial advising clients, I could send a letter out and some might take it to heart, but if I sat down with them, it would have a significant impact. The same is true when you navigate corporate America. The security department can send out emails all day long, but they still need to make individual connections. You need to convince leaders and key influencers one-on-one, who can pass it on through the rest of the organization.
A mistake some CISOs make is focusing just on the CEO, but sometimes it's more effective to convince everyone else who the CEO listens to.
Drawing a parallel with being a financial adviser, a lot of times when you're dealing with a couple, often one will defer to the other, but it's not always obvious which is which. There are key influencers on the other side of the table, and being able to influence them is key to being convincing.
Brown: There's a different dynamic when you're working in the business versus for the corporate entity. In the business, you're dealing with budgets and outages and screaming customers.
When I take somebody from corporate with a $100,000 pet project out to the manufacturing floor and show them how many tags and labels we need to make to make $100,000 in profit, it blows them away.
On knowing end users:
Brown: Security starts with the end user--that, by far, is the weakest link, with the proliferation of passwords and end users not educated about what makes a computer and network secure. So to get on their radar, I would focus on leveraging automated or long-distance training through quick, five-minute webinars or infomercials, with one or two key bullets of, "This is what we're talking about this week. Let's do this thing really well next month." It could be about passwords, secure use of wireless, paying attention to who you friend on Facebook, thinking before you double-click on that attachment and what to do if you think something is fishy.
Information security isn't 100 people--it's three, four, five, 15 key people in the organization. You need to think about how to leverage their expertise, get them in front of the end users in an enticing way so you're not offending but embracing them.
Blake: Security professionals tend to gravitate toward a cartoonish vision of end users--that they're not competent or they don't understand technology. But that's not true--they do understand the need for security, but they chafe against it when they don't see the value or can't do something they want. It's more of an education issue than anything else.
Users have a desire to do the right thing. They don't want to put the company at risk, but they need to get their job done, and that's their first priority. So security professionals need to make sure things are as easy as they could possibly be--not because it improves compliance, but because it improves users' ability to do the right thing, which is what they already want to do.
The discussion needs to be, "Here's how you can do what you need to do in the right way." It's not, "Don't send confidential information in an email," but, "Here's how you can communicate that information in a secure manner."
On balancing risk and cost:
Hartmann: Business isn't black-and-white. You need to strike a balance between what's required to protect the business and running the business in a cost-effective way.
A perfect example is how, after 9/11, disaster recovery and business continuity planning got a whole new focus, and many companies learned from those discussions about the balance between running a business and thinking about the many issues they could face that we didn't think about before. Many companies have made disaster recovery planning an annual part of their risk assessment, while for professionals involved in this type of work, it's part of their daily responsibility.
[Find lots of risk measurement and management strategies in Security metrics: critical issues]
Brown: You need to provide insight and leadership along the lines of, "If you want to be 100% protected, it will cost $10 million, but for reasonable protection, this is what we need to do, these are the gaps to fill."
On whether to buy that security tool:
Brown: Make sure you've signed up for something you can pull off. Many companies have these gadgets--intrusion protection and detection, wireless security--that may not reap all the benefits they initially thought they would. You put in an intrusion prevention device and put the rules on it, and people complain because they can't do this or that, so you turn off a lot of the features. You're still paying maintenance fees, but are you using it to do what you bought it to do?
So, don't rely on security vendors to provide ROI for you. Base it on what you believe you can do based on your company's culture, your team's capabilities, your team's throughput. A lot of times, you can't get the product's full potential because you just have too many things going on.
On the trend toward the consumerization of IT:
Brown: Bring-your-own-device is coming; it's a given. The fact is, my housekeeper in Hong Kong has a newer laptop and better software than I have on my business computer. Figure that one out for me.
The challenge is, don't invest in hardware and software; allow your employees to invest in that and leverage what they already own. Figure out how to integrate that into your systems. With 20,000 employees, $1,000 per computer and $1,500 per software license, it's cost-prohibitive. But if you allow people to use their own equipment, I guarantee they will come to work with the latest and greatest.
This means putting a stake in the ground--having a crisp and clear policy of, this is the device we are supporting, so you can build an app and send it out, and it's done. People would flock to it because they'd feel empowered.
On whether to play up the fear, uncertainty and doubt factor:
Berinato: The ability for CSOs and senior security executives to demonstrate calm, commanding leadership is more important than I previously thought. People in security roles naturally adapt to a crisis mentality, but if something is happening and you're saying, "This is a big deal; this is scary," it's not good. A threat combined with a lack of information causes severe stress for people.
This seems to come naturally in the physical security world, where they tend to approach problems methodically and analytically and come up with a plan, and if it doesn't work, come up with another plan. The nature of the information security threat is more amorphous and harder to control.
Blake: Selling security with FUD works, but it's not necessarily the best way to do it. You can also emphasize the positive things security can do for a business. Having seen that security is top of mind for internal clients in the financial services industry, I now know that I should have looked at security as a service provided to internal customers, a value brought to the table.
On why security is more important now than ever before:
Brown: Looking back, I'm more paranoid about security now than I was back then. We didn't have these consolidated hacker groups like Anonymous that wanted to prove their point, whether to GM, the Vatican or whatever. How do you balance your security posture when at any moment, you could be subject to someone with more manpower and time than you have? There's a lot of damage that an external group can do to a company if they have it out for you. They're coming at it from a specific angle, and it's difficult to anticipate from a business standpoint.
Hartmann: Generally speaking, the business does not fully understand how serious the threat is to the critical infrastructure, network data and proprietary information from foreign governments, foreign companies, domestic competitors and others with less than legitimate intentions. Security professionals need to continuously educate about these risks and work to implement balanced risk mitigation plans and tools.
Berinato: The disconnect between the realities of security and the pop media treatment of it presents a challenge, especially in the hacking world. All of that is very real and very dangerous, but I can't tell you the number of stories I read in respected media outlets that dumb down or misconstrue the threat.
Ever since 9/11, security has become a pop culture phenomenon. There are lots of popular myths, simplifications and ideas that people take to heart, and security professionals have to understand and dismantle these and help re-explain things in the right way.
On why security professionals would enjoy a business career:
Hartmann: Security-related backgrounds provide a strong foundation for working in a core business role. Whether it's an inquisitive mind-set, interacting with a large variety of people from all walks of life or keeping an open mind to how the story might unfold--these are skills that folks with security backgrounds have that, when applied correctly, pertain to the business itself. To this very day, I draw on skills and techniques I learned in my early career.
Having a risk-averse perspective is actually a positive thing in business. As long as it's not taken to the extreme, this mind-set forces you to come at something from different angles to reach a strong conclusion. If you're going to market with a new product or approach, asking all the right questions will result in the highest possibility of success for that new project.
Brown: You don't get the short-term wins on the security and technology side that you get on the business side. It's a refreshing place to be. There's not a week that goes by where I'm not negotiating a million-dollar bid, whether it's Abercrombie calling, or Victoria's Secret wanting neon pink thread, or I need to make unicorns appear--immediately!