Depending on the size of the organization, the person with the most impact on driving security advancement could be a C-level executive or board member, but it could also be a non-executive administrator, and sometimes the one-person IT/security shop is the one paving the path.
Whoever it is, every business needs someone who makes security not only a line item on the budget but also a part of the overall culture. More often than not, though, organizations prioritize security for one of two reasons.
Josh Feinblum, vice president of information security at Rapid7, said, "Companies that care about security have either a progressive leadership team that believes it is important, or it is a company that has gone through a major event."
That's why, in many situations, it is not one person but one event that has the greatest impact. While most executives hope that the tide is changing, "The current state is more reactive," said Feinblum.
There are definitely companies focusing on security absent a catastrophe or regulatory driver, but, he continued, "It is frequently because they have other companies demanding it."
As a result, it is more common for a security team to spend a long time advocating for an advancement before it happens. "One of the greatest issues is getting [two-factor authentication] in place. Not so much at the firewall, but on all of the internal systems designed within a data center," said Feinblum.
In addition, there are a lot of issues with network segmentation and with patch or vulnerability management, he said.
Sometimes it's external rather than internal forces that drive security advancements in organizations, particularly with mergers and acquisitions. Feinblum said, "They might say, we're only going to do this deal if you can get this fixed in the next six months."
Inside an organization, the executive team that really believes in and values security has the greatest impact. Without that, Feinblum said, "You are fighting an uphill battle. If they don’t believe it’s important, it’s going to be de-prioritized."
In order to drive security advancement in any business, there needs to be a pragmatic and strong voice representing security, a CISO or senior level security person. "The savvy leadership teams are really trying to not worry about checking boxes. They are asking how do the bad guys operate and what do we need to disrupt them," Feinblum said.
For that reason, small organizations have a greater challenge. Travis Rosiek, chief technology officer at Tycoon, said, "They are understaffed, and their budget is pretty small. Typically they are doing IT work and security on the side. Keeping the lights on and systems up and running takes precedence."
With a single person who is both heading IT and juggling security, there is little chance that they are going to have deep expertise across the different facets needed to reduce all risk.
"The executive's job in smaller companies is fighting for the budget. Security is a fraction of the IT budget. IT is pretty small and then a fraction of that for security doesn’t buy you much," Rosiek said.
But smaller organizations do have an advantage in some regard. "IT and security teams are usually strong and interdependent. When there is a crisis or something suspicious, they are used to banding together and collaborating really well," Rosiek said.
As more companies come to understand that everyone is a target, boards have become much more involved. "There’s still a lot of organizations that think the threats are targeting different businesses and not them," Rosiek said.
Those progressive organizations that are more mature will have a CISO or CIO that has real visibility. Rosiek said, "From a maturation perspective, when the CISO is direct report to the CIO and has an audience with the board, those organizations are definitely prioritizing security."
On the other hand, where the CISO is three or four levels down and has no visibility, getting budget approval is a great challenge. That's why the people who really want to drive security advancement in any company need to be communicating directly with the risk owner.
"Whether you're dealing with a Fortune 500, mid-size, or mom and pop, the risk owner has to determine the acceptable or tolerable risk," said Darrell Drystek, ISSA senior member, ISACA board member, and owner of DDDrystek Consulting.
People want to feel secure, but few people want to really think about security. "We as security people have to make things simple for them. Educating them on what the value of data is," said Drystek.
"Most business directors would never dream of ignoring risk when it comes to funds, but there is a disconnect there in terms of data," Drystek continued.
That's why the communication needs to happen directly with the risk owner. Those enterprises that understand that risk is directly connected to business are the ones that are paving the way with sophisticated security programs.
Fortune 500 companies usually have a very regimented structure of layers to go through before getting to the board level. Those layers of both formal and informal communication most often enable security teams to get information into the right hands.
"What I use as a prod is data quality, both integrity and availability. Security risk is business risk. Compliance is a weak form of security where it becomes an insurance issue," Drystek said.
"For SMBs, you’re dealing with the owner or very close to the owner. It's harder to get them to pay attention unless you have the right sort of in. Data quality and protecting business plans is the in," Drystek said.
Because the highest percentage of data loss and theft is the result of sloth and apathy, said Drystek, "The root cause of all those problems is a failure of governance. It's a management problem, not a technical problem. Executive level has to set the tone for the organization."
That's why in larger enterprises, "The CISO usually becomes the person who drives both the strategy and the budget. They usually have a team," said Hitesh Sheth, CEO at Vectra Networks.
It's often seen in the Fortune 50 companies, said Sheth, that "The CISO is still heavily involved, but the board is involved as well. IT becomes a regular topic at the board of directors."
When more stakeholders are involved, "It creates more budgetary room, and more robust dialogue. It forces everybody to be thinking about the broader set of issues. If you are a vendor, there are more stakeholders that they need to get buy in from," Sheth said.
The companies that are the most nimble, that have found that balance between budget available and ability to move at speed, said Sheth, are the Global 2000 businesses.
"These organizations are just the right size. They can move at speed on their own and they keep abreast of what’s coming to market. They do their own research. The CISO drives security advancement with a larger team," Sheth said.
Regardless of the size of the company, the greatest impact comes when there is emotional buy-in from its stakeholders. Because one of the greatest hurdles to overcome in advancing security is the perception that security is about restrictions, security leaders need to build relationships in order to get that buy-in.