Business executives can’t spell cybersecurity without r-i-s-k

Well-entrenched reporting structures and stilted conversations about risk are still preventing many CISOs from effectively communicating with their direct reports and company executives, a security analyst has warned as Melbourne prepares to welcome thousands of networking and security specialists for the annual Cisco Live! conference.

Board members want to talk about cybersecurity in terms of risk and value direct conversations with CISOs. However, warns Forrester Research analyst Jinan Budge, “one of the board’s biggest challenges is that we security people don’t talk in risk. We talk about security, technology, projects, initiatives, and metrics – but there is a subtlety in language and language matters that translates into strategy, metrics, and actions.”

Budge, whose presentation on the ‘art of security’ will join a host of expert speakers at the Cisco event’s cybersecurity innovation stream, notes that many organisations are still handicapping their security response by having CISOs report to CIOs or other executives who sit even further from the board.

“This means the ultimate responsibility for reporting on security to the boards rests with the CIO,” Budge told CSO Australia, noting that boards longing for a conversation about risk often end up being served up defanged PowerPoints given by CIOs who are continually balancing cybersecurity concerns against other issues.

“This is really causing a lot of tension between the CISO and CIO at the moment, and it’s very difficult to overcome,” she said. “Over-manufactured board presentations have got to go, and we need to move towards trusted dialogue.”

Planning and organisational tools such as Forrester’s CISO Strategic Canvas offer potential value towards closing the gap, but efforts at demarginalizing the CISO can take on many other forms as well.

John Maynard, vice president for global security sales, believes the right technological architectures can help ease many of the logjams that keep organisational units at odds and struggling to maintain a common conversation about security.

Greater diversity and complexity of technology strategies is partly to blame, he told CSO Australia in the leadup to his appearance at Cisco Live!, with CISOs scrambling to extend often monolithic cybersecurity practices into sophisticated, integrated cross-architectural models

“The real problems on our customers’ minds are cross-architectural,” he explained, with many customers seeing security as a moving target while they rearchitect networks around software-defined networking (SDN), software-defined WAN (SD-WAN), and other services.

“This is absolutely a board-level conversation,” Maynard said. “Customers are making sure they can build flexibility and automation and assurance into their networks, and that’s not just a networking conversation anymore. That is a secure networking conversation, and it is the seminal technology change of our lifetime.”

That conversation inevitably leads to changes – for example, diversion of traffic directly to cloud services rather than directing it through a centralised point – that require a diversity of well-integrated security tools that can be deployed as on-premises services, security appliances, cloud-based, and endpoint-based parts of a greater security whole.

To fill out this whole, Maynard’s security strategy in recent years has been driven by organic and inorganic mergers and acquisitions that have brought a wealth of security expertise into the company – and helped customers who are “fatigued” by trying to integrate their own security infrastructures.

Cisco is working to “make sure we are best of breed from a threat advocacy perspective in those specific domains and control points,” he said, noting that the company’s open-API strategy now has more than 250 industry partners.

“Our whole strategy is simplicity through native integration, and a harmonisation of policy management. This provides a path for customers to defragment, consolidate, and leverage their existing technology investments in the security domain – and it allows you to completely reconsider how and where you start to look at your security controls.”

Maynard sees the company’s message as being targeted towards CISOs and security-operations teams – but as this clearer perspective on new security architectures emerges over time, he said, it will drive “very strong positioning, and a very strong presence from a security and risk perspective.”

Driving a better risk conversation by getting more technological may seem counter-intuitive, but clarity at the security levels should ultimately trickle upwards as CISOs become more confident in conveying their security positioning and strategies.

This, in turn, will drive a better conversation about security at every level of an organisation united by a more common understanding of the security-business risk nexus.

“These are skills that each of us needs,” Budge said. “Even if we are not presenting to the board, we are contributing to the overall culture and overall success of security.”

“So, these conversations need to happen more often at all levels. If you want it to be successful and sustainable, you have to bring people along – and you have to be very crafty about how you do it.”