Contextualizing Privileged Account Security for the C-Suite: The Importance of CISO Communication Skills
December 1, 2015 | Security and Risk | John Worrall
In a recent Fortune Magazine article, “The 21st Century Club,” Editor Alan Murray wrote, “We are now in the early stages of a third Industrial Revolution, with an entirely different economic logic that is causing fundamental changes in the structure of business.” He also noted, “The 21st century will belong to those who embrace that disruption rather than fight it.” This is also an era of fierce competition and today’s C-level leaders face tremendous pressure to innovate and grow while driving digital transformation across their organizations.
With this business environment and rapid change, companies also have to proactively protect IP, brand and other assets. Among increasingly numerous strategic priorities, C-level leaders also have to plan for cyber threats that will affect business. Heightened media coverage of data breaches – many involving compromised privileged credentials – has increased the C-Suite’s interest in cyber security programs. Industry statistics show that 80 percent of board members say that cyber security is discussed at most or all board meetings, while 87 percent of CEOs are concerned about cyber threats, and half are ‘extremely concerned.’ The interest is there, but now there has to be sustained focus and attention to effectively roll out enterprise-wide security programs. To get C-level buy-in, CISOs must not only share the right amount of information, but also the level of detail that will resonate the most.
Gartner’s Paul Proctor provided an example of this. For an automobile CEO, he noted, it’s best to translate security problems into a language s/he understands – car production in this case. Executives know that one new automobile rolls off the assembly line every 90 seconds. That means an hour of IT downtime results in 40 fewer cars being assembled. Effective communication would focus on this type of cause and effect. Ideally, the security managers “report less cars in inventory to their executives, not IT downtime. Their executives don’t care about IT downtime; they care about cars.”
As their roles continue to evolve, CISOs recognize the value of effective communication skills in gaining executive cooperation and building lasting support for enterprise-wide change.
Azeem Bashir, former CISO at Fujitsu, echoed this advice in a recent CSO piece, stating, “Communication is essential. If the board is not listening to you, then rolling out your strategy or transformation program is just a tick-in-the-box. You need buy in at the top. Depending on the issue, communicating properly to a level they can understand is essential. They are fed up with scare stories.” He also advises CISOs to get advice from peers, to be less driven by tick-box compliance and to be more focused on agile leadership and TQM (top quality management) in order to address business risk.
On that note, CyberArk is championing an industry initiative called the CISO View to ensure CISOs can learn best practices from their peers. It’s no surprise that communication was among the key topics the 12 CISOs from Global 1000 companies explored in the inaugural CISO View report, The Balancing Act: The CISO View on Improving Privileged Access Controls.
The CISOs interviewed offer practical recommendations for communicating more effectively, building a powerful case, and ultimately, getting buy-in from the executive team to bolster an organization’s privileged account security program. The report includes recommendations based upon their experience rolling out enterprise-wide privileged account security programs.
In the report, Gary Harbison, Chief Information Security Officer for Monsanto Company says, “Make it real. Show the executives how business data can be accessed through privileged accounts. It’s the quickest way for an attacker to go after data and one of their main tools to drive a data breach.”
Within the report, some of the data the CISOs recommend for building and presenting a case for the C-Suite includes:
- Analysis of high profile breaches as they relate to your company
- Penetration testing results
- Compliance requirements
- Proof-of-concept results
You’ll also find detailed information on the key metrics that these experienced CISOs have used to help the C-Suite understand the value of a privileged access management program and how to best track the progress.
Ready for more actionable advice? Download the report.