CW500: Why security professionals need to rethink their role

Security professionals need to think less about technology and more about the business needs of their organisation

Most businesses think their chief information security officers (CISOs) are not doing a good job at securing their organisations, according to Mark Brown, director for advisory risk and information security at advisory firm Ernst & Young.

"Not only are they saying they don't think we are doing a good job as information security professionals, they are actually saying we are not doing a good job from the point of view of the business," he said.

Brown drew on research by Ernst & Young to challenge security professionals to start thinking less about technology and specialist security solutions, and more about the business needs of their organisation.

"We need to demonstrate the moral courage to challenge our own profession, to challenge our teams and our own way of working," he told IT security professionals at Computer Weekly's CW500 Security Club.

Company boards, he said, have lost patience with security professionals who do not understand the language of business.

"If we want to be listened to, we can't talk bits and bytes, we can't talk fear uncertainty and doubt, we can't talk hell fire and brimstone; we have to speak a language that will be listened to,î said Brown.

To win credibility, security professionals need to move from being technology blockers to become technology enablers, he said.


Mark Brown, Ernst & Young

Gareth Lindahl-Wise, BAT

Alan Jenkins, T-Systems

"Security can make business sense. It is linked to business strategy, business process and enterprise architecture," said Brown.

Measuring the effectiveness of the enterprise security architecture and being able to demonstrate that to the board is vital, the meeting heard.

Some organisations attempt to look at risk tolerance levels, while others look at the balance between investments in IT security and savings to the business. Tracking the number of security incidents over time is another common metric.

In his previous role as chief information security officer of SAB Miller, Brown said he was asked to present security metrics to the board.

"My predecessor had a metrics dashboard which talked about the number of virus events, the number of firewall breaches, the number of patches," he said.

Image goes hereMark Brown,
Ernst & Young

Brown took the dashboard idea a stage further to present the board with an analysis of the total cost of security incidents to the business.

"For me, the cost of a virus equals that much downtime, equals that much operational profit. That is what the board wants to hear," he said.

It requires an intimate understanding of the business to understand what an hour of downtime actually means.

"Can a site operate at 70% effectiveness, or does it have to operate at 100%? You can then quantify the financial impact, through risks, and that is the key success indicator the board will actually listen to," said Brown.

Gareth Lindahl-Wise, group information security manager at British American Tobacco, said security professionals should focus on making sure the security processes are right.

"It is not necessarily always a case of focusing on the outcome. It is putting faith in the idea that if you define the process correctly and you follow it, you are likely to come up with the right answer," he said.

It is a mindset that does not rely on measuring the performance of patching or firewalls, according to Lindahl-Wise.

If we want to be listened to, we can't talk bits and bytes, we can't talk fear uncertainty and doubt, we can't talk hell fire and brimstone

Mark Brown, Ernst & Young

Risk management

Risk management is one area where there is companies have a lot to learn. Too many security professionals try to take a formulaic approach to risk, a legacy from the financial services industry, according to Brown.

"How many companies have even documented what their risk attitude is, or would even know how to start to document that risk?" he asked.

For many, the answer to risk management is simply to create a risk register. "A nice little spreadsheet. Yes, it's got a bit of red, a bit of green, a bit of amber. Have we updated it? Yeah, we changed a few colours here and there. That is not risk management," said Brown.

Alan Jenkins, who has just left his role as chief security officer at T-Systems, agreed that risk management is a weak area for many IT security professionals.

"There is something about risk management that we all need to get better at. Our business acumen, our business skills, our business understanding all need to get a lot better," he said.

History shows that strong risk management can make all the difference when a company is hit by a security breach. RSA, for example, had a major security breach two years ago, which compromised the security of its smart tokens.

"The stated cost immediately after the breach was something of the order of $64m to fix it. I think we all recognise that it was a conservative number and the actual cost was a lot bigger," said Jenkins.

Yet, RSA handled the breach well, and is not only still in business, but shipped a record number of smart tokens last year.

Contrast that with Sony, which suffered a similar hacking attack. "Its market share just over a year on is something like two-thirds lower," he said.

UK business leaders' verdict on IT security 

85% state that information security is not fulfilling business needs

88% report an increase in external threats

57% report an increase in internal threats

61% cite a lack of budget as main hurdle

57% of businesses view information security resources as lacking necessary skills

62% do not align information security to enterprise architecture or business process

38% do not align to organisational risk appetite

Source: Ernst & Young

Professional certification

Another area where security professionals struggle is the lack of a widely recognised professional certification for IT security specialists.

The market is overcrowded with professional associations and alternative professional qualifications.

"We need, I dare say, to cull a lot of the societies that want to become the professional body [for security specialists], amalgamate them, and get them all to come up with one certification," said Brown.

The question is being tackled by E-skills UK, the public/private sector partnership for IT training, which has won government funding to create a cyber security skills framework.

Philip Virgo, chairman of the Conservative Technology Forum, is looking for employers to take part in the development of the framework.

"Very often, all the funding is around information security skills, except the reality is, if you are a user, you want a mixture of infosecurity skills, physical security and business understanding if you are going to deliver real value for money," he said.

The framework will aim to establish which security skills need to be in-house and which can be outsourced.

"The good news is that E-skills has done a good job corralling pretty much all the warring information security tribes," said Virgo. "The bad news is that they are all purists. That is why I need employers to beat them into shape."

Three key questions to ask about your enterprise security architecture

These three key questions will ensure that you will meet the commercial needs of the business, while keeping information secure:

  1. How does it optimise financial performance and minimise financial risk?
  2. How does it protect the brand reputation of business?
  3. How does it protect and enhance customer loyalty?

Source: Mark Brown, Ernst & Young

Adding value

If security professionals can demonstrate how they can add value to the business, they are unlikely to find difficulties winning funding, said Brown.

Those companies that have adopted security enterprise architecture approaches have seen their security budgets go up, he said.

"The budgets are going one way, and that is up, because you are actually demonstrating how they have value to the company, how they protect the value within the company, how they minimise the actual risk," he added.

Most board directors sit on multiple boards, and they don't want to be seen spending less than their competitors.

"In my experience, if you ask the right questions in the right way, you will get funded," he said.

But acquiring a business mindset can be challenging for security specialists who are steeped in technology.

Brown advised information security professionals to spend time out of the IT department, to learn the workings of the business. 

"Unless you do that, you won't get to learn the language of the business. By doing that, you also get to know who the movers and shakers are, and you learn who to contact, who can be a friend and an ally. You also learn who to avoid," he said.

Communication is also essential. Ernst & Young's survey revealed that 60% of boards only receive one or two briefings a year on security.

"If they are only getting one five-minute briefing a year, they can't be knowledgeable about the risk. We have to change the messaging and elevate the message in the right manner so it will be listened to," said Brown.

Quest for common standards

There is no unifying standard for security architecture

Gareth Lindhal-Wise, British American Tobacco

One of the biggest challenges facing CISOs is that each IT supplier approaches security in a different way.

"There is no unifying standard for security architecture," said Gareth Lindhal-Wise, group information security officer at British American Tobacco.

The more suppliers and outsourcers a company works with, the greater the complexity and challenges of getting different systems to work together.

"When you start throwing more suppliers in, you have got a slightly different feel. You multiply that challenge and complexity and confusion again and again," he said.

For Mark Brown, director of risk at Ernst & Young, the problem is analogous to having multiple firewalls on a network.

"If you have one rule, it is easy to secure. If you have multiple rules, you create overlaps and gaps. It is exactly the same when you have multiple suppliers," he said.

A new security and outsourcing standard ñ IS0 270036 ñ will offer a stepping stone to simpler security. But the prospect of a single standard for enterprise security architecture is unlikely.

"Industries and sectors may be able to get together and agree they can live with one standard, and that will help them and help the outsourcers," said Lindhal-Wise.

In the meantime, the best advice is to keep the enterprise security architecture simple.

 "If you can keep your enterprise architecture as simple as possible, with as few moving parts as possible, it will survive a lot longer," said Brown.

Case study: The T-Systems approach to enterprise security architecture

Image goes hereAlan Jenkins,

T-Systems, the outsourcing arm of Deutsche Telecom, has developed a company-wide enterprise security architecture.

Dubbed Enterprise Security Architecture for reliable ICT services (Esaris), the aim is to help T-Systems reduce costs by having a single methodology for security.

"We are trying to drive standardisation. That is becoming important to reduce costs and leverage our capabilities across the group," Alan Jenkins, chief security officer at T-Systems, told the CW500 Security Club.

The company, which provides outsourcing services, believes standardisation is essential to keep down costs for customers.

"These days we can see year-on-year cost reductions of around 6% as standard in our contract, so if we keep on delivering the same, that gap between our revenues and our cost base narrows," he said.

Esaris is a complex framework with a lot of accompanying paperwork. It draws on well-known security standards, such as ISO 27001 and PCI.

And, in typically German style, there is a significant focus on standardised processes, according to Jenkins.

"That is how we drive consistency, repeatability and quality, as those are key parts of what T-Systems seeks to offer the market," he said.

T-Systems offers clients a bespoke outsourcing service, but nevertheless places a strong emphasis on standardising its approach. Esaris offers standard building blocks, which the company can tailor to each customer.

"We aim for 70% common across an area, 20% common across an industry sector, and the last 10% specific to a customer," said Jenkins.

Increasingly, outsourcing customers are demanding evidence about the strength of their security, more often than not, because industry regulators are also demanding it.

"We need to make sure we have got the procedures in place, for example the granting of administration rights, so we can track who had got root access and who has not," he said.

Keeping an audit trial of systems changes is a challenge in itself. "We have one architecture, 20 concepts, 31 standards, 500 security measures and more than 12,000 pages [of documentation], and growing," said Jenkins. "We are a German company after all."

Read more on Managing IT and business issues