The CIO role in cybersecurity: Advice from a former White House CIO
Date: Mar 13, 2013
Cybersecurity and data privacy were hot topics at the recent Fusion CEO-CIO Symposium in
Madison, Wis. As cybercriminals take on bigger, more high-profile targets, businesses are beginning
to pay much closer attention to issues of security. They are and will be looking to the CIO and IT
for answers. How can CIOs best prepare for these boardroom conversations? Former White House CIO
Theresa Payton, now CEO at Fortalice LLC, a cybersecurity solutions company based in Charlotte,
N.C., sat down with SearchCIO.com to share some advice. First up: Stop doing what you're
Karen Goulart: I'm starting to hear -- and in fact I've heard a few folks here at the symposium saying -- that the topic of cybersecurity is something that's coming up in boardrooms now, thanks to some recent high-profile hacking incidents. Are you finding this to be true, and what would you advise CIOs to do in the face of this?
Theresa Payton: I am seeing it as a trend, and I think it's a healthy trend that the boards are thinking about risk and security in the same sentence. How do we bolster our security? How do we manage risk and at the same time, be a good business, making money and being productive -- so the boards are discussing it even more.
You know, it's interesting; I just read a study where the CIOs and the CISOs are saying, 'I'm briefing the CEO of the company and I'm briefing the board all the time [on security].' The study went on the flip side and asked the CEOs of those companies how often they get a security report -- a 'State of the Union,' if you will -- on their company from the CIO or CISO. Only one-third said they ever remembered seeing one. So for those of you who think you're communicating, my point in bringing that up is, you probably aren't communicating in their terms, according to their goals and according to their directives. So you've got to find a way to connect the security briefings you're doing to important business initiatives; otherwise, obviously you're sending the reports up, and they're not even recognizing that they're getting them.
Do you have any advice on how best, or better, to do that?
Payton: Some advice would be, again, look at the company strategy. Are there three key objectives for the year? Are there five? And literally tie your security conversation around those company objectives. So talk about a key project that's getting ready to be delivered and talk about how some of the security changes that you're making are going to support that project. You need to talk in terms of the things that are on the minds of the board, on the minds of the CEO and tie that so you show that you're actually adding value.
Good advice! What are the biggest blind spots companies have when it comes to cybersecurity and how can they be addressed?
Payton: You know, it's interesting; one of the emerging blind spots that I think we're going to see exploited much more this year than last year are the social media platforms. And a lot of companies aren't really thinking about, No. 1, the personal use of their employees using social media, and then the corporate use. There's a lack of policies and procedures, or the policy is just, 'If you're not in marketing, don't use it.'
I have an example of a company that, just by leveraging social media, we were able to guess their enterprise architecture for their data centers. We started first on LinkedIn, with very detailed resumes, but from there we went to support chat boards, to blogs, to all different types of places. Now, again, we had an unfair advantage -- we knew what we were looking for -- but at the same time it was all open source information. And by assembling that information as good guys, we were able to show this company how their social media platform put them at risk.
What do security providers need to be doing right now to improve security?
Payton: It's interesting; there's a lot of focus on products. Buy this latest product, and it keeps these types of attacks and threats out. And I think that's helpful, but at the same time, it's not holistic. And I think that the security industry, especially the product providers, need to show how their product is part of a holistic solution, instead of thinking about it as sort of a zero-sum game: 'You have to buy my product because you only have so many dollars, and don't buy their product because you need to spend it on mine.' They need to be actually thinking about a strategic enterprise architecture for security and educating their clients and providing that thought leadership to say, 'You know the threats that are coming at you. The security that you need requires this type of enterprise architecture, and here's the piece that we solve for.' So instead of just trying to elbow everybody else out to make sure you're at the table, give them more thought leadership; give them some strategies and some ideas on what they can do that doesn't necessarily involve selling your product.
Often security problems can be traced back to human error that's not necessarily malicious; it's employees downloading things they shouldn't be; it's a lack of education. Who do you think is the best person in the enterprise to communicate the security message to employees, and what sort of approach would you suggest they take?
Payton: Depending on the size of your organization, you may not have a learning and training staff on board, but if you could have somebody who's got either a good communications mindset or a good training mindset and pair them up with your security experts, you're going to develop a more robust and a more meaningful educational awareness program than if security just drives it by themselves. And, if you can, don't make it an event, but actually part of the corporate structure and DNA.
Think about how far we've come with diversity training; think about how far we've come with fraud training at companies. That type of training a lot of times started with HR, but it's become part of most companies' DNA. That's really where security needs to get to. It needs to not be that thing the security group does; it needs to be something that's seen as a part of the corporate culture -- not a once-a-year 'check it off the list.' It's posters, it's conversations, it's case studies, it's healthy competitions where you're playing Internet safety games, it's a variety of different things. And in the beginning, it's got to focus on the individual, because that's how they're going to remember it. Right now their job is not security; their job is doing the task their boss gave them. The last thing on their mind on that task list is what you told them in a security briefing. But if you can train them how to be safer in their personal life and at home, that is going to carry over into how they conduct themselves in the office.
Let us know what you think about the story; email Karen Goulart, Features Writer.