New RSA Executive Research Unveils Strategies For Closing CISO-CEO Gap
BEDFORD, Mass., Dec. 8 /PRNewswire/ — RSA, The Security Division of EMC (NYSE: EMC), today released a new research report that explores the link between CEO priorities and information security strategy, examining how a divide between an organization’s CEO and its security officer can detrimentally impact its risk profile and ultimate business success.
As the fifth report in RSA’s Security for Business Innovation series, Bridging the CISO-CEO Divide takes an in-depth look at what it takes to garner CEO support for a strategic information security effort. Coupled with that advice are recommendations for what CISOs should not do, taking a candid look at some potentially job-losing ways to alienate your CEO. Perhaps most importantly, the report challenges CEOs to see how their lack of support for strategic information security could unintentionally put their companies at risk.
The report is based on in-depth conversations with the Security for Business Innovation Council, whose members are the top security executives at the world’s largest organizations, as well as Michael Capellas, Chairman and CEO of First Data. (Listen to a podcast with Michael Capellas for his perspective on this report.)
“The importance of aligning security investments with the corporate agenda is now well understood,” said Art Coviello, Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC. “Yet in spite of this progress, most security leaders are still struggling to convince their CEOs that security absolutely must be a core component of their business strategy. It’s time to get this issue solved, and success will require both CEOs and CISOs to shift how they think, act and run their organizations.”
Report Issues CISO-CEO Call to Action
Bridging the CISO-CEO Gap calls attention to the fact that many of the actions organizations are taking to survive in this economy – like using new technologies and global business models to drive efficiencies – are both innovative and risky. Never before have information security officers been in such a strong position to help their companies take the right risks in the right ways. But, first they must gain the confidence and support of their CEOs. CEOs must also recognize that their companies’ success in recovering from the economic downturn and thriving in the longer term is dependent on their companies’ ability to expertly manage the risks they are taking.
Key recommendations to help security professionals gain CEO support include:
- Establish security champions within the CEO’s circle of trust: Win over those who influence or interact with the CEO on a regular basis (the Board and C-level direct reports).
- Set up a clear organizational structure: The security organization should have a crystal clear organizational structure. It must be clearly articulated, socialized and institutionalized across the whole enterprise so people “get” what security does, just like they “get” what other, more entrenched departments, like accounting and finance, do.
- Make it real: To help the CEO understand the risk, make it real. As much as possible, CISOs should quantify the risks. Don’t just give vague explanations; instead describe realistic scenarios with actual numbers for probabilities, impact and financial losses. Address these within the context of the organization’s market position, vertical industry and regulatory regime.
“You have to be able to understand risk analysis as the premise,” said Michael Capellas, Chairman and CEO of First Data. “That’s where you start. This is about risk. The language of business is about risk. And if you sit in a CISO position and you can’t meaningfully talk about measures of risk and layers of risk, you’re probably not going to be successful.”
The report also serves as a wake-up call for CEOs. It underscores the need for CEOs to understand how significantly their actions and attitudes will impact the effort to protect information at their companies. To this end, the Council points out some of the top ways the CEO can unwittingly put the company at risk when it comes to information security, including:
- Setting the wrong tone at the top: If organizational leaders create a culture of apathy towards protecting information, the organization will do the same. The CEO can set the right tone by actively communicating the strategic importance of this responsibility and establishing shared accountability for the protection of information throughout the organization.
- Thinking about information security as just a technology or a compliance problem: Information security needs to be viewed as a risk management problem. When the CEO doesn’t see the bigger-picture context surrounding security decisions, their company is inevitably exposed to all kinds of other risks.
- Failing to set up proper organizational responsibility: If information security ownership is not established at the appropriate level of seniority within a company, it will not be seen as serious. A role that directly impacts a company’s brand, reputation and information assets should have a security leader appointed to it such as a CISO or equivalent.
CISOs and CEOs can measure their progress in strategically aligning security and business via a private ten-question interactive tool.
About the Security for Business Innovation Council
The Security for Business Innovation Council is a group of highly successful Global 1000 security executives who are committed to sharing their own insights and experiences to help move information security forward at organizations worldwide.
Council members include: Anish Bhimani, Managing Director, Chief Information Risk Officer, JP Morgan Chase; Roland Cloutier, Vice President, CSO, EMC Corporation; Dave Cullinane, Vice President and CISO, eBay Marketplaces; Dr. Paul Dorey, former Vice President, Digital Security and Chief Information Security Officer, BP and Director, CSO Confidential; Renee Guttmann, Vice President, Information Security & Privacy Officer, Time Warner; David Kent, Vice President, Global Risk and Business Resources, Genzyme; Dr. Claudia Natanson, CISO, Diageo; Vishal Salvi, Chief Information Security Officer and Senior Vice President, HDFC Bank; Craig Shumard, CISO, Cigna Corporation; and Denise Wood, Chief Information Security Officer and Corporate Vice President, FedEx Corporation.
As a special feature, the report includes contributions from Michael Capellas, Chairman and CEO of First Data. As a Fortune 500 CEO and the leader of the largest payment card processing company in the world, Capellas is no stranger to risk.
The report released today is the fifth in the series, and RSA expects to publish more original Council reports over the coming months. Those interested in learning more about the Security for Business Innovation Council reports can visit the RSA Thought Leadership website at http://www.RSA.com/securityforinnovation/ to view and download all of the studies.
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. RSA’s information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle – no matter where it moves, who accesses it or how it is used.
RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.
RSA is either a registered trademark or trademark of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other company and product names may be trademarks of their respective owners.
SOURCE EMC Corporation