InfoSec in the Boardroom

| December 29, 2011

boardroom.jpgEli Sowash, CISSP

As an information security professional, the task of communicating InfoSec concepts and concerns to executive management can sometimes be challenging. That security breaches like Sony, RSA, and Lockheed are grabbing mainstream media attention means security ideas and concerns are increasingly making their way to the boardroom. Since executive support can be one of the most valuable tools in the InfoSec professional’s toolbox, using these case studies with your own management can be a great starting point in letting them know that the security team understands the risks to the business.

It’s the job of an organization’s executive management to set the strategic direction, and building a relationship with the management team can mean incorporating proper security practices into the business process at the highest level. InfoSec professionals can then parlay this seat at the table with the baby step of an awareness program, which is a great way for management to lead by example.

We are all being called upon to answer to and collaborate with senior management differently than in years past. Here are three tips I’ve found that help to explain our world to the businesses we’re protecting. 

twitter-icon.png delicious.png

Discuss in Forums {mos_smf_discuss:Opinions}


 

1. Boardrooms Don’t Have Grey Areas

There’s no end-state to Information Security. I often hear it described as an ‘arms race,’ a competition where there is no absolute goal. The threat is constantly evolving with each time the bad guys find a vulnerability, the good guys develop a countermeasure. The attackers answer by finding another vulnerability to exploit. A security professional must tread the line between facilitating communication while maintaining a secure state. When you’re in the boardroom; however, reality exists as black and white. I was once asked by a CEO, “Are we secure? Can we be hacked?” The best possible answer I could have given is “Yes, we’re as secure as we can be, and yes, we can be hacked.” To the person who hired you to prevent such an occurrence, these two answers are incongruent.

Instead, prepare yourself to discuss specific threats, and the countermeasures in place to prevent them. For example, when discussing the ever present ‘Internet Hacker,’ your perimeter firewall and Intrusion Prevention System (IPS) are working overtime to combat the intruder. That new Adobe vulnerability? The spam filter is tuned to scan for maliciously crafted PDF attachments, and we pushed a patch to your PC that closes the vulnerability. Keeping the company secrets off of Wikileaks? Well, there’s a proposal for a DLP solution in the hopper, if you could throw your executive support behind it… you get the idea.

2. Boil It Down Into Easily Digestible Content

Talking to non-technologists about the differences between application layer firewalls and perimeter firewalls (and how both of these technologies differ from an in-line IPS), will more often than not encourage a semi-glazed stare followed almost immediately by a compulsive need to check their Blackberry. Throw in a discussion on cross-site scripting and SQL injection, and you may as well have been speaking Romulan. Unless your executive management team has a background in technology, your message will be lost by your audience due to the use of overly technical concepts.

I’m by no means suggesting dumbing down your dialog. Senior executives are smart people and wouldn’t be in the position they’re in if they weren’t. All that means is that you need to mix a little extra description into your presentation. Principle of Least Privilege and Separation of Duties cover the majority of topics at the management level. Wielded carefully, they can apply to almost any scenario. Staying with the firewalling example, your typical perimeter firewall blocks all but the ports & protocols required to run your applications. For instance, your web server doesn’t run your email, so your perimeter firewall keeps hackers from attacking your web server on an email port. Least privilege: SMTP is not necessary for the web server to do its job, so it doesn’t have SMTP. Likewise, your email server doesn’t host your website, so throwing hacks at your website won’t harm your email system. All this is in the realm of separation of duties.

3. FUD Has No Place in the Boardroom

Keep the horror stories in the headlines and don’t scare your audience into buying in to your project. Fear, uncertainty and doubt (FUD) breed irrationality, and irrational decisions lead to failure. The risks in the ecosystem are very real and sometimes terrifying. Letting an emotional reaction play into the decision-making process, especially in the case of senior management, can artificially inflate the actual organizational risk. This means resources, both human and capital, can be diverted into less productive channels and may fail to mitigate the actual risk.

It is particularly important to keep this in mind when working with vulnerability scanning and penetration testing results. In the proper context, these reports should give senior management real insight into the security posture of the organization. Pentesters are skilled hackers. Very infrequently will they come across an organization that doesn’t have some room for improvement. The very same reports presented carelessly can wreak havoc on the InfoSec resource allocation. Present the vulnerabilities, risk to the organization, and recommendation for remediation to management as cold, hard facts. To reiterate, don’t let emotions drive the decision-making process.

Final Thoughts

The good news for us is that the field of information security is maturing, and the task of getting management support is not as daunting as it was five or ten years ago. Executive management is now beginning to appreciate the value that the InfoSec team brings to the table, even if they do not fully understand the concepts. InfoSec professionals should prepare themselves for discussions with managers at that level in order to bridge the gap between our world and the boardroom.


eli_sowash.jpgEli Sowash is a seasoned IT professional who found himself taking on the challenges of Information Security almost completely by accident. Making his way through the technical field as a small-business consultant, network administrator, software tester, support resource, and tech engineer has left him with a unique understanding of the challenges of IT from the outside in, and the application of a troubleshooting methodology to more than just technology. To Eli, Information Security issues are simply more technical nuts to crack, and he applies a practical and pragmatic approach to solving them. Until recently, Eli held the position of Director of Information Security for JoS. A. Bank Clothiers, a 1B east coast menswear retailer. He has recently decided to further diversify his IT Security experience by joining the Division of Information Systems Security and Operations for the Social Security Administration. Eli currently holds Security+ and CISSP certifications, among others, and is working towards CISM and CISA credentials.

Category: Opinions

Comments are closed.