Security’s Visibility in the Board Has Gone Up Dramatically in Last Two Years: RSA CTO

Zulfikar Ramzan, CTO, RSA Security, in conversation, lists the top three mistakes he sees CISOs making and delves deeper into the growing proximity of the CISO to the board.

Q. What are the top three mistakes CISOs should be avoiding?

The top mistake CISOs make even today is not focusing on security from a business perspective. Another is not being able to scope incidents and issues correctly, leaving themselves in a persistently compromised state. Often I see the security teams under-scoping an incident, thus failing to clean things up completely and rigorously. This is linked to the issue of visibility. If one doesn’t have the visibility, one won’t be able to scope correctly. Thus, visibility is the means to an end here. The third mistake I see being made very frequently is not really owning and embracing identity as a critical part of the security strategy. In most organizations, identity is typically managed by someone outside of the security domain, even though security and identity are really two sides of the same coin.

Q. Talking about focusing on security from a business perspective, what is the on-ground reality in terms of organizations really looking at security as a board issue?

Five years back, if you asked a typical CISO who was on their board, they probably had no idea. But the CISOs I’ve been talking to in the last year or two tell me that they are presenting to the board every few months. Security’s visibility on the board has gone up dramatically in the last two years. As a result, every time a new breach is announced, the first thing we hear is not only a call from that company but from the other companies in that vertical. The accountability and implications for the executive teams are also increasing.

Q. What are the implications of this shift?

The biggest impact is on the CISO role and its competencies. While talking to the board, the CISO needs to have a certain business competency, including being able to talk in the language that the board understands, which is the language of business impact and risk. However, this has not been the case. Today there is almost, what we call, a gap of grief between the CISO and the board, as the former is more adept at talking technology and unable to articulate in the business language. The shift requires bridging this gap of grief. CISOs need to learn to translate the low-level technical details that they are used to talking about into the language of risk, thus driving more intelligent and meaningful conversations between the two.

Q. How can the CISOs build better business competency?

They have to start by asking themselves what business objectives they are trying to achieve and how to improve the state of the business. Then, they need to work backwards to figure out whether or not the investments they are thinking about making are going to help them achieve that ultimate goal.
