CISO/CIO Summit Roundup: Three Key Takeaways
Last week, I had the good fortune to be able to attend two CIO and CISO summits that brought together local security professionals and several hand-selected security vendors. I was able to sit in on several presentations and speak with a number of executives, and it was insightful and illuminating to be able to hear firsthand about the issues and the goals that drive these professionals and their employees.
Following are three quotes I heard during my travels last week. They resonated with me not only because they helped to define critical challenges CISOs and CIOs face, but because they transcend the technical space. These points have value regardless of your organization’s structure, your specific role, or your day-to-day activities.
Leave politics to the politicians
Let’s face it: political landscapes are not confined to government entities and campaign trails. But as one CISO cautioned, getting caught in a political game can undermine your efforts and distract you from important goals at hand. He stressed building relationships over playing politics, which essentially means that your interactions should have purpose and integrity. Forging connections for purely political reasons can leave you with a reputation and burdens that are counter-productive to your objectives.
‘Sell’ decision-makers on new ideas, don’t ‘educate’ them
As Thornton May, a leading IT futurist, said in a keynote speech last week, your organization’s leaders don’t wake up in the morning wondering what you can teach them. As such, approaching your Board of Directors with the thought of educating them about an initiative can leave you frustrated (and lacking in budget). Instead, sell your ideas by way of compelling business drivers. One CISO emphasized the value of presenting decision-makers with a thorough, actionable plan that highlights deliverables, explains needs, and maps goals to business objectives. In so many cases, it’s not the what but the why that changes a red light to a green light.
Compliance does not equal security
This was perhaps the most memorable quote I heard last week, and the notion was addressed from both a technical and a non-technical perspective. It’s a viewpoint that should be carefully considered as more and more rules and regulations appear across the marketplace.
Why did this quote resonate with me? Maybe it’s because compliance, in essence, is a game of minimums. These are standards or activities that require “box checking”; organizations meet a set of requirements so they can say they’ve met them and because they’re told they have to meet them, not because they necessarily see the value in them. Often, there is no desire to go above and beyond the compliance threshold because…well, what’s the point?
And here is where you will find the gap between being compliant and being secure. Yes, compliance-related activities can help make your systems, processes, and procedures more secure. But it’s the evaluation of what security means for your organization and its needs that will lead you to recognize that the way you check the box matters. The quality of the products used and the robustness of a solution can make a difference, and choosing better paths can bridge the compliance/security gap.
Security awareness and training programs offer excellent examples of how varying approaches can yield wildly different results. Many industry regulations require organizations to deliver awareness and training to their employees — but they don’t specify how to do it. As we’ve told you before, not all cyber security education methods are created equal. You simply will not get the same results from a once-a-year PowerPoint presentation or video montage that you’ll get from a thoughtful, integrated, responsive program that allows you to assess vulnerabilities, deliver interactive training, reinforce key messages, and measure results. And yet both approaches will allow you to check the box on compliance training.
The best advice for connecting the dots between compliance and security is to regard compliance as a starting point rather than the end game.