By JO TIMBUONG, bytz@thestar.com.my
PETALING JAYA: Chief Information Security Officers (CISOs) have the tough job explaining the security status of the company and sometimes the data they present just draws blank stares from other senior executives.
Caroline Wong, director of regional risk and compliance product management at Symantec Corp, said many CISOs do not feel effective in executive discussions, not because they lack the necessary data but because they have trouble connecting their findings to the business.
"They shouldn't be talking specifically about IT risks but make a connection between that and how it will impact the business," she said in an interview with Bytz.
Many CEOs, Wong said, think of security as brushing their teeth or taking their vitamins. "Not exactly the most fun thing to do but something they need to do and will do whatever everyone else is doing," she explained.
According to her, there have been incidents where CEOs who did not clearly understand their organisation's state of security were shocked to hear about breaches from their corporate communications team following complaints from customers.
"This is the only time a CEO will sit up and take notice of the situation but it shouldn't come to that," Wong said.
She said there are few CISOs who are able to explain an organisation's state of security, but it's never too late to learn.
"Many organisations are still trying to find the best practices and what defences they should be investing in," she said. But having the tools alone does not make a good CISO.
Wong, who is also the author of a book titled The Beginner's Guide to Security Metrics, believes the effectiveness of the presentation is linked to the language the CISOs use.
Using easy-to-understand terms and anecdotes to illustrate an organisation's security risks has clear benefits.
Besides enlightening their colleagues and keeping company data safe, Wong said, CISOs who are able to clearly explain and justify business investment in IT security are the ones most likely to receive funding for their department.
She said tools like Symantec's Control Compliance Suite (CCS) can help CISOs come up with a comprehensive report about a company's state of security, but its graphs and charts will be wasted if CISOs do not explain the situation clearly.
"If they explain in technical terms, no one is going to really understand or even pay attention," she said. Experienced CISOs rarely use terms like "firewall" and "servers" in their presentations, according to her.
"Instead, they use terms like 'according to different business units' or 'my human resources data.' This way, there is increased accountability for various sides of the business and the CISO can tailor the conversation for different stakeholders," Wong said.
What CISOs can also do is assign scores to the risks, which will make it easier for the less-technical stakeholders to understand. Wong said this feature is available with Symantec's CCS.
"And by knowing the score, stakeholders can decide on what they need to do to meet the security requirements, and will be accountable for any decisions they make," she added.
For more information on CCS, go to www.symantec.com.