A panel of security experts stated that a strong partnership between the chief information security officer, chief information officer, and general counsel is a key part of preparing for and responding to cyber attacks.
Sara Andrews, senior vice president and chief information security officer of PepsiCo, stated in a panel discussion at the Mandiant Cyber Defense Summit held earlier this fall that implementing cyber security plans and protecting organizations from cyber security threats is not something that CISOs can do alone.
“The chief information security officer can do everything possible to develop the best strategy, but if partners and employees don’t accept it, then we will be a mess,” Andrews said.
Communication is a recurring theme throughout the discussion.
John Carlin, the former acting deputy attorney general and panel host of the U.S. Department of Justice, said: “We have seen recent cyber attacks that have attacked the car gasoline we need and the burgers we want to eat at the barbecue on July 4.”. “An attack like this can disrupt our way of life, so it’s important to discuss in advance how to prepare for an attack.”
Andrews said that modern CISOs are business partners. Security policies should be embedded in business discussions and decision-making from the beginning, not just proposed during audit and risk committee meetings.
Teresa Tonthat, vice president of IT and CISO at Texas Children’s Hospital, added that security leaders need to share emerging risks and cybersecurity issues with executive leaders. One way is to show their investment in cyber security.
“We expand our voice and mission in front of our leadership team and stakeholders because we can’t be everywhere at the same time,” Tonthat said.
Translate for your partner
Security leaders also need to be able to translate complex technical details into business concepts for effective communication with board members and other executive leaders. Board members are paying attention to the risks faced by the organization-so security leaders need to ensure that their presentations focus on risk in order to get the board’s attention.
David Baumgartner, Executive Vice President, Chief Information Officer and Head of Managed Solutions at Mandiant, said: “We have encountered some very complex and intricate challenges. We are dealing with very specific processes and results as well as a large number of complex data sets. “So when we have a dialogue with the board, it is important to provide some background information and clarify what we are looking for.”
He said that ultimately, the board wanted to know:
- Are we still in danger?
- Are we ready?
- Are we fully funded?
- How do we deliver?
- How do we work?
“Try to be as simple as possible, put things in business terms, use benchmarks, and use comparative analysis to provide them with a perspective: how do we perform compared to others?” Baumgartner said.
Financial limitations of security policies
Designing an effective strategy and putting these ideas into action can consume a lot of time and money, but there is no unlimited budget to use. The security director needs to consider the company’s overall budget when making a request. Andrews said that establishing a strong partnership with the executive team also helps meet these requirements.
Although security leaders should judge the requests they can compromise, they should remember that every business has trade-offs. She said that having a support team and strong partnerships throughout the company can make these decisions easier and more effective.
“When the board asked me if I needed anything, I said I could always take a little more cash, but there was no unlimited amount of money,” Andrews said. “In the final analysis, the CISO is an executive, and we, like everyone else, are responsible for fiduciary responsibilities.”
