What we have here is ... failure to communicate?

Blog Post created by rapid7-admin on Jul 15, 2009

Originally Posted by Sheldon Malm



In an article published this week by Forbes, writer Andy Greenberg outlines a misalignment between CEOs’ value of IT Security and their lack of insight into the frequency of threats launched against their organizations. 

According to the article, 77% of Chief Executives cited Security event prevention as important or very important – significantly higher than responses from other executives within their organizations.  At the same time, surveyed CEOs grossly underestimated the amount of malicious activity surrounding them every hour of every day.  Only 3% of Corporate bosses cited external hackers as their organizations’ most pressing data protection concern.  With such a disconnect, it is no wonder that CEOs can get caught with their suspenders around their ankles when a large-scale breach or compromise occurs. 

I doubt these findings would shock many of us in the Security community (other than the pleasant surprise that 77% of CEOs value the importance of Security).  What
*is* surprising however, is the conclusion that the article draws about why this is happening.  According to the article: “CEOs' staffs may not tell them the full extent of a company's data risks. ‘Even in the most transparent of companies, there's a bit of hesitance to give the CEO a report of vulnerabilities or even small breaches’”. 

This is an oversimplification of the problem; this is not how staff members typically interface with the top boss. 

The disconnect between CEOs' value of Security and their lack of insight into threat data is not a uni-directional communication problem.  The key to understanding – and ultimately solving – the communication problem is to understand, define, and provide the information that CEOs
*need* to know.  Frequency of attacks and insider data compromise attempts do not provide the right metrics for the Chief Executive’s dashboard, although the *nature* of these threats would probably resonate.  This is a risk management problem, and Risk Posture reports are the right vehicle to bring the two poles together.  “Here are the problems, here are the things we’re doing about them, and here is our consequent risk posture”. 

This is the same approach that CEOs use to stay apprised of risk in every other aspect of their business.  Financial/Credit, Reputational, you name it – the appropriate information for the CEO is to understand the impact of risk events and the likelihood that they will occur.   Threat data may contribute to this, but they are not one and the same.  By understanding the various threats to their organization, and their risk posture in relation to these threats, top executives can become more educated about Security and assess whether their Security programs are properly aligned to manage risk effectively. 

So, this is an education problem?  You bet, but not solely an education of CEOs in the ways of Security.  Instead, this is an education problem for those of us that believe these facts (and their importance) to be self evident.  We must educate ourselves and enable the IT Executive to understand and speak the language of the Chief Executive, providing the right information at the right time in a way that makes sense for our audience.  The CEO is a business head; we are technical folk; the IT Executive ought to be both. 

The IT Executive (CIO, CISO, etc.) ought to understand the frequency
*and nature* of external threats and internal data compromise attempts.  Our role in the information flow is to ensure that he/she has this information in a timely, clear and concise manner.  The IT Executive’s role is to connect this information to the CEO’s business priorities and to let us know when he/she requires additional information. 

When viewed through this lens, we understand the constant information flow required to effectively manage risk.  We understand that we are peers with the IT Head and Chief Executive within this flow, despite the top-down nature of the traditional Visio Organizational Chart.  Ironically, Forbes understands this information flow in other areas of business, where risk management is tightly integrated with day-to-day operations.  That Greenberg did not articulate this connection in the Forbes article speaks volumes about the depth of this disconnect in the area of IT Security. 

All-in-all, a good article, but Forbes missed the opportunity to lend their unique business insight to this piece.  I hope they don’t miss the opportunity next time – we could all learn something from them.