CISOs need to change the narrative to get funds for security

CISOs are their own worst enemy when they position themselves as defenders of the organization, says Gartner analyst

It is no secret that IT security professionals often struggle to get the backing they need from management to do their job. Management does not always appreciate the work being put in by the security team. According to Gartner's Paul Proctor, CISOs' biggest challenge by far is getting executive management to appreciate (and fund) what they do, and to a certain extent CISOs themselves are to blame for the current scenario.

A vice president and distinguished analyst at Gartner, Proctor is also the chief of research for security and risk management at the research and advisory firm. He illustrates the CISO's plight through a simple dialogue between a CISO and his CFO. It goes something like this:

CISO walks into the CFO's office and says, "I need $1M to protect the company." CFO says, "How much did you spend last year?" CISO: "Nothing." CFO: "And what happened?" CISO: "Nothing." CFO: "OK, go do that again."

Difficult as it may seem to change the current situation, Proctor says that it can be done by changing the narrative. "Stop asking for money and start asking for decisions. We all live in a continuum of risk wherein we choose to spend less money and experience more risk OR spend more money and experience less risk. Explain this to the decision makers and ask them to commit to their choice as to where they want to live on this continuum," he writes in a recent blog post.

"Choosing to save some money and experience more risk is a legitimate business decision. The failure is allowing executives to live there without making a conscious choice. CISOs are their own worst enemy when they position themselves as defenders of the organization because it lets the executives skate on accountability," says Proctor.

Saying the risk is owned by the business is not just a platitude. A CISO must have the ability to translate this into reality.