Page 1

7 THINGS Every CEO Should Know

About Information Security Policy and Process Reign Supreme

The Costs of Ignoring Security

Emergence of the Borderless Enterprise Security is a Boardroom Issue Traditional Security No Longer Works

Increasing Insider Threats

Well-Organized & Focused Cybercriminals

7 Things Every CEO Should Know About Information Security Unless you’ve been living under a rock, you

If that sounds like your organization, then keep reading. Hopefully, once you’ve

probably realize what a hot-button issue

finished this ebook, you’ll see how important your role is in maintaining a secure

information security has become for the modern

environment, why it isn’t a good idea to cross your fingers and hope the tech guys

enterprise. Maybe you’ve already mobilized a C-

have everything under control and why compliance with security regulations won’t

level security executive to develop a comprehensive

solve all of your problems.

security program, maybe you’ve just asked your CIO to get a handle on things, or maybe you’re just

As a CEO, I understand the complexities and nuances of leading an organization

fantasizing that security incidents can’t possibly

to profitability and success. And as an expert in the security industry, I also have

happen to a company like yours. Either way, you

a clear picture of how the very best businesses protect themselves. These two

probably recognize the magnitude of trouble companies face when a breach,

perspectives put me in a good position to talk to you—CEO to CEO—about the

caused by their practices, hits The Wall Street Journal. And like many CEOs, you at least

most important components of information security and why you should know

have an inkling that your company has room to improve its security practices.

about them. There’s no marketing mumbo-jumbo here, just straight talk about a topic that can very well impact your bottom line and the ability for your business to

Currently, there exists a troubling disconnect between information security personnel and top decision-makers within the enterprise. According to last year’s

deliver its product to customers.

Ernst and Young global security survey, almost one-third of information security

Pat Clawson

professionals never meet with their board of directors, and most meet less than

Chairman & CEO, Lumension Security™, Inc.

once a quarter with their corporate officers and business unit leaders.

Table of Contents

1. Security is a Boardroom Issue 2. The Costs of Ignoring Security 3. Well-Organized & Focused Cybercriminals 4. Increasing Insider Threats 5. Emergence of the Borderless Enterprise 6. Traditional Security No Longer Works 7. Policy and Process Reign Supreme Conclusion: The Security Role of the CEO

7 Things Every CEO Should Know About Information Security

1. Security is a Boardroom Issue Contrary to what some CEOs may think, information security is absolutely a

Clearly, your peers are standing up and listening because their feet are being held

boardroom issue. Even though it sometimes may seem as if security issues end up

to the fire by regulators. In some ways, this can be a good thing. It has definitely

being mired in technical details, it is clear that ignoring them altogether can impact

helped bump up overall awareness of security topics amongst the C-suite. As one of

the bottom line, the brand and shareholder value. These aren’t technology issues;

my customers puts it, his department is starting to finally get the input he believes

these are core business issues.

information security personnel should have.

If a business chooses not to set security policies, or sets them so loosely that they

“In the last few years, I’ve started to see a change. Traditionally, we’d be ignored,”

If a business chooses not to set security policies or sets them so loosely that they suffer a highly publicized attack, it could find itself ostracized by its largest customers and its partners.

suffer a highly publicized

he says. “Even if you’re a C-level person, you never really got the inclusion that the

attack, it could find itself

rest of the C-suite did. That’s starting to change. I find my department becoming

ostracized by its largest

included in more business decisions. Anytime people are looking to do their due

customers and partners.

diligence in acquisitions and mergers, we’re consulted.”

These types of risks are boardroom issues and they should be discussed by you and your advisors, no matter what their technical background

64% of corporate executives reported compliance as the principal information security driver.

Lumension Security’s Chairman and CEO Pat Clawson sits down to provide executive-level insight into effective and data-centric corporate security.

looks like. But compliance as a security driver is a double-edged sword. According to John

Currently, most executives only focus on security in relation to complying with

Pescatore, analyst with Gartner Research, executives and board members should not

security regulations such as HIPAA, Sarbanes-Oxley and PCI Data Security

be so quick to throw their security spend on compliance efforts.

Standards. In last year’s 10th annual Ernst & Young global information security survey, approximately 64 percent of corporate executives reported compliance as the

“Really, it is dangerous to hang your hat on compliance as a justification for

principal information security driver.

everything,” Pescatore says. “From a boardroom point of view, we think security should be protection-driven, not compliance-driven.”

Guidance for Boards of Directors The way he sees it, compliance fines pale in comparison to the cost of an actual

Executives need to oversee a security program that meshes the security needs of their

security incident that can occur when proper precautions are not put into place. If an

specific organization with the demands of regulators to prove security. They need to

otherwise compliant organization misses a certain piece of the security puzzle, not

recognize that the organization has an ultimate responsibility to secure its data and

included in “XYZ” regulations, and suffers a “denial of service” attack, then it stands

that of its customers.

to lose a lot more in lost revenue than if it had been secure but non-compliant. CEOs really need to eliminate the mentality that being compliant with regulations means their organizations are secure. Compliance is a measurement against regulatory standards, not necessarily a measurement of overall security. Look at the recent breach at New England’s Hannaford Brothers grocers. In that case, the company claimed that it was PCI compliant when the incident occurred. Even if this claim was true, compliance didn’t shield Hannaford in the court of public opinion—

Executives need to oversee a security program that meshes the security needs of their specific organization with the demands of regulators to prove security.

and it won’t shield your organization if something similar happens to you. “What I tell CEOs is make sure your security program is protecting your customers In my opinion, there is definitely a wide-scale wake-up call that still needs to happen

and protecting your business. Then give the auditors what they need for you to

at the executive level in regards to this security compliance misconception.

demonstrate compliance,” Pescatore says. “Decide what controls are needed to protect the business and customer data and then add some additional reporting functions that demonstrate compliance for all of them.” This is not only a safer and saner way of doing things, it is usually cheaper to boot.

“To achieve effectiveness and sustainability in today’s complex, interconnected world, security over information assets must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. Implementing effective security governance and defining the strategic security objectives of an organization are complex, arduous tasks. They require leadership and ongoing support from executive management to succeed. Developing an effective information security strategy requires integration with and co-operation of business unit managers and process owners. A successful outcome is the alignment of information security activities in support of organizational objectives. The extent to which this is achieved will determine the effectiveness of the information security program in meeting the desired objective of providing a predictable, defined level of management assurance for business processes and an acceptable level of impact from adverse events.” Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006

Cutting the Cost of Compliance without Compromising security

2. The Costs of Ignoring Security Many of the most publicized security failures in recent years can be attributed to

proceedings can put a big dent in the bottom line. Add to that the cost of litigation,

short-sighted leadership decisions to save a few bucks on security in the short term.

regulatory punitive fees and the cost of consultants to perform an investigation of

Take TJX’s (TJ Maxx) record breach of 94 million customer records—it all came as a

the breach and it becomes clear why breaches cost so much. The shame of it all is

result of an upper level management directive to wait on upgrading wireless security.

that once this money has been laid out, the new scrutiny you’ll face will force your company to spend more on the security program you should have implemented in

Why not spend that money up front and avoid all of those millions in breach costs?

the first place. Why not spend that money up front and avoid all of those millions in breach costs? The largest cost associated with ignoring security, however, still may not be completely quantifiable. The loss of brand equity is a huge risk posed by lax security practices, one which many CEOs need to address. Brand is the bedrock

As a CEO, what risk to the bottom line are you willing to assume for the sake of

upon which most major enterprises build. When that bedrock cracks, many

saving a few dollars in the coming years’ budgets? In TJX’s case, they’ve paid

businesses have a hard time recovering.

hundreds of millions of dollars as a result of the breach—many, many times the amount it would have cost to upgrade their technology and practices.

Pat Clawson sits down to discuss the biggest compliance challenges and how organizations can effectively address compliance.

Remember ValuJet? The high-flying discount airliner had a quality brand in the mid1990s until one of its jets crashed into the Everglades in 1996. The disaster proved

Last year, one of the security gurus with Forrester Research took a quantitative look at just how much poor security practices were costing enterprises. Analyst Khalid Kark found that the average security breach can cost a company between $90 and $305 per lost record. The financial effects can be staggering for a company with millions of customers. Kark used a number of very real factors to come up with this projection. First of all, data breach legislation in most states now puts companies on the hook to disclose

...they’ve paid hundreds of millions of dollars... many, many times the amount it would have cost to upgrade technology and practices.

any data breach to those affected. Just the sheer cost of going through notification

What I wish my CEO knew about security… so damaging to the ValuJet brand that the company had to buy AirTran for

In a 2006 study conducted by the CMO Council, over 50 percent of consumers said

its identity and completely purge the ValuJet brand from its corporate memory.

they would either strongly consider or definitely take their business elsewhere if their personal information were compromised by a business. Even more disconcerting,

Granted, a large security breach will rarely result in the loss of human life. But

more than half of business executives said they would either consider or would

the ValuJet incident still offers a stark lesson in how corporate negligence can

recommend taking their business elsewhere if a business partner suffered a security

destroy a brand.

breach that compromised their corporate or customer data.

If a large bank is found to be at fault for not protecting its data assets, and customer

Interestingly, the CMO Council study also found 60 percent of marketers believe that

information is spread around the world, the event will hit the news. In turn, that

security and IT integrity offer an opportunity for brand differentiation. Yet 60 percent

Clearly, executives who choose to ignore security are not only gambling their company’s brand and good name, they’re also losing an opportunity to differentiate themselves from the rest of the crowd.


of these same marketers said security has not become a more significant theme in

will lose

their company’s messaging and marketing communications.

brand equity, lose existing

Clearly, executives who choose to ignore security are not only gambling their


company’s brand and good name, they’re also losing an opportunity to differentiate

loyalty, and will

themselves from the rest of the crowd.

“The most difficult part of being a CSO or CISO is getting CEOs and CFOs to understand that IT security is a part of life, just like fire and flood insurance. You hope you never need to use it, but if you don’t have it and you have a fire, you can lose everything. If you don’t have a strong information security practice in place, the same thing can happen. Support is key, and if you work with your CEO and help him or her understand what value IT security has on the big picture, this will go a long way in gaining the support of different business divisions. If you educate everyone from the top down, it helps tremendously.” Richard Linke, Vice President and CSO for Global Security Management Inc.

have a harder time drawing new customers with its nowdamaged reputation. The

same goes for health care companies, insurance companies, big retail chains, you name it.

Cybercrime Economy

3. Well-Organized & Focused Cybercriminals CEOs really need to stop deluding themselves and understand that their information

The enormous payouts from such antics have driven cybercriminals to dial up their

is worth being stolen. If your data is poorly protected, your business is essentially

risk thresholds and their ingenuity levels. “Cybercrime today is targeted, it hits

just setting out gold bars in an unprotected window so that any opportunistic bad

deeply, it tries to be stealthy, rarely making the news, and often those attacks on a

guy can come and take what he likes. Some of the “gold bars” are different for each

damage-per-incident level are 10 to 50 times higher than the costs of things like the

business–perhaps secret recipes for food manufacturers, blueprints for engineering

Slammer worm and other high-profile attacks we used to see,” says John Pescatore,

firms, programming code for software developers. Other “gold bars” transcend

analyst with Gartner Research. “It’s way higher than what a simple virus used to cost

industry verticals. Every business risks confidential information about partners,


sensitive customer data and potential sales leads when they don’t shore up security. In 2007, the U.S. Government Accountability Office estimated that cybercrime costs The cat is out of the bag that all of these data tidbits are worth a considerable

the economy $117.5 billion a year. And yet, I still hear CEOs ask, “What would they

amount to competitors and identity thieves—most modern hackers already realize

want with my organization? They’ve got better targets to attack. It’s not like I’m a

this and are well on their way to figuring out how to steal yours without you even

Fortune 500 company.”

knowing it. That thinking is all wrong. The thing is that most hackers are smart enough to See, it used to be that the bad guys in cybercrime were simple script kiddies, just

recognize that smaller companies don’t spend the kind of money and effort securing

in it for the rush of defacing company property and getting their props from news

their information that the big boys do. If you aren’t spending on security, then you

reports. Their attacks were meant to be visible, so it was very clear when they

become the better target to attack.

occurred. But money changed all of that—hackers saw a dollar sign attached to the technical feats they could accomplish and they switched gears. Nowadays, the crooks

Think about it. If I’m a hacker planning to make some money by selling personal

are trying to fly under the radar, sneaking in to pillage data stores undetected so they

identifiable information to an identity thief, who would I rather attack? A large

can do it again and again to the same target-rich environments. In poorer Eastern

multinational bank that likely has billions of dollars invested in information security?

Bloc countries, hacking corporate systems is a job for some people. They go to work

Or a small credit union that probably hasn’t fully secured its systems? It’s like asking

and hack American companies for other companies or for well-organized crime rings

a burglar whether he’d rather sneak into a house with unlocked doors or crowbar his

perpetuating identity theft.

way into a deadlocked home. He’ll pick the unlocked house every time.

Cybercrime has grown into an extremely mature black market with major players often employing more sophisticated business methods and partnerships than many legitimate businesses. Tom Espiner with CNET wrote a particularly illuminating summary of the cybercrime ecosystem in his article, “Cracking Open the Cybercrime Economy,” published Dec. 14, 2007: “Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as and In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account. Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000, and agree to pay them $20,000 if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as “money mules,” can also take up to 50 percent of the funds to move the money via transfer services. Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.“ 

Debunking the Most Common Myths about Data Protection

4. Increasing Insider Threats It isn’t just those well-funded adversaries outside the business that you, as a CEO,

It happens all of the time, and in many cases the damages can be in the hundreds

must worry about either. There are also numerous threats much closer to home—

of millions of dollars. In February 2007, it came out that a senior chemist at

literally inside the business.

DuPont stole $400 million worth of data and tried to leak it to a third party. In just a six month period, this trusted employee downloaded about 22,000 abstracts and

According to Gartner analysts, 70 percent of the security incidents that cost

16,700 documents. He was eventually ferreted out by DuPont’s IT staff and taken to

enterprises money involve insiders in some way or another. Companies often spend so

trial for his transgressions—but for every one of those caught there are many more

much time and money worrying about threats outside the enterprise walls they often

who actually get away with it.

forget about the dangers that lurk within. The risks posed by employees and trusted partners can run from out-and-out fraud, all the way down to simple user errors that

As a CEO, I understand that trust

cause system insecurity and open them up to attack. Typically, both are caused by

is an important part of running

lack of controls and poor oversight of employee computer activities.

a business. But I also realize that while I can trust people up to a certain extent, I have to set

The risks posed by employees and trusted partners can run from outand-out fraud all the way down to simple user errors that cause system insecurity and open them up to attack.

boundaries around trust.

...70% of the security incidents that cost enterprises money involve insiders...

Lumension Security’s Senior Vice President of Business Development Rich Hlavka sits down to debunk the most common myths about data protection

Just as a company wouldn’t think twice about auditing the books and doublechecking ledgers, it should be standard practice to keep track of access to valuable data assets and risky computing activities that could cost the business a mint. Too many companies choose not to monitor employee interaction with intellectual property and sensitive data, and eventually pay a steep price for their lack of verification. And even those who choose to monitor general staff forget to watch the

Especially damaging are the cases of intentional theft when employees remain

waters, leaving IT administrators with far more account access privileges than their

unmonitored or have unconrolled access to sensitive data or systems.

jobs require. Besides, even the most trustworthy insiders are capable of triggering a security event that can send a business reeling.

Did you know ? “The insider threat hasn’t gone up; there have always been dishonest employees,”

Does your organization

Pescatore says. “What has gone up, and what the real insider threat is employees

have a way of tracking how

trying to do their jobs using technology that we didn’t first make safe. And then,

information is being copied

oops, information is either accidentally exposed or left open such that a fairly simple

and transported? Does it

cyber attack can get to it. That represents thr majority of growth of insider incidents.”

have a way of protecting

Does it have a way of protecting the data at rest, in motion and in use?

data at rest, in motion and in use? As a CEO, you should at very least know the Some employees may not know they are doing anything wrong. They’re just doing

answer to those questions, because your job very well may depend on it.

what they think needs to be done to do their job. Everyone within the security field has heard of numerous cases of people copying sensitive databases to their mobile

Because employees and trusted partners with access to your information will take

devices and bringing them home from work. It happens every day, and every day

risks if they aren’t aware of them, education plays a big part in curbing insider threat. Education is huge because simply telling errant employees not to do something

Does your organization have a way of tracking how information is being copied and transported?

doesn’t always have the desired effect. People sometimes justify bad behavior when they are under-the-gun; they think, “I’ll just do it this once,” or “They didn’t really

Most insider events are triggered by a negative event in the workplace. Most perpetrators had prior disciplinary issues. Most insider events were planned in advance. Up to 87 percent of attacks didn’t require advanced technical knowledge. Approximately 30 percent of incidents happened at the insider’s home through remote access. From the Insider Threat Study conducted by the National Threat Assessment Center of the U.S. Secret Service and the Software Engineering Institute at Carnegie Mellon University, 2005

mean it when they said not to do this.” It is the job of your information security department to educate users and make sure they understand why taking certain actions puts the business at risk. And it is your job as the CEO to back up the Chief Information Officer (CIO) and to really emphasize the stakes at hand. Often the only

that your employees do this, they are putting your organization at serious risk. If that

way employees will listen is if the directive comes from the top, so give your infosec

device is lost or stolen, you face a serious breach with all of those costs I mentioned

personnel some support.

earlier. Education can’t do it alone, however. The only way to truly keep insiders to their word is through automated policy enforcement, smart monitoring technology and effective use of account restrictions.

5. Emergence of the Borderless Enterprise Many business-side leaders don’t fully appreciate all of the holes and points of

Plus, as I just mentioned, you have got lots of potential “bad apple” employees who

weakness that exist in their network today. They figure that after green lighting

are automatically allowed access inside network boundaries. It has gotten to the

the CIO to spend buckets of money on firewalls and other network defenses, the

point where there isn’t an impenetrable border around the enterprise anymore.

Mobile Devices — The New Mobile Threat

organization should be pretty well fortified against assault. The problem is that since that money has been spent, the enterprise has changed and the CIO has been forced to change the technology that supports the business. In this age of super-connectivity, they’ve been asked to provide more ways to give employees and partners access to information. In the process, insecure systems that were never meant to be

In this age of super-connectivity, CIOs have been asked to provide more ways to give employees and partners access to information.

Nearly 75 percent had off-line devices lost or stolen in the last two years and of those 42 percent involved the loss of sensitive information.

connected to the Internet are now online. Information portals

Unfortunately, most businesses have been unable to adjust their security programs

are poking holes in the network

to account for this borderless enterprise. In a study of 735 CIOs conducted by the

infrastructure all over the place,

Ponemon Institute in 2007, more than 60 percent of them said their organizations

data is leaving the network on

still place more importance on network security issues than any other. Approximately

portable storage devices, and

62 percent said their off-network controls are not “rigorously managed.” And yet,

mobile devices are enabling

62 percent said that they have a lot of unprotected confidential information on off-

people to move outside the

network systems. This assumption of risk has lead to a much higher rate of incidents

network with sensitive data while

involving those off-line devices—nearly 75 percent of the managers surveyed had one

coming back onto the network

of these devices lost or stolen in the last two years, and of those, 42 percent involved

with infected systems.

the loss of sensitive information.

Lumension Security’s Vice President of Security Technologies, Chris Andrew, sits down to discuss how security has moved beyond the endpoint with the convergence of business and personal tools.


What I wish my CEO knew about security… These numbers aren’t meant to scare you. I’ve brought them to light so that you understand why your CIO keeps knocking on your door to talk about data protection— these days, that is the name of the game in security. Executives today must recognize that security is no longer about fortifying the network, it’s about protecting the data. We’ve already established that the crooks aren’t looking to simply break your network. They want to get their grubby little hands on your data.

Executives today must recognize that security is no longer about fortifying the network, it’s about protecting the data. These bad guys are no dummies—they know how to exploit holes in the network and how to take advantage of offline systems and endpoints in order to gain future access to your data stores. If the endpoints and the data are protected, it becomes a lot harder for the criminals to steal information. Your technology leaders must be able to satisfy the needs of your staff and partners to access appropriate data while maintaining appropriate control and monitoring of that information to ensure it remains safe. In the end, organizations need to make sure they’re

“For me, it’s got to be the application level security and code-security. In our company and a lot of companies, security is still seen as an IT process, you do some IT things, development does their things. Making the argument that code security, revision control are so absolutely important that often times they can be the invalidation of all the controls that I’ve put around things. If someone screws up and makes a code error, it’s now dumping your databases to the Internet. So, that’s going to become one of the next hot items – database and web application security in multiple ways. Getting some kind of insight into your code’s security is very important. It’s not being properly communicated by anyone at this point. Mostly because people don’t have a hard grasp of the application threat landscape. There are a few people who understand it, and to my knowledge, they work for their own companies. They’re independent contractors. They’re not convincing CEOs that that’s important. A lot of the other people out there just haven’t gotten it yet.” William Bell, Director of Security for

not giving away too much free access at the expense of the company’s well being.


6. Traditional Security No Longer Works So now that the climate has changed and we operate within a borderless enterprise,

Executives must have their technical staff focus on the squishy center that exists

it is imperative for company and technology leadership to realize that the security

inside that perimeter exoskeleton they’ve built up over the years. Otherwise, crafty

model they’ve depended on for so many years is broken.

bad guys are going to attack from the inside out.

Simply installing antivirus and firewall perimeters no longer helps businesses

Think about it, with all of your employees demanding connectivity online and

effectively defend themselves. There are too many ways around the network

online portals directing customers and partners to data from the outside, there

perimeter. Those well-funded criminals I already talked about are using clandestine

are loads of little back doors leading directly into networked data stores. And if

How to Make Whitelisting Operationally Efficient & Manageable

code that cannot be detected by mass-marketed antivirus software, that only offers protection from known attacks. That’s not to say that these older technologies no longer have a place in the enterprise. They still do a reasonable job protecting enterprises from old attacks and act as a good, existing first layer of defense. “The real key is figuring out how to make the perimeter security less expensive and then be able to deal with where the threats are starting to bypass the traditional forms of security,” says Pescatore, “because there are new forms of attacks and there

Why attack the network directly when I could simply get an employee to visit an infected website that will load a Trojan onto their system and will grant me access into their system and into wherever it is connected?

Lumension Security’s Senior Vice President of Americas, Matt Mosher sits down to discuss the advancements in Endpoint Security with Operational Whitelisting.

are always these waves of old attacks that come back.” We recently had a customer say to us, “I can’t tell you how many of my peers find

I’m a bad guy, why would I try to go through the fortified front door when I can

it easy to fund and implement perimeter security, but find it harder to do so for the

just waltz through the back door and ride the wave of connectivity directly to your

needed internal security.”

most valuable data? Why attack the network directly when I could simply get an employee to visit an infected website that will load a Trojan onto their system and will grant me access into their system and into wherever it is connected?


Vulnerability Management in a Web 2.0 World If you have nothing to prevent that, they’ve already won. They’re establishing an outbound connection right back to their system which means you’re toast and your firewall means nothing. Businesses who have recognized the death of security as they once knew it have kept their protection programs up-to-date by shifting focus on areas such as internal network security and monitoring, endpoint security and configuration management. Most importantly, the most successful security practitioners have begun to supplement the old guard in technology with proactive security through whitelisting. Unlike the traditional method of blacklisting the “known bad” programs and application, whitelisting only lets the “known good” execute within the enterprise environment.

“Both the threat environment has changed and our priorities have changed so that we really need to get into protecting the information itself,” Mogull said. “So that’s where the concept of information-centric security comes from. Which is why people are saying ‘Why don’t we look at the tools and techniques we need to protect the data and not just protect our networks?’” - Rich Mogull, Securosis, from March 2008 Baseline Magazine article.

Senior Director of Solutions and Strategy, Don Leatham, sits down to discuss Vulnerability Management challenges in a Web 2.0 world, and how to defend against these threats.


7. Policy and Process Reign Supreme One of the real dangers of working with technical executives is that some of them

As in many other aspects of the business, tools support a solid foundation laid by

tend to fall so completely in love with certain technologies that they fail to remember

effective policies and processes. It is your job as the head honcho to guide your Chief

their overarching goals. This particular malady infects a lot of people in security, who

Information Security Officer (CISO) to make sure he or she isn’t using technology as

unfortunately focus on buying and implementing tools they view as a panacea.

an ineffective crutch.

As a CEO, you probably already know that there’s no product in the world that can

“So if every time there’s a problem and the only thing your CISO is suggesting is

completely solve a complex business problem. It is no less true for information

technology, you should poke ‘em with a stick,” Pescatore says. “You should say, ‘Wait

security than anything else in the business.

a minute, where’s the process change or the other things that always have to go with

“...we have to set up a security policy that finds the right balance between overreacting and exposing your system to any and every hack.”

technology to make it work?’” These “other things” need to include risk assessment, standardized procedures, boundary setting around what employees should and shouldn’t be doing with systems and data, and also setting baselines on how systems are configured. From there, the technology can monitor and enforce all of those policies and procedures, providing reporting to prove to the auditors that everything is working.

“Information security by technical means is not sufficient and needs to be supported by policies and procedures,” wrote Chaiw Kok Kee in a SANS Institute whitepaper on security policies. “Security polices are the foundation and the bottom line of information security in an organization. Depending on the company’s size, financial resources and the degree of threat, we have to set up a security policy that finds the right balance between overreacting and exposing your system to any and every hack.”

5 Basic Tenants of Information Security

“Information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy. It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel. Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization’s business processes and strategy. Security must address entire organizational processes, both physical and technical, from end to end. The five basic outcomes of information security governance should include: 1. Strategic alignment of information security with business strategy to support organizational objectives 2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level 3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively 4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved 5. Value delivery by optimizing information security investments in support of organizational objectives” Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006


What I wish my CEO knew about security… If your CISO is doing a good job setting policies, the SANS policy guidance suggests

“If I could have a CEO

that he or she will be:

boot camp, I’d say, ‘Make sure you put

Identifying all of the assets that need to be protected

security top of mind

Identifying all of the vulnerabilities and threats and the likeliness

to all of your direct

of the threats happening

reports: your CFO, your CIO, your HR people,

Deciding which measures will protect the assets in a cost-effective manner Communicating findings and result to the appropriate parties (i.e. you and the board)

The responsibility for security oversight and policy development doesn’t rest solely on the CISO’s shoulders, either.

your sales people and so on,’” Pescatore says. “For most businesses today, the product is information and security is key. So you have to make sure that your top reports understand that security is part of their evaluation. It’s not just the CIO’s responsibility. It is part of life for every one of your

Monitoring and reviewing the process for improvement along the way The responsibility for security oversight and policy development doesn’t rest solely on the CISO’s shoulders, either. As chief executive, you should also be guiding a program of information security governance that reaches far beyond the IT

direct reports.”

“Information security is not simply an IT issue. Information security is the responsibility of every employee beginning with the CEO. Awareness, detection and remediation is also everyone’s responsibility. We can invest in tools that will mitigate the risk, and tools to audit how well we are mitigating the risks, but at the end of the day, it is the individual users who most significantly impacts the security of information at an organization. If we start with the idea that the management of the investment we have in information is of paramount importance, we will make decisions that ensures its security throughout all levels of the organization. In this way, the products, policies, procedures and audits you put in place will not be sidestepped, downgraded or ignored for the comfort of the end user.” Tony Hildesheim, Vice President of Information Technology Washington State Employees Credit Union


As chief executive, you should also be guiding a program of information security governance that reaches far beyond the IT department.


Conclusion: The Security Role of the CEO Obviously, chief executives don’t play a detailed day-to-day role in information

The CEO has to be the one that constantly challenges the organization to understand

security. You probably don’t know how to administer a vulnerability scanner, nor

its risks and needs to be constantly reviewing security progress as part of the

should you. But understanding security can have such a dramatic effect on an

quarterly review process. Are we right on track with initiatives? Have we suffered any

organization’s bottom line, it is clear CEOs need to provide strong leadership

incidents lately? Have our competitors? What new threats are cropping up. These

on the matter.

are the types of questions that the CEO must ask of the CIO or CISO on a consistent

A Practical Approach to IT Security Risks

basis in order to keep that company messaging relevant. It should be an ongoing, According to many of the CISOs we speak with here at Lumension Security, the only

dynamic process instead of one where the CEO is simply the recipient of information.

way to get user buy-in for major infosec initiatives is by relying on support from the top of the food chain. As a CEO, you have a chance to set a culture of security that permeates into every silo, department and remote office you maintain. As our customer Bell puts it, “When it comes from the CEO, it’s a bigger deal than when it comes from the security officer. You’re going to get more penetration through your enterprise. The folks in accounting are going to go, ‘Oh! It’s the CEO!’ They

Pat Clawson discuss how organizations can implement a practical approach to identifying, prioritizing and responding to IT security risks

don’t care about me, but they’ll listen to the CEO. There are a lot of companies with silos that are so deep these days that the security departments don’t have a lot of visibility. If you can work to get some kind of company message, it’s helpful.”


Lumension Security™, Inc. 15880 N Greenway-Hayden Loop, Suite 100 Scottsdale, AZ 85260

7 Thnigs Every CEO Should Know About Information Security is licensed under a Creative Commons Attribution 3.0 United States License.

7 Things Every CEO Should Know About Information Security  

In this eBook, Pat Clawson CEO & Chairman of Lumension, provides his insight of the 7 key issues that every CEO should know about Informatio...

Read more
Read more
Similar to
Popular now
Just for you