Elliott Franklin, Director of IT Governance & Security, Loews Hotels
The C suite has many priorities to balance, and while Information Security is one of them, should it be placed higher than other business risks? Running a business in any industry vertical is not without risks — sales goals, theft of IP, rising salaries, rent, lawsuits, just to name a few. At any moment, the business could be at risk of going under. Information Security is certainly on this list, and while many folks argue that the C suite doesn’t take security seriously enough, I would ask how well it has been sold. Fear, Uncertainty, and Doubt (FUD) is a common technique that security leaders use to try to get a seat at the table. However, while it may work in the short term, it’s not a winning strategy. Instead, I would challenge security leaders to first learn the business. Learn the short- and long-term goals. Understand the current business landscape. Then, and only then, build a security roadmap to protect the business based on its existing processes and procedures.
Even in the year 2019, many companies do not have a person dedicated to information security. So, where do you start? Start with an industry-accepted framework such as the NIST CSF. The reason I use NIST is that it is very easy to understand and explain to executives: its five functions are Identify, Protect, Detect, Respond, and Recover. There are also many free self-assessment spreadsheets that you can download to score where your organization is today. This will help you identify weak areas for your multi-year roadmap.
When building your roadmap, do not think technology first, think business and process first. Many security gaps can be remediated by changing processes.
Security can save the company money and reduce complexities
With over 3,000 security vendors, we often hear that if we just purchased enough of their products, we could prevent any breach from ever occurring. Some vendors even offer a breach guarantee now. While this is interesting, the daily breaches we read about suggest that these technologies are not delivering on that promise.
To be successful in the boardroom, security leaders need to clearly articulate how their roadmap will help the business, not just secure it. Think about multi-factor authentication as an example. While it’s hard to prove ROI on this, you can market it as something that will improve employee satisfaction. How? Because once you have MFA on all external-facing systems, you can reduce the number of times per year that you force employees to change their password. NIST recommends only changing passwords once per year if you are using MFA. What about implementing Single Sign-On or an Identity and Access Management system? These can be complex and expensive, but if you are able to show the number of hours of productivity gained by team members having access on day one, and having the correct access, you can demonstrate their value. In addition, if you are highly regulated, the number of hours spent on access reviews will go down drastically once they are automated.
And finally, I love it when I start a new role and run a full vulnerability scan. Even though many applications are now in the cloud, this still gives great insight into the full application and server inventory. Using this list, the security team can usually save the company money, because many systems may still exist that were deployed by a former team and are no longer being used, but the company is still paying for them. In addition, this can help determine if there are multiple tools performing the same function. As such, you can consolidate and save budget once again.
Security can save the company money and reduce complexities. Robotic Process Automation and Security Orchestration and Automation are great for patching and vulnerability management as well as self-service user provisioning and application deployment. However, for this to work, there must be a great partnership between the Security and Infrastructure teams. Security is frequently perceived as Big Brother by other IT teams. By running scans, we point out problems with how the infrastructure team has configured or patched systems, or how the application team hasn’t incorporated the OWASP Top 10 into its SDLC. The partnership is the key to this challenge. Don’t send up your first security dashboard without giving the apps and infrastructure teams a heads-up and a chance to respond. Don’t just send a PDF of the problems and expect them to fix everything in a week. Work with the teams using a defect tracking system. Be a part of the solution! This is how to win friends and influence people and earn a seat at the C suite table!