1. Bridging the CISO-CEO DivideRecommendations from Global 1000 Executives and a Fortune 500 CE0Report based on discussions with the Security for Business Innovation Council1. Anish Bhimani, Chief Information Risk Officer, JP Morgan Chase2. Roland Cloutier, Vice President, Chief Security Officer, EMC Corporation3. Dave Cullinane, Vice President and Chief Information Security Officer, eBay4. Professor Paul Dorey, Founder and Director, CSO Confidential and Former Chief Information Security Officer, BP5. Renee Guttmann, Vice President, Information Security and Privacy Officer, Time Warner Inc.6. David Kent, Vice President, Global Risk and Business Resources, Genzyme7. Dr. Claudia Natanson, Chief Information Security Officer, Diageo8. Vishal Salvi, Chief Information Security Officer, HDFC Bank Limited9. Craig Shumard, Chief Information Security Officer, Cigna Corporation10. Denise Wood, Chief Information Security Officer, FedExAnd special guest contributor Michael Capellas, Chief Executive Officer, First Data CorporationAn industry initiative sponsored by RSA, the Security Division of EMC

2. The Security for Business Innovation Initiative Business innovation has reached the top of the agenda at most enterprises, as the C-suite strives to harness the power of globalization and technology to create new value and efficiencies. Business Innovation DefinedEnterprise strategies to enter new markets; launch new products Yet there is still a missing link. Though business innovation is powered by information; protecting information is typically not considered or services; create new business models; establish new channels strategic; even as enterprises face mounting regulatory pressures andor partnerships; or achieve operational transformation. escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or even worse not addressed at all. But without the right security strategy, business innovation could easily be stifled or the organization could be put at great risk. At RSA, we believe that if security teams are true partners in the business innovation process, they can help their organizations achieve unprecedented results. The time is ripe for a new approach; security Table of Contents must graduate from a technical specialty to a business strategy. WhileIntroduction1 most security teams have recognized the need to better align security with business, many still struggle to translate this understanding intoThe Perspective of a CEO who Gets It3 concrete plans of action. They know where they need to go, but are State of Affairs: How CEOs View Information Security4 unsure how to get there. This is why RSA is working with some of theTop Ten Ways to Make the Case to Your CEO 6 top security leaders in the world to drive an industry conversation to identify a way forward.How Does the New Economy Change Making the Case?10Top Ten Ways to Alienate Your CEO 12 RSA has convened a group of highly successful security executives from Global 1000 enterprises in a variety of industries which we callTop Ten Ways CEOs Can Put their Organizations at Risk 15 the Security for Business Innovation Council. We are conducting aConclusion27 series of in-depth interviews with the Council, publishing their ideasAppendix: Biographies 22 in a series of reports and sponsoring independent research that explores this topic. RSA invites you to join the conversation. Go to www.rsa.com/securityforinnovation/ to view the reports or access the research. Provide comments on the reports and contribute your own ideas. Together we can accelerate this critical industry transformation. 3. Security for Business InnovationReport SeriesThe Time is Now: MakingInformation Security Strategic toBusiness InnovationRecommendations from Global 1000ExecutivesIntroductionMastering the Risk/Reward Equation:Optimizing Information Risks While Will 2010 be the year that information securityaligning with the highest priorities of theirMaximiz ing Business Innovation comes of age? There are signs that information organizations. To do that they must effectivelyRewards security, previously viewed as a necessary evilconvince the Chief Executive Officer (CEO) thatRecommendations from Global 1000 or inconvenient afterthought of corporatesecurity must be a core component of businessExecutives strategy, is becoming core to organizational strategy. After all, its the CEO who owns the success. And this central role is recognized not business strategy; he/she sets the agenda and Driving Fast and Forward: Managing only within the ranks of information securityestablishes the objectives for the entire Information Security for Strategic but also by senior executives across globalcorporation. Therefore for information security Advantage in a Tough Economy organizations. In the recent Global State ofto be strategic, the CEO must see the linkRecommendations from Global 1000 Information Security 2010 study, 52 percent ofbetween his/her objectives and the protection Executives C-levels reported that the increased riskof information assets. environment created by the economicCharting the Path: Enabling theGiven current economic conditions, a key focusHyper-Extended Enterprise in the downturn has elevated the role andof most CEO agendas is the drive towards cost Face of Unprecedented Risk importance of the security function. 1reductions and operational efficiencies toRecommendations from Global 1000 The elevation of information securitystrengthen the overall balance sheet andExecutives represents a critical opportunity andprofitability. Corporate leaders today are responsibility for information securitybeginning to see encouraging trends towardwww.rsa.com/securityforinnovation leadership. Now more than ever, security recovery though. The NYSE Euronext 2010 CEO professionals must demonstrate expertise inReport indicates that nearly half of CEOs think1 4. the U.S. economy will have fully recovered byfor taking on this crucial role is that the Understand that for the CEO, everythingthe end of 2010, with the global economy security leader must have the confidence of the is about balance. A CISO has torecovering by the end of 2011. However, theCEO. demonstrate a sense of balance; the abilityvast majority of CEOs believe it will be a weak This fifth report in the Security for Business to weigh risk and return. Then the companyand patchy recovery, and their intention is to Innovation series explores the link betweenwill be putting the appropriate resourcescontinue to run tight ships even as the CEO priorities and information securityeconomy improves.2 towards security. Its a trade-off between strategy, examining how a divide between anThe reality is that there is a strong link organizations CEO and its security officer can risk and return.between current CEO priorities and detrimentally impact its risk profile and Michael D. Capellasinformation security strategy. Many of the ultimate business success.Chairman & Chief Executive Officermeasures organizations are adopting to First Data This report takes a very practical approach. Itmanage cost and efficiency are both innovative provides ten important techniques for gainingand risky. Chief among them is accelerated and maintaining the support of the CEO (andadoption of new technologies and global other C-suite executives and the Board) for abusiness models. Putting customer data, strategic information security effort. It thenEvery day CEOs must assume the role ofintellectual property, or proprietary corporate analyzes the flip-side; taking a candid look at risk-takers. This is one component thatinformation into new IT environments; and potential missteps and mistakes, and offers ten defines a good CEO. What risks should hesharing information with more and more third- tips for what not to do when dealing with yourparties spread out across the globe createstake on behalf of the company in order to CEO. The last section is intended as food forrisks. Organizations also face an increasingly grow it? The CISO must be able to thought for the CEOs themselves; showing howrisky socio-economic environment, as insider their lack of support for strategic information contribute to the wider risk discussion andthreats and external attackers are more security could put their companies at risk. help the company take the right risks.motivated and capable of targeting enterpriseinformation assets.The guidance in this report was derived from Claudia Natanson conversations with a group of top security Chief Information Security OfficerThe aggressive business goals and heightened Diageo leaders from the Global 1000. As a specialrisk environment facing the enterprise today feature, the report includes contributions fromputs the information security officer in a crucial a Fortune 500 CEO, who as the leader of thepostion: making sure the company takes the largest payment card processing company inright risks in the right ways. The right the world, is no stranger to risk. The stakes areinformation security strategy can not only helpOne of the main things in maintaining high, information security is taking centermeet cost-savings and efficiency goals in thecredibility with your CEO is you have to be stage and your performance could mean thenear-term, but it can also help position the difference between a future where heavily steeped in reality.company for recovery and strong business information security takes a leading role or isDenise Woodperformance in the long term. The prerequisite relegated to a bit part within the organization. Chief Information Security OfficerFedEx2 5. The Perspective of a CEO who Gets It Michael Capellas is a Chief Executive Officer You have to be able to understand risk analysis as the premise. Thats where you start. This who gets it. A 30-year veteran of the ITis about risk. The language of business is about risk. And if you sit in a CISO position and industry, Michael is a recognized global you cant meaningfully talk about measures of risk and layers of risk, youre probably not thought leader in the technology space, with going to be successful. You can spend all your money having the latest virus protection put significant expertise in information security. He has long understood the value of protecting on your PCs and miss the fact that youve got massive enterprise risk because of information, not only as a strategic imperative vulnerabilities to the power infrastructure or legal liabilities of doing business in certain in corporate environments, but also for the countries. United States as a nation. Michael has servedMichael D. Capellas on two separate Presidential Advisory CouncilsChairman & Chief Executive Officer on National Security.First Data As CEO of First Data, Michael currently leads a company where information security is central to the business. As the global technology the New York Stock Exchange. As CEO of MCI,information security provided invaluable leader in information commerce, First Data Michael worked to develop resilientinsight for the group on how to focus the C- helps businesses, such as merchants and telecommunications infrastructures thatsuite on the value of information security. financial institutions, safely and efficiently supported the federal government, the process customer transactions and understand This report brings his unique perspective automobile industry and financial services. He the information related to those transactions. together with the views of some of the most also established a focused security practice The company securely processes transactionssuccessful security executives in the world; and within MCI to serve the enterprise market. for millions of merchant locations and offers tangible recommendations for security thousands of card issuers in 36 countries.Earlier this year, Michael addressed over 100professionals at this time of unprecedented security and privacy executives at the RSA opportunity and challenge. Michael has also had the experience of leading Conference Executive Security Action Forum companies where information security was not (ESAF), a gathering that hosts the largest a core competency, yet he made it a key aspect global enterprises and government agencies in of the organizational strategy. For example, as the world. Michaels talk at the event was the the CEO of Compaq, Michael worked to single most highly rated session ever at an develop a secure technological infrastructure ESAF event. His unique perspective as a CEO for numerous governmental agencies as well as with a deep understanding and commitment to 3 6. State of Affairs: How CEOs View Information SecurityConvincing a CEO that information security rated developing a data protection strategyshould be strategic starts by knowing wherefor the organization as important or veryhe/she currently stands. The CEOs view will important.3 However the same survey showsdepend on the vertical industry, regulatorythat although they see it as important, CEOsregime and intellectual property does themay not have a realistic picture of informationcompany have market, legal or competitivesecurity yet. 77 percent of CEOs surveyed viewreasons to protect information? It will also the greatest risk to data as lost/stolen laptopsdepend on third-party relationships and global or incorrect disposal of storage media.4 This isreach how much and with whom does thein contrast to a recent SANS Institute report oncompany exchange information?the top cyber security risks. The study found that attacks on Web applications and targetedOverall, CEOs tend to think more about phishing attacks currently carry the greatestinformation security issues today than they did potential for damage.5in the past simply because most enterprisestoday rely heavily on IT to support business Not only do CEOs seem to misunderstand theoperations. And most CEOs use the web andrisks, they tend to underestimate themmobile communications themselves in thecompared to other executives. For instance, thecourse of their daily work and lives. By now,majority of CEOs surveyed (68 percent) believemany have also had direct or indirecthackers try to access corporate data rarely, orexperience with a security incident or identityat most once a week. While those in othertheft. The awareness level of CEOs has alsoexecutive positions believe that theirrisen because of increased regulation companys data is under attack on a daily orgovernment and industry mandates for dataeven hourly basis (53 percent).6protection and the high-profile media coverage Of course CEOs cannot be expected to beof massive data breaches, especially in the information security experts; thats why theybusiness press. Information security is now have security officers. It is up to thesquarely on the CEOs radar screen. information security officer to help the CEOMost CEOs today will acknowledge how build a realistic understanding of the risks. Butimportant it is to have an information securitythe CEO can and should be expected to providestrategy. In a recent survey of CEOs, 87 percent authoritative support for information security.4 7. So how supportive are CEOs today? There are So it is clear that CEOs are increasingly awareencouraging signs. One sign is that moreof information security issues; and they havecompanies are beginning to addressstarted to establish formalized supportinformation security governance by putting in structures. At this point its up to informationplace more formalized enterprise risk programssecurity officers to better educate CEOs aboutwhich include information risk management.the real risk picture and build on theRecent research indicates that 35 percent ofmomentum to position information security ascompanies surveyed conduct enterprise riska strategic business endeavor.assessments twice per year; and 33 percentcontinuously prioritize information assetsaccording to their risk level.7 In addition,Board-level and company-wide enterprise riskcouncils that incorporate information risks inThere is no question that the issue of cyber security has become highly escalated inthe overall risk management effort arethe last two years. The awareness is coming from several places. Its being driven byemerging in many industries.the head of audit departments of large public firms. Its being played out at theAnother positive sign is the increase in theBoard level. Its risen with the extent of globalization and the rapid adoption of thefrequency of reporting to the CEO, other C- internet and technology. And there have been some pretty well known cases whichlevel executives and the Board on informationhave hit the press. So there are lots of reasons that it is top-of-mind now withsecurity. When information security feeds intovirtually every CEO.ongoing business reporting, it is moreintegrated with the business strategy and more Michael D. Capellaslikely to get the right level of funding. In the Chairman & Chief Executive Officerfinancial sector, which tends to be on the First Dataleading edge, nearly half of companies nowhave regular reporting to the CEO oninformation security on a monthly or quarterlybasis (39 percent); or once or twice per year (10percent).85 8. Top Ten Ways to Make the Case to Your CEOBeing a great Chief Information Security Here are ten key techniques to keep in mind as 2. Establish security champions within theOfficer requires interpersonal skills. The you strive to convince your CEO and other CEOs circle of trustCISO cannot just be a technical person. executive leaders that information security hasTo engage the CEO, youll need to win overYou have to have the skills to be able to an important role to play in the businessthose who influence and interact with him/her relate to people right across the strategy. Its not a comprehensive plan; but a on a regular basis the Board and C-levelorganization and have enough business list of some of the most important things to direct reports. In some organizations, the consider.Board may be savvier regarding informationsavvy to communicate to senior people in asecurity than the CEO. Board members tend toway theyll understand. 1. Earn a strategic position focus on big picture risk concerns and fiduciary Michael D. Capellas Dont expect the CEO to just hand you aresponsibilities, and they bring perspectivesChairman & Chief Executive Officer strategic position, you have to earn it. from their broader experience in other First Data Demonstrate that you have an understanding companies. Impress them with your strategic of the business and youll build credibility.vision for managing information risks and they Organizational management skills are alsowill influence the CEO. Typically it will be theData drives the quantification of risk and essential. Information security is never going toC-levels and/or business unit executives whothere is analysis and logic to be applied. be completely centralized because it sits across will need to be convinced to fund information Ideally you should be able to say, Heres the organization; CISOs need to be able to security initiatives. Be cognizant that they havewhat could happen a security lapse here work in a matrix environment and acrossto reconcile their responsibility to protect organizational lines. Also, recognize that information with their goals of managingis the cause, here are the operational formality matters in this job. If youre reporting budgets and reducing costs. Securing fundingeffects, heres a quantification of what it to the C-levels or the Board dont just give at the operational level requires proving thatwould cost us, and heres some alternatives verbal updates make presentations in a your program makes the best possible tradeoffsthat we have for preventing it. formalized, standardized and consistent way. between security and cost. If you build strongallies with the C-levels, they will represent youMichael D. Capellas Chairman & Chief Executive Officer 6at the CEOs table. First Data 9. 3. Make security relevantFor example, a recent study by the Aberdeen 5. Dispel media hypeKnow the CEOs strategic agenda and how that Group revealed top performing companies thatThe CEO, other C-level executives and themaps to specific business goals then have adopted cloud computing have reduced ITBoard get much of their information aboutcontribute to realizing them. For example, if acosts 18 percent and data center powersecurity risks through the media. AlthoughCEO is focused on costs, each business area will consumption by 16 percent. The study also media coverage helps raise awareness ofhave cost-reducing goals. In marketing, they showed that in order to get the benefits of information security, it is often a distortedcould be aiming to reach new markets morecloud computing, top companies realized theypicture. Leadership can end up focusing on thecost-effectively by partnering with social had to establish a governance model aroundwrong things, such as cyber terrorism or laptopnetworking sites; security could help protectServices Oriented Architectures and cloud-theft which may not represent the highestthe customer data collected so that thebased service delivery. Best practices included a priority risks. The CISOs role is to break anyinvestment is not jeopardized and customer formal cloud evaluation process for monitoringmisconceptions, actively educate the CEO, C-trust is maintained. HR might be looking tocloud applications as well as formal training for levels and the Board and help them make moredecrease the costs of on-boarding and off- the cloud team.9informed risk decisions.boarding contract workers; with optimized In other words, the report showed that cloudFor example, every time there is a major newsidentity management, security could help computing enabled by an information riskstory on information security, one that youachieve this. In accounting, they may be management program can achieve measurable know will get their wheels turning and asking,working on reducing compliance costs; security and meaningful cost-savings for the company.What ifs?, provide an email before they evencould help drive down the hours spent on start asking you these questions. Give a briefmanaging access to data and on conductingAnother way information risk management can analysis and relate it to your own companysaudits. Part of the customer strategy may be toenable cost savings is through better vendormake service more efficient; security could help management. Companies are engaging inreduce phone service by enabling more data toglobal sourcing, business partnerships andWhether its to a C-level or a Boardbe safely accessible on-line. It will be anstrategic vendor relationships to bring down member, talk about alignment to theeducation process to help the CEO and othercosts. In forming these relationships, companiesexecutives understand how security is relevant strategies of the company global must assess and mitigate the risk posed byto their specific objectives.third parties having access to their data orexpansion and global collaboration and network. Due diligence efforts can be how you enable that to happen; how4. Show him (her) the moneychallenging and costly. A study by theprotecting resources and trade secrets is aThe business exists to generate a profit and Information Risk Executive Council (IREC) found competitive advantage. Talk about being aultimately, this is what the CEO wants to see. that companies with leading information risk trusted partner to your customers and howTo gain support for your information securityprograms can reduce their third-party riskprogram, be able to calculate how it improvesmanagement budget by up to 64 percent.10your security program becomes a reason forthe bottom line by enabling the company to people to do business with you.make or save money.Roland CloutierVice President, Chief Security OfficerEMC Corporation 7 10. situation. If information security is represented Also, detail a framework for evaluating riskon an Enterprise Risk Management Committee, and making risk decisions. Conversations aboutthis is also a good vehicle for effectively risk invariably come down to who has thedisseminating more accurate information about authority to make what level of risk decision.your companys risk profile to executiveHaving a formalized risk assumption model forleaders.information risks brings clarity andtransparency to the process and delineates6. Make it real where and with whom risk decisionTo help the CEO and executive leaders responsibilities lie.understand the risk, make it real. As much aspossible, quantify the risks. Dont just give 7. Develop good metricsvague explanations of high, medium or low Good metrics accurately measure the value ofrisk events. Instead describe detailed andinformation security investments; and theyrealistic scenarios for your company, withshow how the security program manages risksactual numbers for probabilities, impact andto acceptable levels to meet business goals.financial losses in the context of your Communicate the trade-offs betweenorganizations market position, vertical industry investment and risk by using visual diagramsand regulatory regime. Admittedly, sincethat clearly depict the effects (benefits vs.information security is still in its early days,costs) of various investment scenarios. Forcoming up with numbers is not easy, theres noexample, show how risk decreases if thehandy actuarial table. But numbers are what information security program contains certainwill make it real for business leaders. elements and how it increases if the companyforgoes those elements for now.Research incidents that have occurred at otherorganizations but make sure to present that Get data about how your program compares todata in the context of your company. Forother similar organizations. Externalexample, estimate how much it could cost your comparisons and benchmarking establishcompany if you had a data breach exposing credibility for the security program and providecard holder data protected under PCI. Orevidence of commercially reasonableexplain what a Denial-of-Service attack could practices. To get this data, security officersmean, and how much money your company need to actively participate in peer groups andcould lose if your e-commerce site were downforums for information sharing.for a day. Work in partnership with others suchas the VP Marketing and General Counsel to8. Set up a clear organizational structurederive these numbers and when you present The security organization should have anthem, have the partners there backing you up. absolutely crystal clear organizational8 11. structure. Whether its centralized, de- 9. Have a plan10. Know the person andcentralized, based on lines of business, orBuild and document the information security speak to the personfunctional, etc., it must be clearly articulated,strategy including a detailed road map, clearly For dealing with the CEO and other C-levels,socialized and institutionalized across thedefined goals and manageable milestones.its important to get to know as much as youwhole enterprise. The biggest weakness for Measure and evaluate your progress andcan about the individual. Learn their personalsecurity practitioners is organizational communicate this to the CEO and other styles and preferences and tailor yourmanagement. In other functional areas, the executive leaders. Divide the strategy into the communication method accordingly. Knowpolicies, hierarchies and roles are well-defined technical and business strategies; these may be what level of detail they expect. Know howand well-understood by those outside the inextricably linked, but have two very distinct they make decisions and what they payfunctional areas. For example, people getaudiences. Line managers are not going to beattention to. Find someone you trust who haswhat departments like accounting and finance interested in the technical aspects of theregular interactions with the CEO (or otherdo because their function has been strategy, but they will be interested in theleaders) and ask for advice about the bestinstitutionalized. This is how it should be forbusiness aspects. approach. Do a mini tabletop exercise: Wouldsecurity as well. This will help security developthis work? If I presented this to the CEO in thisbetter working relationships throughout theway, how would he react?organization. The CISOs job is about managing riskUnderstand the rhythm of the way yourIts an amazing process. Once you and coming up with the best possible wayCEO is communicated to by other C-levelestablish your value with a business unit, of doing it given a particular business officers. Get familiar with how your CEOtheyll tell others that, Security did this context. In the current climate, the contextis briefed. There is a tone, a rhythm, areally cool thing, they came up with a is cost minimization. In another business format expectation.strategy which took the money I was climate, the context might be long-termalready spending and got me twice as muchDenise Wood business flexibility.for it. You should have a conversation withChief Information Security Officerthem. And then others will come knockingFedEx Professor Paul Doreyon your door. This is the kind of thing thatFounder and Director, CSO Confidential; and Former Chief Information Security Officer, BPcomes up in the CEOs staff meeting.Dave CullinaneChief Information Security Officerand Vice President,eBay 9 12. How Does the New Economy Change Making the Case? Some may balk at the idea of trying tothe security budget, at the same time, risks are convince the CEO that security should be more increasing rapidly potentially outpacing strategic in the middle of the worst economic securitys ability to keep up. The security team conditions in decades. How can you have a is also expected to take on more and more strategic security effort if you cant even get responsibilities as the funding remains basically funding? But it turns out that most the same. information security programs are still getting Ultimately the approach to making the case for funded. In a recent global security survey, 63 strategic information security doesnt change in percent of respondents say spending on the current economic conditions. It is still risk- security function will increase or stay the same based and business-driven. What changes is the in the next 12 months in spite of the economic focus on costs. This means looking at what downturn. Of those facing budget cuts, most must be done rather than what should be done will be reducing spending by less than ten and prioritizing based on the risks that are percent or deferring initiatives by less than six most relevant to the organizations strategic months.11 imperatives. The security officer needs to But that doesnt mean the going is easy. In proactively determine what pieces of the fact, security programs are under intense information security program could be pressure to perform. Although mostdeferred, making it completely clear how organizations are not cutting too deeply into deferrals change the risk picture. Get the data. There is an enormous amount of relevant data on broad macro trends and the internal company. Get the data to be able to say, Here are the three or four things we must do because of enterprise risk; here are the three or four things that are on the edge that we will want to implement over time; and here are three or four things that we can have compensating controls for and handle with a little more training. Michael D. Capellas Chairman & Chief Executive Officer First Data10 13. As economic conditions change, the CEO andthrough the entire program item by item andother leaders may change their appetite for asking hard questions like, Are we doing thisrisk. If they decide cost savings trump riskjust because its been past practice or is it reallyreduction, its the CISOs job to make sure thatadding value at this point? This demonstratesthey understand exactly what level of risk they an alignment with the CEOs efficiency goals.will be accepting as a trade-off, and get themSelf-funding projects out of productivity gainsto agree to accept that increase. Ultimately,is another way to build credibility with the CEOsecurity will always be adequately fundedand C-suite. If information security can get asbecause adequate means it matches the levelefficient as possible at basic operations, it freesof risk that the business deems acceptable.up monies for new investments for meetingEven if the security department is not directly increased threat levels. The current downturnfacing budget cuts, many security teams may present an excellent opportunity forrecognize that they need to share in thecleaning up security operations to make themburden of curtailment. They are scrutinizingmore efficient and scaled for future growth.their operations and looking for ways toachieve efficiencies. For example, goingYou know youre doing a good job as a Having less funding is not necessarily a Understand the reality, understand theCISO when you can raise your hand and bad thing because it forces us to getbusiness dynamics and adapt your strategy.say to your colleagues, I have some budget smarter about how we use that money. The For example, even if you have approval forthat I should surrender because you need it most important thing is to have as muchhiring people, you might choose not tomore, I think I can keep the risk to an impact on the organization as we can withbecause the rest of the organization isacceptable level. It may mean you just gavethe resources that we have. It challenges us being cautious. This will demonstrate thatyourself a harder job, but seeing the needs to bring more quality to our operation. you are trying to be agile. When things getof the business as a whole is expected of anClaudia Natanson better, you can start hiring again.executive leader.Chief Information Security Officer Vishal Salvi Diageo Chief Information Security Officer andProfessor Paul DoreySenior Vice President, HDFC Bank Founder and Director, CSO Confidential; andFormer Chief Information Security Officer, BP11 14. Top Ten Ways to Alienate Your CEO Information security is a relatively new 1. Waste their time 3. Use FUD function in organizations; for example, the role When you are reporting to the CEO (andFrequently resorting to messages of fear, of Chief Information Security Officer (CISO) possibly other C-level executives or the Board),uncertainty and doubt (FUD) is another good has only emerged in the last few years.dont waste their time by talking about details way to annoy the CEO and other C-levels. Yes, Research indicates that only 44 percent of that dont matter to them, for example theits important for them to be educated about companies have established the role of CISO; number of viruses detected or the number of threat levels, data breaches and regulations, and thats after a significant jump from lastfirewall hits. This is your 15 minutes of fame but if your objective is to scare them into year when only 29 percent of companies had a dont spend it on minutiae. If youve gainedspending on security, youre not going to get CISO.12access to the CEO, choose the issues you put in very far. Dont overuse headlines of cyberfront of him/her and carefully prioritize aroundthreats and data breaches in your Given the relative newness of the role, it cansituations when there is a high impact risk and presentations to the CEO, especially if you cant be expected that as some information securityyou need the CEO to make a decision. Show upback it up with real data on how these media professionals try to establish themselves astoo often with minor problems and youll just reports specifically relate to your companys strategic players, they are going to makebe noise. situation. And dont show slides with photos of mistakes. Along the way, there may not beprisoners in orange jump suits entitled, Could many opportunities to make a good impression2. Waste moneythis be you? on the CEO so its important to know whatMaking unnecessary investments is a good way not to do.to rile your CEO. Some CISOs have a gotta The following list provides ten surefire ways to have it approach to technology and simply go alienate your CEO or other leaders. If you dodown a list, buying everything every securityI think the biggest alienation comes from these things, not only will you potentially blow department should have rather than ensuring your chance to assume the role of strategicthat every investment ties back to business risk. scare tactics. From the perspective that advisor to the organization, you might evenIf this is your approach, the CEO wont considersecurity is the single and sole item that I find yourself looking for a new job. This list you a good steward of the companys money.should worry about. Yes, its important, it was compiled from Council member Other ways to waste money include running anneeds to have its place high in the observations over the years and from our guest inefficient operation rife with redundancies ororganization, it needs to have more CEO who has had experience with green CISOsimplementing excessive security proceduresthat slow everyone down and reduceawareness, but at the end of the day scare who stumble along the way to figuring it out.productivity. tactics never win. Data and logic are alwaysthe more powerful tools.Michael D. CapellasChairman & Chief Executive OfficerFirst Data12 15. 4. Talk technical propose a solution, make sure its the right Your mitigation strategies, yourIf you want to make your CEOs eyes glaze one. Dont suggest something that doesnt approaches and the way you bring yourover, talk about how the security team isolated match the organizational culture, current ideas to the CEO, the way youmalware samples or selected an encryption business objectives, or economic climate, or isthe wrong scaled approach like communicate, have to reflect the CEOsalgorithm and key size. Many CISOs havetechnical backgrounds and specialized recommending a massive application re-writevision for the company. It has to be in thatexpertise, which can be a double-edged sword. just when the company is laying off developers.context. Otherwise youre going to be outYou might know the intricacies of cyber attacks It has to be reasonable and actionable.of bounds with your solution.and defensive technologies, but fall down7. Expect special treatmentDavid Kentwhen it comes to communicating risks in a wayWant to get on your CEOs nerves? Portray Vice President, Global Risk and Businessthe business understands. Some CISOs have aResources, Genzymetendency to speak only in technical terms thatsecurity as more important than otherare inappropriate for business audiences. functions and therefore deserving of extraSecurity is a business issue, discuss it as one.attention. Or think that security shouldautomatically be exempt when budget cuts are5. Say I told you sobeing implemented across the whole company.Dont discuss things in the old FUDWant a fast track to the exit? When an incident Some information security professionals believe manner fear, uncertainty and doubt. Ifoccurs, go to the CEOs office screaming, I told if risks are increasing, so should their budget. you walk into a meeting waving the latestyou this would happen! It may be true that But its not necessarily a direct line from morerisk to more spending. Consider the fact thatarticle of some huge breach saying, Look,you tried and failed to convince the CEOand/or others about a potential risk. But if an the business units may face increasing this is going to happen to us! theirincident does occur, you have to accept somecompetitive threats, but that doesnt mean response will be, Yeah, give me a break, weresponsibility for the security failure. A better their budgets automatically increase in order to see that every day! And arent you supposedattitude is, There was a decision to accept thefend off competitors. to be doing something to make sure thatrisk, unfortunately an incident occurred, lets8. Operate in a vacuum doesnt happen to us?solve the problem.A good way to become completely irrelevant isCraig Shumard6. Bring up a problem but have no solutionto have goals that are not aligned with those Chief Information Security Officer (or the wrong solution)of leadership and the rest of the organization.Cigna CorporationDont raise a problem with the CEO if you For example, continuing to focus on fortifyingdont have some possible ideas for solving it.network perimeter protection while all theCome to the table with alternatives and business units are busy trying to save costs bysolutions not problems. When you do moving data processing to service providers. 13 16. 9. Create frustrating policiesOkay, this is how security can help make this A really easy way to annoy the CEO andhappen. Another report in the series, everyone else is to issue frustrating policies. Mastering the Risk/Reward Equation: Like decree that no one can have access to theOptimizing Information Risks to Maximize enterprise network except employees;Business provides practical advice on how to meanwhile the business depends on partner find the right balance between risk and access to be competitive. Or have a blanket reward. policy that no one is allowed network access from home; yet employees need flexible work hours. Or declare that no one can have a cell phone with a camera in it, when it is nearly If an incident happens, dont take the impossible to buy a cell phone without a camera and everybody will have to check their position of, I told you and you didnt listen cell phones at the security desk. Policies that to me. It just means you were not able to are well-intended can sometimes be completely sell the solution and hence you allowed that impractical. You have to be realistic. risk to be accepted. You need to be more 10. Say noaccountable for that, because its your job This has been a strong, recurring theme in theto make sure people listen to you. Security for Business Innovation report series.Vishal Salvi Previously, information security officers have Chief Information Security Officer often been seen as the ones who say, No, you and Senior Vice President, HDFC Bank cant do that. But if you want to be a strategic player, you cant say no. Instead consider how you can help the business reach their objectives safely. CEOs dont want to hear about projects. One of the previous reports in the series They want to hear about transformational entitled, The Time is Now: Making programs how are you going to get the Information Security Strategic to Business Innovation builds on this premise and offers a organization to where it needs to be? And complete set of recommendations for how towhat are the metrics youll use so you know move from being the naysayer to saying, youre making improvements? Thats what they care about.Denise WoodChief Information Security OfficerFedEx14 17. Ten Ways CEOs Can Put their Organizations at Risk The previous sections covered what the CISO (e.g. fraudulent ACH transfers), transferring example, the CEO may believe the information should and shouldnt do in order to convincemoney right out the door. CEOs and othersecurity problem is solved because the CISO the CEO that security must be more strategicleaders ignore risks to information at theirencrypted all of the laptops. Not seeing the for the benefit of the organization. But thecompanys peril.bigger picture leaves the company exposed to CEO also has some skin in this game. The CEOall kinds of other risks. needs to understand how his/her actions and 2. Set the wrong tone at the top attitudes will impact the effort to protect The CEO can put the organization at risk by 5. Think of it as just a compliance issue information at the company. To that end, this creating a culture of apathy when it comes to Regulations that call for data protection from list looks at some of the top ways that the protecting information. If the leaders dontSarbanes Oxley to the many state, national and CEO, other C-levels and the Board can put the consider it important, the rest of theinternational privacy laws have certainly company at risk when it comes to informationorganization wont either. Leadership needs tohelped CEOs and other leaders become aware security. set the right tone at the top. This means of information security. However if the C-level actively communicating the importance ofapproaches it as just a compliance issue, they 1. Ignore risks to informationinformation security, being visibly supportive of will not be addressing the most pressing risks. For whatever reason, the CEO and otherthe security mission, and establishing it as aOften a compliance focus causes a check list leaders may not consider risks to information responsibility of everyone in the organization. mentality, whereby its all about minimally all that relevant and may not spend much time meeting requirements rather than examining thinking about them. After all, there are plenty3. Get swept up in the media hype risks. Compliance is definitely an important of other risks to worry about; such asAs previously mentioned in this report, media driver for information risk management, but it competitive threats and financial risks. Buthype about cyber threats can steer the CEOis not the end goal. given the current socio-economic conditions and other executives in the wrong direction. If and the business climate, protectingthey get caught up in all of the hype, they will information has become a strategic imperative not be focused on the risks that are most that warrants executive attention.relevant to their organization, but rather on An important part of the CEOs role is to the risks that make the best headlines. ensure there is a sustainable baseline with An information breach could cause loss of intellectual property, a major hit to the 4. Think of it as just a technology problem on-going objectives. This cannot be a one- companys brand, lawsuits and regulatory Since information security often sits within the time, one-shot deal. It needs to be a issues. But the stakes are getting even higher. sustainable, continual evaluation and information technology department, it Companies are increasingly suffering direct continues to be seen by many as a technical assessment. financial losses as targeted attacks and tailored specialty. But its not just a technology malware now orchestrate illicit transactions Michael D. Capellas problem; its a risk management problem. ForChairman & Chief Executive OfficerFirst Data 15 18. 6. Dont set up a governance structure8. Dont recognize you own the risk 10. Live in a bubble With no governance structure, the securityIts the CEO, C-levels and the Board whoThe nature of our Western, post-industrial program will not have the power or the meansultimately own the risk, not the informationsociety is to put the princes of commerce to adequately manage the risks across the security officer. The CISOs job is to help the into a different level of interaction in many organization; nor will the effort be sustainable. risk owners make the best risk decisions. If theorganizations. If the CEO and other leaders are Ideally information risk management should be business leaders dont recognize they own the insulated from the grim realities at the front built into an overall enterprise risk program risk, they wont adequately consider the riskslines of the organization, they may put the and an Enterprise Risk Committee a cross- nor consciously determine the companys riskorganization at risk. Senior executives need to organizational and cross-functional teamappetite. be prepared to know the true risk picture and consisting of the most senior executives the actual capabilities of their companys should be set up. A governance structure9. Dont enforce the security policysafeguards and protections. should ensure risk decisions are based on a The CEO, C-levels and the Board not only own well-understood and defined methodology,the risk; ultimately they own the information which is well-communicated throughout the security policy. They should know, approve and organization. ensure enforcement of the policy. One way If the right governance structure is in that CEOs undermine security policy is by place, the CEO and Board dont have to 7. Assign information security too low in flaunting it themselves; such as getting thethe organization pay undue attention to security, as long as security controls taken off their computer If information security does not have the right because they are too much of an the committees responsible the Board level of authority, it will not be taken seriously. inconvenience. The CEO needs to lead by committee and/or executive committee This role cannot be relegated to a database example. Lack of leadership support for the and the CISO are doing their jobs. administrator who does security part-time. An security policy means the information securityVishal Salvi actual security leader needs to be appointedprogram cannot be effective and puts theChief Information Security Officer and such as a CISO or equivalent. Something asorganization at risk. Senior Vice President, HDFC Bank crucial to the business as protecting its brand, reputation and information assets should not be low on the totem pole. The CISO should report at least to the C-level and be on the Its prioritization and tone-setting. If its Enterprise Risk Committee or well-represented important to the CEO, its important to on that committee. the company. If he or she makes it a priority, then it becomes part of the DNA of the organization.Roland CloutierVice President, Chief Security OfficerEMC Corporation16 19. Conclusion In the past it may have seemed like an uphill climb just to get the executive leadership and business teams to recognize the importance of information security, but increasingly this is a given. This is a testament to the hard work that information security leaders have been doing. Now the campaign must shift from creating awareness of the need to actually implementing a strategic approach to information security. The CEO is your most important ally in this endeavor. He/she needs to lay the foundation on which you will build across the entire organization. It is absolutely key that you earn the confidence of the CEO; he/she must trust that you know what youre doing and have the companys best interests in mind. The benefits are clear. As enterprises navigate through a long and spotty economic recovery, a strategic, risk-based approach to information security will optimize risk-taking and maximize the rewards of business innovation.17 20. Appendix: BiographiesGuest Contributor Security for Business Innovation Council MembersMichael CapellasAnish Bhimani, CISSP,Roland Cloutier Dave Cullinane, CPP, CISSPChairman & Chief Executive OfficerChief Information Risk Officer Vice President, Chief Information Security OfficerFirst Data CorporationJPMorgan Chase Chief Security Officer, and Vice President, EMC Corporation eBayA 30-year veteran of the IT industry, Anish has global responsibility forRoland has functional and Dave has more than 30 years ofMichael became First Datas ensuring the security and resiliency operational responsibility forsecurity experience. Prior to joiningChairman and CEO in 2007. of JPMorgan Chases IT EMCs information, risk, crisis eBay, Dave was the CISO forPreviously, Michael was CEO ofinfrastructure and supports themanagement and investigativeWashington Mutual and heldCompaq Computer Corporation and firms Corporate Risk Management security operations worldwide.leadership positions in security atPresident of HP; and President andprogram. Previously, he held seniorPreviously, he held executive nCipher, Sun Life and DigitalCEO of MCI, where he oversaw theroles at Booz Allen Hamilton and positions with several consulting Equipment Corporation.successful rebuilding of theGlobal Integrity Corporation and and managed security services firms,company. Michael began his career Predictive Systems. Anish wasspecializing in critical infrastructure Dave is involved with many industrywith Schlumberger Limited and has selected Information Security protection. He is experienced in lawassociations including as currentalso held senior management Executive of the Year for 2008 by enforcement, having served in the Past International President of ISSA.positions at Oracle and SAP the Executive Alliance and named toGulf War and working with the He has numerous awards includingAmericas. Michael serves on the Bank Technology News Top DoD. Roland is a member of theSC Magazines Global Award as CSOboard of directors of Cisco Systems Innovators of 2008 list. He High Tech Crime Investigationsof the Year for 2005 and CSOand holds a bachelors degree fromauthored Internet Security forAssociation, the State Department Magazines 2006 Compass Award asKent State University.Business and is a graduate of Partnership for Criticala Visionary Leader of the SecurityBrown and Carnegie-MellonInfrastructure Security and the FBIs Profession.Universities.Infraguard Program. 18 21. Security for Business Innovation Council MembersProfessor Paul Dorey Renee Guttmann David Kent Dr. Claudia NatansonFounder and Director, CSO Confidential Vice President, Information Security Vice President, Global RiskChief Information Security Officer,and Former Chief Information Security Officer, & Privacy Officer, and Business Resources,DiageoBP Time Warner Inc. GenzymePaul is engaged in consultancy,Renee is responsible for David is responsible for the designClaudia sets the strategy, policy andtraining and research to helpestablishing an information risk-and management of Genzymesprocesses for information securityvendors, end-user companies andmanagement program thatbusiness-aligned global security across Diageos global andgovernments in developing theiradvances Time Warners businessprogram, which provides Physical,divergent markets. Previously, shesecurity strategies. Before founding strategies for data protection. SheInformation, IT and Product Security was Head of Secure Business ServiceCSO Confidential, Paul was has been an information security along with Business Continuity and at British Telecom, where sheresponsible for IT Security andpractitioner since 1996. Previously, Crisis Management. Previously, hefounded the UKs first commercialInformation and Recordsshe led the Information Security was with Bolt Beranek andglobally accredited ComputerManagement at BP. Previously, he Team at Time Inc., was a securityNewman Inc. David has 25 years ofEmergency Response Team. Claudiaran security and risk management analyst for Gartner and worked inexperience aligning security withis Chair of the Corporate Executiveat Morgan Grenfell and Barclaysinformation security at Capital Onebusiness goals. He received CSOProgramme of the World Forum ofBank. Paul was a founder of theand Glaxo Wellcome. ReneeMagazines 2006 Compass AwardIncident Response and SecurityJericho Forum, is Chairman of thereceived the 2008 Compass Awardfor visionary leadership in theTeams. She holds an MSc. inInstitute of Information Securityfrom CSO Magazine and in 2007Security Field. David holds aComputer Science and a Ph.D. inProfessionals and a Visiting was named a Woman ofMasters degree in ManagementComputers and Education.Professor at Royal HollowayInfluence by the Executiveand a Bachelor of Science inCollege, University of London. Womens Forum. Criminal Justice. 19 22. Security for Business Innovation Council Members Vishal Salvi, CISMCraig Shumard Denise Wood Chief Information Security OfficerChief Information Security Officer, Chief Information Security Officer and Senior Vice President,Cigna Corporation and Corporate Vice President, HDFC Bank FedEx Corporation Vishal is responsible for driving the Craig is responsible for corporate- Denise is responsible for security Information Security strategy and wide information protection atand business continuity strategies, its implementation across HDFCCIGNA. He received the 2005 processes and technologies that Bank and its subsidiaries. Prior to Information Security Executive of secure FedEx as a trusted business HDFC he headed Global the Year Tri-State Award and underpartner. Since joining in 1984 she Operational Information Securityhis leadership CIGNA was ranked has held several Information for Standard Chartered Bank (SCB) first in IT Security in the 2006Technology officer positions where he also worked in IT ServiceInformation Week 500. A supporting key corporate initiatives, Delivery, Governance & Risk recognized thought leader, he has including development of Management. Previously, Vishalbeen featured in The Wall Streetfedex.com; and was the first Chief worked at Crompton Greaves, Journal and InformationWeek.Information Officer for FedEx Asia Development Credit Bank and Previously, Craig held many Pacific in 1995. Prior to FedEx, Global Trust Bank. He holds a positions at CIGNA includingDenise worked for Bell South, AT&T Bachelors of Engineering degree inAssistant VP of International and U.S. West. Denise was a Computers and a Masters inSystems and Year 2000 Audit recipient of Computerworlds Business Administration in FinanceDirector. He is a graduate of Premier 100 IT Leaders for 2007 from NMIMS University.Bethany College.award.20 23. References1. Global State of Information Security 2010, Price Waterhouse Coopers2. NYSE Euronext 2010 CEO Report3. Business Case for Data Protection, Study of CEOs and other C-levels, Ponemon Institute4. Business Case for Data Protection, Study of CEOs and other C-levels, Ponemon Institute5. Top Cyber Security Risks September 2009, SANS Institute6. Business Case for Data Protection, Study of CEOs and other C-levels, Ponemon Institute7. Global State of Information Security 2010, Price Waterhouse Coopers8. Global Security Survey 2009, Deloitte Touche Tomatsu9. Business Adoption of Cloud Computing, Aberdeen Group10. Manage the Costs and Risks of Third-Party Assessments, Information Risk Executive Council11. Global State of Information Security Survey 2010, Price Waterhouse Coopers12. Global State of Information Security 2010, Price Waterhouse Coopers21 24. RSA Security Inc. RSA Security Ireland Limited www.rsa.com2009 RSA Security Inc. All Rights Reserved.RSA, RSA Security and the RSA logo are either registered trademarks or trademarks of RSA Security Inc.in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All otherproducts and services mentioned are trademarks of their respective companies.CISO RPT 1209