So what bugs really bite at CISOs?
- Malware bugs
- Those Hacker buggers
- Their staff
- Or lack of staff
- State on state bugs
Actually, what really gets their goat is No. 2, the staff who continually mess everything up for them, and then No. 3, the lack of trained, skilled staff who know how to stop the stupid people screwing up their systems.
How do I know this? Because once a year Eskenzi PR organises the IT security analyst & CISO forum where we get a room full of very outspoken CISOs who really don’t hold back when it comes to sharing their thoughts, bug-bears and irritations with their peers. A few select vendors are invited to hear from the community who buy their wares and we also fly in a dozen of the world’s top analysts who learn from these heated and honest exchanges.
Looking in from where I sit, I’d have thought they would be most worried about all the external threats tirelessly trying to get into their networks from every angle. However, these breaches and bugs are not what get these guys riled up; that’s par for the course – something they expect and can almost prepare for. What they all share is a real frustration that they can find the technology to prevent the breaches and bugs, but their users turn it all on its head with their stupidity – and it’s a problem that doesn’t seem to want to go away.
One comment I especially liked was “you can’t take the IdioT out of the user” – it’s what they do with the data that’s the biggest problem! Another observation came from an impressive female CISO who said that 100% of computer crime involves people. Obvious, but she’s right and it makes you think!
Okay – here’s the lesson: we must learn to respect the data we use on a daily basis. That means wherever it is and whenever we’re using it, we need to consider whether it is valuable and, if it falls into the wrong hands, what harm could it do to ourselves, the customer and of course the company?
However, one eminent venture capitalist who attended our event cited a recent Economist article that stated that stock prices are often unaffected by breaches, which starts to make me really confused – what’s it all about if you can suffer a major breach and then it doesn’t really affect the company – why bother? Maybe that’s why CISOs are so relaxed about external threats!
But it does cost money to sort out the mess that users make when they infect a system by opening an infected email or uploading infected data from a contaminated USB.
Apart from being hugely frustrated by their internal staff, which was definitely shared by all concerned, it seems that the second really big pain point is the lack of skilled people in IT security. There just isn’t the quality or quantity and, when you do find someone, they just don’t know how to communicate to get their message across. There was a common thread in the discussion, where they felt that when they did find the right people with the right skills, those people then couldn’t fit in with the culture of the company. The big question is how do you turn geeks into people people in order to get the funds for IT security from the board? One very smart CISO (although, saying that, all the CISOs who attend our event are the smart ones who make a real effort to collaborate and push the boundaries) gets a digital agency to help with his messaging and visuals so that, when he has that very small window of opportunity to talk to the board, they quickly get it!
They all believe that, in order to get things done in IT security, you’ve got to become a good communicator – which means investing in training to communicate well so you can be compelling and convincing. You need to talk to the board in the language they understand and that goes for the users themselves.
Another smart suggestion to get skilled people to push the IT security message was from a CISO who had employed the CEO’s PA to come and work for him, as she knew exactly the culture of the company and how to get around everyone to get them to listen. She knew politically who to push and who to ask to get things done. So employing internally and drawing talent from other parts of the company was definitely a method that had worked for this particular CISO.
Everyone thought that a framework of the right questions that the board should ask the CISOs was a good way to go, and badly needed.
I suppose the conclusion to the day was that no matter what happens out there, the CISO’s biggest concern is to keep their own houses in order; and that means training their staff to respect the data they deal with and getting them the right employees who know how to communicate to help them to do this.
Yvonne Eskenzi, Yvonne@eskenzipr.com