Communicating as a CSO

Bob Bragdon, Publisher, CSO

August 3, 2012

©CSO Magazine, Confidential & Proprietary, August 2012


Stand Up!

Do this with everyone in your organization, from the Chairman to the receptionist


CSOs trying to communicate with senior management…

Some are good at it, and others still have some groundwork to do.


The Good


Business attire

Organized

Prepared

Focuses on “the balance” (diagram labels: Risk, Business Opportunity)


The Bad


Excellent at solving technology problems, not so much on the strategy

or, excellent at the strategy, not so much on the execution

Not great at translating risk into business language

Viewed by management as “just another IT guy – the one who won’t let me use an Android”


and The Ugly


Nearly Half of Respondents See Their Organization as a “Front-Runner” in Information Security Strategy and Execution

Section 2 – A world of front runners: Respondents categorize their organization

FRONT-RUNNERS (43%): We have an effective strategy in place and are proactive in executing the plan

STRATEGISTS (27%): We are better at “getting the strategy right” than we are at executing the plan

TACTICIANS (15%): We are better at “getting things done” than we are at defining an effective strategy

FIREFIGHTERS (14%): We do not have an effective strategy in place and are typically in a reactive mode

Source: 2012 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2011

More so than ever before, security executives are speaking from a position of power

So why don’t they act like it?


Employing CSOs and CISOs is a big priority

85% of businesses, globally, employ a CSO, CISO or both

• More than half of the remaining businesses cite hiring a CSO or CISO as a top priority over the next 12 months

Where does the CISO report?

• CEO 34%

• Board of Directors 29%

• CIO 27%

• CFO 15%

• General Counsel 11%

Source: 2012 Global State of Information Security Survey, PricewaterhouseCoopers, CIO magazine, CSO magazine, September 2011


Risk Issues Touch Every Aspect of the Business

85% of enterprises have someone in the CSO/CISO role

RISK ISSUES

• CMO: Intellectual Property & Brand Protection; Business/Competitive Intelligence

• HR: Investigations and Background Checks; Ethics

• Legal: Regulatory Compliance; Safety/OSHA

• COO: Physical Security; Business Continuity

• CFO: Fraud Prevention; Loss Prevention

• CIO: Infosecurity

• CPO: Privacy

Source: 2012 Global State of Information Security, PricewaterhouseCoopers, CIO, CSO, 2011


Security Top Consideration in Company Investments

“Spending on information security is growing faster than spending on general technology. Global spending on security products and services is expected to reach $71 billion by 2014, up from $55 billion today.”

– Gartner

• Cloud: 67% of respondents are concerned about cloud security.

• Data Center: 93% of respondents say that security/risk management is at least a somewhat important business driver.

• Mobile: 72% of respondents plan to invest in security and data management software for mobile.

Security is the #1 response


Security Budgets Stable/Increasing

Q. Compared to the past 12 months, will your organization’s overall security budget increase, decrease or remain the same in the next 12 months?

Source: State of the CSO, CSO magazine, 2011, Harvey Ad Measurement Study, CSO Dec/Jan 2011 issue

[Chart: response shares of 39%, 9% and 52%; surviving legend label: “Remain the same”]

Average Annual Security Budget: $205 million

However, the amount spent on security is even higher as security investments are often split with IT.

“Enterprises see more and more of their IT budget consumed with costs to secure their environment.”

– Chris Liebert, Curtis Price, Christian A. Christiansen, IDC Analysts (Worldwide and U.S. Security Services 2011–2015 Forecast and Analysis, May 2011)


The Elevated Role and Reach of the Security Executive is the New Reality

Q. In the past 12 months, has your organization's senior management placed more, less or the same value on risk management? Does your organization use a formal Enterprise Risk Management process or methodology that incorporates multiple types of risk?

Source: State of the CSO, CSO magazine, 2011; 2012 Global State of Information Security, PricewaterhouseCoopers, CIO, CSO

No Change 35%

Less Value 4%

More Value 61%

Focus on Managing Risk Not Just Security


The CFO’s view of the world: Cloud Computing

Source: The Business Value of Cloud Computing Survey, CFO Publishing LLC, June 2012

The good news: your CFO “gets” the risk

Source: The Business Value of Cloud Computing Survey, CFO Publishing LLC, June 2012

So where’s the love & respect?

It has to be earned…

over and over again


CBI2

• Credibility

• Business value and benefit

• Impact (financial)

• Impact (operational)


Credibility

• Deliver on what you say

• Don’t say it unless you mean it

• Reserve FUD for those “special” occasions

Business value and benefit

• Always communicate business value and benefit – chances are your sr. mgmt. audience doesn’t get what you do

• Always take a logical thought through to its conclusion

Impact (financial)

• Explain the financials – upside & downside

Impact (operational)

• Understand the operational impact of your actions


Understanding what security does

How often do you meet with the Board of Directors?

• What do you discuss with them?

How often do you meet with your CEO?

• What do you discuss with him/her?

How often do you meet with your CFO?

• What do you discuss with him/her?

How often do you meet with your VP Sales?

• What do you discuss with him/her?

Can your head of HR describe what you do?

Can the receptionist describe what you do?


Sales 101

Pick your battles

Know your audience

Have your Elevator Pitch ready at all times

ABC


A little incentive


Carve your Rosetta Stone

Security/Risk

• Need Budget

• Incident response

• Headcount

• New regulation

Business

• New business initiative

• New competitor

• Innovation (payback?)

• New regulation


Final thoughts

Play the part – be a senior executive

Politic – nothing wrong with glad-handing and kissing babies

Speak the language: business not technology, risk not security

Power and success come from a position of strength…exactly where the profession is now


Questions

Bob Bragdon

[email protected]
