At the recent ISSA International Conference in Dallas, SearchCompliance editor Ben Cole met with conference speakers to discuss the changing data threat landscape and how it is influencing the information security role. In this Q&A, SANS Institute CISO Frank Kim explains why communication and other people skills have become a big part of infosec professionals' job requirements.
As threats to company data have become a top business concern, how has it changed the role of the CISO and other infosec professionals?
Frank Kim: Traditionally, the CISO and the security leader have been, unfortunately, the ones that have said 'no.' That was, perhaps, okay or acceptable enough in a time when the CISO was in charge of just IT security. But now the modern CISO is really responsible for a lot more; it's not just IT security. It's regulatory compliance, legal concerns and it is also business concerns. How does the organization make money? How does the organization stay in business? We have to figure out how security can support that.
How important are communication skills for the modern CISO as the information security role becomes increasingly vital to successful business operations?
Kim: One of the biggest challenges that I see IT and technical security people have is being able to communicate with other non-technical and non-security folks. We in the industry as a whole suffer from what is called the 'curse of knowledge' -- when we are so knowledgeable about a particular area we have a hard time conveying, in simple terms and plain language, what those things actually mean. So communication skills are vital to the success of the modern CISO, because we can no longer talk in acronyms or technical capabilities. We've got to be able to translate those into business language and articulate what the corresponding cyber-risk is for the organization, not just the technology-specific aspects.
How do you train the younger CISO, or someone who wants to be a CISO or an infosec professional, on those communication skills? Is it difficult because it hasn't been as important to their job description as in the past?
Kim: When Heartbleed first came out some years ago, I knew that we would have to communicate that up to our CIO and CEO just because there was so much coverage about it. I asked the folks on the team to come up with a little bit of a write-up to describe how we're affected, what we're doing about it and what the corresponding risk that we still have is. They came back with a very technical communication, with acronyms like 'TLS' and 'Heartbeat extension' and so on.
The best way to learn is through experience. A lot of time that is the bitterest way to learn as well, but what really helped was showing them the original communication and then the revised communication in terms of the business language that was understood by our senior executives, showing them those particular examples of before and after. Just going through those experiences, I think, helps a lot in terms of improving those communication skills.
In addition to simplifying communications, what can CISOs and security professionals do to make information security relevant and understandable to the key stakeholders in the organization?
Kim: One thing that security people can do to better help the organization is understand the business, understand how the organization makes money. If we overly invest in security controls and we cause too much friction on important business processes, not only are we in security not going to succeed, but the organization is not going to succeed at the rate that it should. We have to think about the key new initiatives underpinned by tech -- whether it's mobile, cloud, internet of things -- we can't just say no to those things. We've got to figure out how to say yes. One lesson is to understand the business: What's important to the organization? Figure out how we can support that, how we can actually say 'yes.'
What about the employees that are outside of the C-suite, that aren't executives -- how can CISOs and InfoSec professionals make them understand their role in data protection and ensure they're adequately trained to do that?
Kim: At SANS, we do a lot with security awareness. It's not just about the technical security awareness. What we found helps a lot is to bring it home for particular people. Not just what we need to do to secure our work computer, what we need to do to secure our work environment, but also how can you stay safe at home? How can you secure your wireless access at home? How do you keep your kids safe online? One thing we found that really helps is making it personal for those particular folks in the organization. By making it personal, that helps drive behavior change, perhaps first at home and then, by extension, at work, which then has a larger impact on the security culture that we in the organization would be trying to build.