Essential Guide

Browse Sections
This content is part of the Essential Guide: An IT security strategy guide for CIOs
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Creating a 'culture of security' requires new look at business priorities

As data protection has become a top business priority, information security professionals have increasingly been tapped to provide corporate strategy input. Fully integrating security measures into business processes is not easy, however, and requires close communication between the top brass and data protection team, said Vantiv CSO Kim L. Jones.

In a series of video interviews from the 2015 ISSA International Conference in Chicago, SearchCompliance editor Ben Cole discussed this new business focus on creating a "culture of security" with conference speakers and ISSA members. Jones discussed why modern data vulnerabilities is forcing business leaders to change the way they look at how security professionals can benefit not just information protection, but also the bottom line.

A big topic at this year's ISSA conference was creating 'a culture of security.' How can companies make sure they integrate security into existing business processes?

Kim L. Jones: I think one of the things security professionals don't do enough of is look at the 'people' part of the 'people, process and technology' triad. I look at culture as that intersection between people and organization. On one end, most of us grew up geek, so we don't do so well with people to begin with. We go into that process arm and say 'the process says we need to do it this way.' There's a lot of things security professionals do at various companies and organizations that is just the same stuff, different day.

[Some of] the challenges we continue to have are people see the convenience, people see a sense of cost savings, before they see there are dangers out there that they need to be aware of.

But what makes every company unique is its culture. The first part of that equation is understanding that the culture is … unique, and that impacts the way we implement things and what makes sense in the environment, versus coming in and saying 'This port is open, this practice is wrong; therefore it is unsecure.' Let's understand why. Let's understand what the pervading values of the culture are, and let's see then how we integrate security into that values framework. That's not something we do well as a profession, and it's something we need to get better at.

With technology changing so fast, how does technology such as the Internet of Things complicate the information security professional's role?

Jones: It's more a matter of the pace of change, in my opinion, than it is the changes themselves. I was just having a conversation at the CISO Forum before the conference began, talking about … cloud. I stopped and said, 'Wait a second, haven't we done this dance before?' We were concerned about new technologies and different security frameworks when we had to outsource, then offshore, then to deal with Wi-Fi, which is now ubiquitous. The cloud and Internet of Things are just different variants on any new issues that we have to factor in.

[Some of] the challenges we continue to have are people see the convenience, people see a sense of cost savings, before they see there are dangers out there that they need to be aware of. Those dangers don't necessarily need to drive the decision, but they need to be a part of that risk calculus. This gets back to if I understand the culture, if I understand the value drivers, how do I inject those in before those decisions are made? The problem we have is we are firefighting against today's problems, and given the pace of change that's coming, tomorrow's problems are here before we actually get a chance to embrace them and figure out how we become a part of that proactive discussion. For me, it's less about the Internet of Things or new technology, but about the pace of how quickly things are coming.

How has the information security professional's role changed as InfoSEC has become so important to business success?

Jones: I think looking at it over the course of decades, we've moved from the backroom technologist to the process people, to truly being a business partner and business professional. The soft skills, the critical thinking, the communication skills, the building of alliances, the building of coalitions inside/outside the company are just as important, if not more important, than being able to read a firewall log. To truly be that business partner, I need to understand how we make money, what's keeping us up at night, and how to knock down some of those barriers to allow us to generate revenue. That's a huge change, and what gets really interesting is the value given to our profession was not based on those skills that I just talked about. There's an evolution that information security professionals have to make, but there is also an evolution that the business has to make. I hear a lot about us speaking the language of the business, and I agree wholeheartedly that we have to. But I admit I don't see a lot of businesses meeting me one-tenth of the way across the bridge. Now when I say that, I don't need them to speak geek. I don't need you to look into the abyss that I look into every day, but I do need you to occasionally understand that I look here so you don't have to. When I raise my hand and say there is a challenge, we have to be willing to look at that together so that we can make the appropriate decision.

There is one change that I have seen that is decidedly negative, in my mind: As there has been external pressure, external news, external regulation, the business wants to point and say we need a CSO, and CISO (chief information security officer) here, and they put them there so they can say 'OK I can ignore this.' Instead, it should be 'Now that you're here, I need you to be my business partner as well. I need you to understand that while I absolutely don't want to be your first priority, I'm here to try to take this off your plate.'

But when I raise my hand and say 'boss I need you to sit down because we need to make some hard decisions on this,' I need you to give us the time, give us the attention and understand that what we're trying to do is to get you to meet us halfway. We get a lot of bad rap as a profession from people saying we don't speak the language, and a lot of it is deserved. But I also think that the business has to sit back and say look, 'You pay me to look at the ugly stuff that you don't want to, and 90% of it I push away from you. That 10% when I need your time, we have to look at it together.' You can't just ignore this. I would submit that there are a lot of businesses right now that are being impacted by security issues that need to raise that operational maturity level. I don't want to be negative, but I think if we are going to solve this in partnership with the business, we need to recognize that.

View All Videos