Conclusion: The Security Role of the CEO
Obviously, chief executives don’t play a detailed day-to-day role in information security. You probably don’t know how to administer a vulnerability scanner, nor should you. But understanding security can have such a dramatic effect on an organization’s bottom line, it is clear CEOs need to provide strong leadership on the matter.
According to many of the CISOs we speak with here at Lumension Security, the only way to get user buy-in for major infosec initiatives is by relying on support from the top of the food chain. As a CEO, you have a chance to set a culture of security that permeates into every silo, department and remote office you maintain.
The CEO has to be the one who constantly challenges the organization to understand its risks, and who reviews security progress as part of the quarterly review process. Are we on track with our initiatives? Have we suffered any incidents lately? Have our competitors? What new threats are cropping up? These are the types of questions the CEO must ask of the CIO or CISO on a consistent basis in order to keep the company's security messaging relevant. It should be an ongoing, dynamic process rather than one in which the CEO is simply the recipient of information.
As our customer Bell puts it, “When it comes from the CEO, it’s a bigger deal than when it comes from the security officer. You’re going to get more penetration through your enterprise. The folks in accounting are going to go, ‘Oh! It’s the CEO!’ They don’t care about me, but they’ll listen to the CEO. There are a lot of companies with silos that are so deep these days that the security departments don’t have a lot of visibility. If you can work to get some kind of company message, it’s helpful.”
A Practical Approach to IT Security Risks
Pat Clawson discusses how organizations can implement a practical approach to identifying, prioritizing and responding to IT security risks.