C+I+A+Value: A CISO Imperative

Blog post created by Steve Schlarman on Dec 11, 2014

Confidentiality, Integrity, Availability – the holy trinity of the information security profession.  Chapter One of (almost) every information security document has these three words highlighted, underlined, bolded, mantra-sized…Deified.  And for good reason.  These three guiding lights of the security vocation are the stars upon which our paths are navigated.  They provide the X, Y and Z coordinates for us to determine our position.  They are the boundaries that we operate in.  As security professionals, they COMPLETE us…


Until now.


Recently, I attended the Information Security Forum’s World Congress in Copenhagen.  This event brought together a multitude of information security leaders representing enterprises from around the globe.  Several of the sessions included CISOs presenting their own individual challenges and accomplishments as they guide their organizations through the murky and dangerous waters of the security ocean.  And as they steer their security strategies, whether explicitly or implicitly stated, they navigate by the three magical stars of InfoSec – Confidentiality, Integrity and Availability.  However, the discussions consistently pointed to another star.  Once hidden on the horizon and dimly lit, this star is constantly growing in size and brightness:  Value.


Security has gone from a push to a pull: Executive management reads about security issues every day in the news.  CISOs are now reporting that interest in security has gone from a bullet point somewhere in the IT section of the board presentation to a seat at the table.  In some cases it may still be a backseat, but a seat nonetheless.  Thus, security must be able to talk in terms of the business and highlight the value of InfoSec initiatives.


Security must be thought of, and managed, as a business investment – not an administrative cost:  The convergence of digital and business risk is unavoidable, and the reputational and financial impact of a data breach is evident.  Forrester just released an interesting report on how customer-facing risks must be addressed.  Risks that affect the people who spend money on your company’s products and services must be addressed.  I wrote a blog a while back on the CISO as investment advisor.  This type of conversation – spending on security perceived as investment in the business – has to be on the CISO’s radar.


Security must report to, first, someone who cares and then someone who can make a difference:  Much debate has unfolded on the organizational position of the security function – IT? Legal?  Finance? Operations?  I think first it needs to report to someone who cares that the business is protected.  Secondly, it should report to someone who can then make a difference.  If you find someone with BOTH of those attributes, then security is in good hands.  The trick is to then translate that concern and action into discernible value to the organization.


Each of these indicates this rising star – Value – as another guiding principle for information security.  If security cannot articulate the business value, and be driven by business priority through context, then the seat at the table will be lost.  It is one thing to say “You gave me $X to invest in security and nothing bad happened.”  It is another thing to say “You gave me $X to invest in security and we secured $Y in business resulting in $Z in revenue.”   This is the difference in reporting ‘We shut down an active attack on systems that support 1/3 of our business operations in North America representing a daily revenue of $1M’ rather than ‘Our AV infrastructure identified 50 machines infected with a serious malware and we remediated it.’  I would propose that the CIA mantra in security be modified in today’s competitive and hazardous marketplace.


Forrester even calls this out directly in their report:

'Business leaders desperately need better analytics and risk context to ensure they make the right strategic decisions, but they hesitate to invest more resources into risk programs because risk management is seen as a cost that doesn’t offer a solid return on investment. This is a failure of risk management to demonstrate value to the business, and it’s a failure to align with morphing market trends that put the customer front and center of every business initiative.' *


Protecting information these days goes beyond ensuring Confidentiality, Integrity and Availability.  Protecting information today includes understanding the Value of the information and maintaining that worth for the business.  While this concept is implied in maintaining C, I and A, it does not get its proper place at the forefront of WHY we secure information.  As a profession, the more we instill this concept of value in the discussion, the closer security will get to the business.  The Impact part of Risk = Likelihood × Impact seems to have taken a back seat, but no longer can we focus only on reducing likelihood by implementing control after control.  We need to articulate the value back to the business to improve the investment portfolio of the security function and ultimately take a seat as a crucial part of the business strategy of the organization.


* Forrester Report:  Dissecting Global Risk Perceptions And The Effects Of Customer Obsession by Nick Hayes, December 5, 2014