Breach, blame, repeat: The hard truths of today’s CISO

Cyber security expert Richard Clarke’s resume is nothing short of remarkable. He is an expert in security risk management and has been security advisor to three U.S. Presidents. So when Mr. Clarke has something to say about what is arguably the most critical role in today’s enterprise, we should listen.

Just having a CISO isn’t a security solution in itself. Clarke believes that today’s CISO does not have the clout they need to adequately protect the enterprise.

Here are the challenges facing today’s CISO:

Limited access to the CEO

If you think that the Chief Information & Security Officer (CISO), with an office in the C-suite, would have the ear of the CEO, you’d be mistaken. The danger of a reporting structure to someone other than the CEO, warns Clarke, is lack of insight into security strategy at the very top of the organization.

Without a direct line to the CEO, CISOs struggle with visibility and face challenges getting the necessary resources to prepare for today’s security risks.

Senior execs who think cyber risk is a technical problem

Nearly 80 percent of CEOs believe that cyber security and IT are strictly tech and compliance issues. That’s a problem. CISOs must learn to effectively communicate, in business terms, the risks and strategies required for proper security measures. CISOs need to speak the language of risk management – something every executive and CEO understands.

Short on budgets and staffing

CISOs generally work with a budget of 3-4 percent. That may have been adequate 15 years ago but it is stretched far too thin given today’s security requirements. It’s simply not enough.

“If you want adequate coverage, expect to spend anywhere between 8-12 percent of your budget on security strategies,” says Clarke.

Your security spend should be based on two things:

1. What you want to prevent
2. What you need to protect

Today, a typical large-scale enterprise has an average of 22 (yes, twenty-two) different IT security vendors. As business shifts toward mobile, cloud and eCommerce, security is more critical than ever. And as threats grow bigger, so does potential damage, and so does the cost of containing it.

Lack of a breach plan

Every CISO must prepare a breach plan – and it ought to be CEO-approved, advises Clarke.

It’s important that everyone know exactly what to do the event of a breach. The plan should account for everything from computer forensics, to legal, to crisis communications.

Practice the plan. Do the run-through. Feel the pain. According to Clarke, many executives scoff at the idea of doing a run-through saying they “don’t have time to play games”.

“I’ve played games with Presidents of the United States, with cabinet secretaries, and with Prime Ministers. They play games. That’s how you get ready. Making them live through a breach is how you show them how horrible it can be.”  ~ Richard Clarke

“It’s no longer a matter of if, but when, an IT breach will occur,” warns Clarke. And the CISO is invariably on the hot seat. In this climate of inevitable cyber threats, security as a strategy, deeper resources, and more visibility at the executive level, are critical for the CISO to be truly effective.