Headline-grabbing hacks like the Equifax breach provide “teachable moments” that can be used to win more cybersecurity investment from company executives, but even with enough money, other resources — like face time with the board, or skilled personnel — are always in short supply, according to a panel of chief information security officers who spoke with CyberScoop Tuesday.
“Even though CISOs are getting more and more time in front of the board, we’re still not getting enough,” Tammy Moskites, CISO for cybersecurity company Venafi, told CyberScoop on the fringes of an ISACA cybersecurity event in Washington. ISACA, formerly known as the Information Systems Audit and Control Association, is a professional membership and advocacy non-profit based outside of Chicago.
“I get 15 minutes with the board on a quarterly basis,” said Michael Raeder, CISO of Orbital ATK, a defense and space contractor recently purchased by Northrop Grumman. “I typically go over” time, provoking angry looks from other officers, he added.
Given how limited that time is, Raeder added, he is careful to use it wisely.
“I like to have a conversation with the board in terms that mean something to them,” he said. “I’m not going to go and spit out all these stats about how many APTs I stopped last month. They don’t care about that. They want to know in terms of risk, how secure is our organization and how are we getting better.”
Even more than the limited time, different perspectives can constrain open communication between CISOs and their executive leadership team, added Rich Licato, CISO for the Airline Reporting Corporation.
“It’s always a time crunch,” he said, adding, “There’s always this disconnect between security and business. We’re not at the point yet where security is seen as critical.”
Raeder and Licato are not alone in feeling that way, said Moskites.
“I travel a lot, I’ve talked to well over 1000-plus CISOs and CIOs all over the world,” she said. “I don’t talk about my products, I ask ‘what keeps you up at night?’ … and with a lot of them, [it’s], ‘We don’t get time with the board, or if we do, we only get time with the audit committee, or if we get time with the board, it’s not enough time.’ They need a seat at the table and they need more than that 15 minutes.”
They may start to get it soon, panel members agreed, given growing board-level and executive concern about cybersecurity. In the past, beyond the brief hits that the share prices of breached retail giants like Home Depot suffered, there were few significant consequences for a company that was breached.
“What we’re seeing now — and we’ve seen some of it in the past — are the economic repercussions from these breaches,” said Raeder. “You’re having CEOs lose their roles, not just the CISO and the CIO … Hundreds of millions of dollars are being taken off the table when a breach is discovered during a merger,” like in the Yahoo-Verizon deal.
“They’re reading the same news we are,” he said of the board.
Breaches like Equifax are “opportunities to provide examples” of ways the company could improve its security posture, added Licato. “You don’t want to lead by fear … but you want to use the teachable moment … This is an opportunity to leverage something to make ourselves better.”
Raeder added that for many CISOs, getting enough money was not the problem.
“I don’t see a lot of shrinking security budgets. You’re always competing, but I think security has been coming out well [from those contests].”
Even if lack of money is no longer a problem, there are plenty of other challenges, noted Moskites.
“CISOs can get money, but the problem is, there’s so much other stuff to do … Just time. Time to spin up hardware, time to order hardware, time to get through the bureaucratic BS inside the company.”
Often the biggest constraint, the panelists agreed, was trouble finding the right personnel.
“They can give me all the money I need,” observed Moskites, “but it’s not going to do me any good if I don’t have those other resources.”