FUD
FUD stands for fear, uncertainty and doubt, and it’s long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road. In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team’s credibility. “That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence,” says Jim Mecsics, vice president of corporate security for Equifax. “But when you approach corporate officers with the tactics of fear, you’re walking into a trap. Somebody will eventually say, ‘OK, show me where the real [emergency] is,’ and then your credibility is shot.” FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven’t learned how to make a data-driven risk management argument. A CSO who doesn’t stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.
Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents’ arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization’s management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group’s use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. “They got worked into such a frenzy that it was like a runaway train,” says Mecsics.
FUD also wastes money, because budget won by scare tactics is rarely spent well.
Here, the CISO is putting the responsibility on the CEO. “I’m not sure why IT tends to disregard these tools,” says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. Security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies.
Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization’s security IQ. Part of the battle is fought in the field: pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams tries to involve as many different functions in his security process as possible. Those forms of communication don’t fly in the boardroom.
As the old saying goes: It’s not just what you say, but how you say it.
As anyone who’s ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City’s renowned comedy club, on a Friday night. “It was one of the most horrifying experiences I think I’ve ever been through,” says Hancock. “You get up in front of an audience, half the people there are probably inebriated in some fashion, and you’ve got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don’t know you from nobody.”
The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences.
When dealing with a weighty topic like security, it’s important to focus on how you communicate as well as what you communicate. Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle’s CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. “People ought to be thanked for doing their job more often,” she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. “It’s not being manipulative, it’s just that you catch more flies with honey.”
Information security in one stovepipe, corporate security in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group… Security functions have a history of fragmented organization. “Each of these departments’ main mission is ‘to protect company assets’; however, each usually reports through a different hierarchy,” as one privacy and IT security manager puts it. Historically, the greatest chasm – not just organizationally, but culturally as well – lay between information security folks and their corporate security counterparts. Each side has a list of pejorative ways to describe the other’s profession and professionals (propellerheads vs. knuckledraggers, etcetera). Disjointed management and lack of communication lead to a weaker security posture and wasted money due to duplicated efforts.
“The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management,” says Lance Wright, principal at the Boyden Global Executive Search company.
Business continuity
Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it best: “Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.”
Hiring and firing
When an employee comes on board, she may need a number of assets and rights before she becomes productive… a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.
Regulatory compliance
Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces.
http://www.csoonline.com/fundamentals/abc_leadership.html?source=nlt_csocareer