While most CISOs report within the IT organization, many non-technical business executives, such as CFOs, are showing an interest in understanding the impact of security on the business they run.
Yet in a recent benchmark study conducted by the Ponemon Institute, The State of Risk-Based Security Management, 62 percent of the IT security professionals who responded said that the business has little or no involvement in providing risk-based analysis.
It is therefore imperative that we as security professionals address the needs of non-security executives, help them become more aware of security matters and align security efforts with business objectives.
Most CFOs are fact-driven professionals who focus most of their attention on revenue, profit and risk management. They strive to be seen as thoughtful and rational, and to be known for establishing reasonable processes that allow executives to take calculated risks. Many CFOs spend much of their day listening to business justifications, weighing different perspectives on the value of investing in projects, and balancing risk against reward.
They are trained to dive into the financial statements and look for underlying business risk. Technical information security jargon, by contrast, is a foreign language to most of them, and many of the security threats we face are neither tangible nor well understood. I recently interviewed Kelly Lang, CFO of Tripwire, and asked him to share his thoughts on how best to get the attention of financial executives on security matters.
‘It’s important to have a framework to assess and understand security risks and how they align to the objectives of the business,’ said Lang. ‘The 20 Critical Security Controls (formerly the SANS Top 20) provides me and Tripwire’s Risk & Security Oversight Board (RSOB) with a structure for conversation on how we prioritize so that we make thoughtful financial allocations for the business.’
When it comes to mitigating security risks, Lang prefers to lean on tested and accepted approaches, much as he relies on GAAP (Generally Accepted Accounting Principles) in his own field. With this mindset he looks for approaches that have been tested by others in the industry and have third-party validation. Without a substantiated, rational method it is very difficult to evaluate solutions for controlling IT risk. The 20 Critical Security Controls fit his criteria well: they were developed in 2008, when the Department of Defense (DoD) sought the help of the National Security Agency (NSA) to prioritize its security spending across the myriad security controls available for cybersecurity. The NSA participated in a consortium with the Center for Internet Security (CIS) and the SANS Institute to develop the 20 Critical Security Controls. If you’re a history buff you can find out more on this page.
Lang admits to receiving a lot of help from the security team in learning how security risks relate to the risks of the business. Because financial executives think in terms of the big picture and have little patience for unnecessary detail and minutiae, security teams are also called on to refrain from ‘techie’ terminology and acronyms. ‘The 20 Critical Security Controls framework provided our security team and our RSOB a way to communicate on the value of the security controls relative to the business assets we cared the most about,’ commented Lang.
As in many organizations that run a risk-based security management program, the first step is to identify the most critical assets: the organization’s crown jewels. ‘For my high-value assets I want all A’s and greens,’ says Lang. He understands that some controls are too expensive or too hard to implement, and if those controls do not bear on protecting the company’s most important assets he can accept a less than optimal grade on them; that is part of doing risk management and balancing costs, risks and opportunities.
Lang recalls sitting in a meeting where the security team delivered a presentation on the state of security. He remembers realizing that mitigating the risks would require implementing many controls, and that the 20 Critical Security Controls framework gave him a medium for visually assessing risk coverage, so that he could sleep better at night. He uses the framework to talk about risk in terms of the level of protection in place. Essentially, it gives him and the IT security team a common language and spares them many purely technical conversations. He also admitted to being more interested in security because he sees it more often in the mainstream media.
The framework also proved valuable recently when the organization renewed its insurance policies, as a way to discuss and address security risk. Lang is also seeing a trend in which major insurance companies require disclosures on the state of IT security. A few years ago this risk seldom showed up on the annual renewal questionnaires; today the insurance questions cover risk posture as it relates to network security. ‘Last year, there were very few questions relating to cyber security. This year, we had two comprehensive sections dedicated to network security,’ says Lang.
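The grading rule Lang describes, all A’s and greens on the crown jewels while accepting lower grades on costly controls that protect less important assets, can be turned into a scorecard the security team and the RSOB can both read. The following is an added example written for this page, not code from the post or from Tripwire: the control labels are a shortened subset of the 20 Critical Security Controls, and the asset tiers, grade cut-offs, colour mapping and asset scores are constructed assumptions.

```python
"""Grade Critical Security Controls coverage per asset, with a floor per tier.

Added example: each asset gets a letter grade per control; the asset's tier
sets the minimum acceptable grade. Crown jewels must be all A's (green);
lower tiers may accept lower grades on controls that are costly to do.
All names, cut-offs and scores below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed subset of the 20 Critical Security Controls (short labels; an
# assumption for illustration, numbering as in the version-4-era list).
CONTROLS = {
    1: "Inventory of authorized and unauthorized devices",
    2: "Inventory of authorized and unauthorized software",
    3: "Secure configurations for hardware and software",
    4: "Continuous vulnerability assessment and remediation",
    5: "Malware defenses",
}

GRADE_ORDER = "ABCDF"  # best to worst

# Assumed policy: crown jewels need an A on every control; other tiers may
# accept lower grades on controls that are expensive or hard to implement.
TIER_FLOOR = {"crown_jewel": "A", "important": "B", "standard": "D"}

# Assumed colour mapping for the executive view: only an A is "green".
COLOR = {"A": "green", "B": "amber", "C": "amber", "D": "red", "F": "red"}


@dataclass
class Asset:
    name: str
    tier: str
    coverage: dict  # control number -> coverage score 0..100 (assumed metric)


def grade(score):
    """Map a 0..100 coverage score to a letter grade (assumed cut-offs)."""
    if score is None:
        return "F"  # an unmeasured control is treated as a failure, not a pass
    for letter, cutoff in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= cutoff:
            return letter
    return "F"


def meets_floor(letter, floor):
    """True if `letter` is at least as good as `floor` (A is best)."""
    return GRADE_ORDER.index(letter) <= GRADE_ORDER.index(floor)


def scorecard(asset):
    """Letter grade and colour for every control: the CFO-facing view."""
    card = {}
    for n in CONTROLS:
        letter = grade(asset.coverage.get(n))
        card[n] = (letter, COLOR[letter])
    return card


def gaps(assets):
    """Controls below the floor for the asset's tier.

    Returns (asset name, control number, grade, required floor) tuples,
    crown jewels first, so the exceptions that matter most are funded first.
    """
    found = []
    for asset in assets:
        floor = TIER_FLOOR[asset.tier]
        for n, (letter, _colour) in scorecard(asset).items():
            if not meets_floor(letter, floor):
                found.append((asset.name, n, letter, floor))
    tier_of = {a.name: a.tier for a in assets}
    rank = {tier: i for i, tier in enumerate(TIER_FLOOR)}
    found.sort(key=lambda g: (rank[tier_of[g[0]]], g[1]))
    return found


# Constructed sample inventory. marketing-wiki has no score for control 4.
SAMPLE_ASSETS = [
    Asset("payroll-db", "crown_jewel", {1: 98, 2: 95, 3: 92, 4: 86, 5: 97}),
    Asset("build-farm", "important", {1: 90, 2: 75, 3: 85, 4: 81, 5: 93}),
    Asset("marketing-wiki", "standard", {1: 70, 2: 65, 3: 55, 5: 80}),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(asset.name, asset.tier, scorecard(asset))
    for name, n, letter, floor in gaps(SAMPLE_ASSETS):
        print(f"GAP {name}: control {n} ({CONTROLS[n]}) graded {letter}, "
              f"tier requires {floor}")
```

Two design choices carry the risk-management point. An unmeasured control grades F rather than being skipped, so a control nobody is tracking cannot hide behind a green row; and the gap list is ordered by tier before control number, so a B on a crown-jewel control lands above an F on a standard asset, which is the prioritization the passage describes.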
A few other articles, linked below, cover how insurance connects security to the business, and how enterprise insurance policies relate to the 20 Critical Security Controls.
In those articles, security leaders and CFOs discuss how insurance companies are maturing in their assessment of security risk, and how the rise in claims and exposure is most likely driving them to be more specific and intrusive in their application questionnaires. Insurers are looking at the underlying business risks, and as more data becomes digital they want to minimize their own exposure.
Many security professionals don’t have the luxury of moving at their own speed. Many are being told by the CEO, the board of directors or the insurance company that they need to care. The reality is that although 81 percent of the security professionals who participated in the Ponemon survey rated their organization’s commitment to risk-based security management as ‘significant’ or ‘very significant’, 46 percent said their organization’s approach or strategy for risk-based security management is non-existent or ‘ad hoc’. Sadly, only 29 percent have a security risk management strategy that is applied consistently across the enterprise.
Perhaps frameworks like the 20 Critical Security Controls will help risk and security professionals bridge the gap between commitment and strategy implementation. For CFOs like Lang, this approach may also improve their situational awareness and help them make rational, thoughtful decisions on how to mitigate security risks.
- Gartner: Configuration Hardening Required for Security and Compliance
- The State of Risk-Based Security Management
- How Insurance Connects Security to the Business
- Enterprise Insurance Policies and the 20 Critical Security Controls
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock