Risk isn't something that many IT security professionals are comfortable with. After all, they're often employed to reduce the risk of attacks on corporate IT. But modern chief information and security officers (CISOs) are warming up to the idea of taking a certain amount of risk in order to be more effective in their jobs. Here's what you need to know.
At last week's SINET61 conference, CISOs took to the stage to talk about their decision-making process in a session titled 'Industry Professionals That Take Risks in Order to Manage Risk'. One of the topics addressed was the pressure on security executives in large organisations to continue on the trajectory that has already been set. Doing things differently often carries the risk of failure, which can have negative consequences for a company's IT security.
But the IT security space is dynamic; new technologies, solutions and strategies come out regularly and CISOs need to keep pace with these developments.
"The biggest risk at the moment is doing nothing -- you're at risk of becoming irrelevant," CSIRO CISO and lead architect Angus Vickery said at SINET61. "You have to do something to ensure you're continually relevant because the horse will bolt without you anyway.
"… Modern CISOs need to have an open mind."
One example of this is the adoption of managed cloud services for IT security. Vickery recalled that, back in the day, the only way to ensure the security of your own IT infrastructure was to build and manage it all internally, which was a costly affair. But as managed cloud services have matured, organisations are turning to external suppliers both for their security expertise and to lower the cost of building, maintaining and securing their own IT environments.
It's up to an organisation's internal security team to ensure that third-party providers are trustworthy. CISOs need to figure out how to include external suppliers in their security strategies to reduce cost without compromising the trust from internal stakeholders.
"I have to benefit our ability to create return on investment (ROI); if I can't do that, I'm just overhead and I might as well be a compliance guy," Hearst CISO and vice-president of corporate information security & risk David Hahn said at SINET61. Hearst is a multinational media group based in the US. Hahn noted that having a cohesive security program to protect a company's IT assets is vital in building credibility within an organisation. Once you have built up that trust, it will be more acceptable to take certain risks.
One risk that Hahn has taken as the CISO for Hearst is to engage with security startups instead of established vendors.
"I have a very hard time with the big established security companies," he said. "They're lazy, they've become too focused on the next quarterly earnings and they have way too many salespeople versus product people who are all trying to pitch me on the next sale. It's just mind-boggling -- it cannot work that way.
"What I like about smaller companies is that they're focused, passion-driven and they're going to build the products that I need."
Hahn admits there are drawbacks to working with smaller security companies. For one, their solutions may not be proven. Hahn said he is fortunate to be working in a private company with a chief technology officer who believes in him, which gives him more room to take risks.
Scalability is also an issue since smaller companies can only deliver so much.
"At the same time, I feel more comfortable because I feel like I'm in the driver's seat and I'm going to work with [a smaller company] and succeed or fail together -- hopefully not fail together."