'Is My Security Program Protecting My Business?' OutSecure's Pamela Gupta on Aligning Business, Security
It's an increasingly common question from CEOs. "How is our security program protecting the business?" Pamela Gupta of OutSecure shares insight on what CISOs should demonstrate when they answer that question.
A fundamental disconnect at many organizations, Gupta says, is that they believe they have a security strategy, while in fact all they truly have is a reactive security program: one that is very narrow in scope and view, a 60-degree view as opposed to 360 degrees.
"Such programs give a false sense of security," Gupta says of the typical security program she encounters. "Management thinks they have a security program; however, the programs are not geared toward protecting the key aspects of a business."
Far too many organizations fail to connect risk management and security at the highest strategic levels, she says - hence the disconnect between CEOs and CISOs over whether the organization has the right security in place.
Boards have to recognize that information protection is necessary and requires the right focus by a risk committee, not to be confused with an audit committee. Most organizations are overly audit-reliant. A security and audit synergy is very important and, if structured properly, can provide excellent value for a business. The importance of having the right stakeholders participate in setting the risk posture cannot be overstated.
In an interview about ensuring a proper security strategy, Gupta discusses:
- How to bridge the gap between CEOs and CISOs;
- How to create an agile security program that will enable a business to stay competitive;
- The critical elements of a new and agile security strategy;
- How security leaders can ensure their programs will provide the right information protection.
Gupta is President of OutSecure Inc., a company protecting people and ideas with an original and proven process for fortified business security. With a powerful resume in security program definition and strategy at major global Fortune 500 companies, Gupta founded OutSecure Inc. because she knows companies are not protecting themselves with a strategic security program built to address information protection risks unique to their environment.
Drawing upon a unique combination of more than 20 years of technical, process, policy, and business experience in leading Fortune 500 companies, Gupta provides consulting to public and private sector clients in the areas of privacy, security, cybercrime, breach management and cyber strategy. Her services include assistance to boards and senior management, security risk assessments, global compliance reviews and defining mature security programs and strategy. Her company, OutSecure Inc., is a preferred provider of security consulting services.
She actively participates and presents at security forums and was one of the original governing body members of CISO Executive Network in NY.
TOM FIELD: At the outset here, how about if you tell us a little bit about yourself and OutSecure, please?
PAMELA GUPTA: I'm a security professional with a strong track record in defining and implementing security strategy across major Fortune 500 companies for over 15 years. I founded OutSecure to support companies in creating the right security program. OutSecure is a must-use information security strategy firm for reliable protection of the business. We specialize in defining cyber risk management strategies for companies using a risk-based approach that scales to an organization's unique business model and information risk. Why is it a must-use? Because we help companies create a customized and executable security strategy, a one-two punch of security strategy, if you will.
We brought security from a 360-degree view of the information risk for a business. What does that mean? We mean customers, employees, third parties, business partners, vendors, business process and technology. Our approach is based on global security standards, and my extensive experience across companies in different sectors. It's standardized, scalable and repeatable, which gives us the efficiency required to deliver a strategy and roadmap within reach. In essence, we have commoditized security strategy creation so that it's affordable and obtainable by all.
Lack of a Security Strategy
FIELD: I've got to ask you: Don't you find that most of the organizations you deal with already have a security strategy?
GUPTA: One would think so, but the reality is most companies have a security program that's geared toward managing harsher risks to the company's information, such as attacks coming from malware, or industry-specific regulations. These are what I would call reactive programs. They're not strategic or aligned with their business. According to Carnegie Mellon, for instance, 70 percent of organizations are not connecting security and risk to the highest levels of their mission.
I'd like to give you an example without going into specifics on identity. In one of the Fortune 500 companies I was at, I observed that the company had invested millions of dollars in their security program. The main focus was protecting regulated data. One of the top executives was hired by a competitor; he stole proprietary information on a key product, one of the major revenue-generating products, and took it to the competitor so that the competitor could create a similar offering. The security program was spanning millions of dollars; however, there was no protection for intellectual property.
Let's take a look at another example, the data breach at LinkedIn. It's a web-based social networking site for business professionals around the globe, and it's no surprise that they were attacked. But for a company that collects and profits from large amounts of data to not have a strategic approach to their information risk is really surprising. At the time of the breach, they did not have a chief information security officer, and the breach was caused by a very basic security flaw.
Unfortunately, there are many other examples from all sectors, including finance, software, manufacturing, healthcare and so on. There's a growing realization of the importance of developing cybersecurity in some industries. In June this year, the Office of the Comptroller of the Currency cautioned banks to include cyber risk as part of their overall risk, such as lending and interest rate risk, when making strategic decisions. Banks were told that they'll be judged on their preparation against cyber-attacks when examiners gauge banks' operational risk. Executives are being told to train workers on potential risk posed by hackers and to be proactive in communicating risk to customers and employees. In other words, they've been told they have to look at cybersecurity risk strategically.
Bridging Gap Between CEOs, CISOs
FIELD: I recently read a blog that you wrote about CEO and CISO conversations that are not happening. Why aren't these executives talking?
GUPTA: That's a good question that I'm asking myself. One of the reasons I would think is because companies are still not realizing that information security is a business issue and not an IT issue. There has to be that realization in most companies that, for a business to survive today, it has to protect the information; they have to look at it strategically. Lloyds, for instance, creates a risk index, a survey of global C-suite and board-level executives on their perceptions of the greatest risk to the business and the level to which they believe they're prepared to deal with that. This year's Lloyds Risk Index found great awareness of cyber risk at the C-level. Cyber risk was rated number three, right after high taxation and loss of customers. Clearly, there's a need for these conversations to happen with the right stakeholders.
FIELD: Following up on that, based on your own experience, what are the conversations that executives should be having? For instance, you write that many security programs are reactive and focus solely on compliance and regulated data. What gaps does this approach create?
GUPTA: Yes. The conversation they should be having - let me take that part first. We're right now in an information age where an organization's key asset is its intellectual capital, its human resources, retained knowledge and intangible assets. The value of the intangible asset is the difference between the network value of the business and its current market capitalization. Any company that has a long-term desire to survive and succeed must focus on preserving, protecting, developing and applying its knowledge assets, its intellectual capital and information assets. Currently, the conversations that should be happening among the board, the CEO and the CISO should be centered around creating a risk agenda and control suite around the protection of the risk to the intellectual capital and information assets.
As for your second question about the gaps that get created, a compliance-centric approach is a very narrow approach to the information risk of a business. What happens in that is the security program is nonstrategic and therefore not aligned with the business. [It] does not allow a business to be agile. Since our threats are evolving rapidly, it's now more than ever that a business must be agile and capable of responding to the threat landscape. A narrow view that just focuses on compliance, for instance, leads to a lot of gaps in security and also a false sense of security for the business. McAfee reports companies are losing billions of dollars. Around 508,000 jobs are lost due to cyber-attacks. That's because companies are not taking a strategic view of protecting the business, their intellectual property and their competitive edge.
Critical Elements of New Security Strategy
FIELD: Given today's threat landscape, as well as emerging legislation, what do you find to be the critical items that must be protected by a security organization, and how ought they be doing it?
GUPTA: The first step is to define the risk architecture holistically. One has to take into consideration the operational risk, regulatory risk, financial risk, intellectual property and reputation risk. These all have to be included in a security program. Most companies are focusing on one or more but not all of these risks.
Ensuring Programs Will Provide Right Protection
FIELD: How can security leaders ensure that their programs are in sync with the business requirements?
GUPTA: Security teams have to expand their horizons and step up to the risk plate and engage the business leader to understand what the unique business risks are, and try and place cyber risk into business impact - the very worst. They have to be able to communicate how the current cyber risk landscape translates to the business impact. There has to be a two-way translation of the business. Security leaders have to understand from the business, and through the business they have to explain what's happening around them. How does it relate to business risk? The results should be a dynamic, actionable plan. There has to be a clear understanding on the role of security technology, which by itself does not protect information. Also, it's not sufficient to simply create policies and industry best practices, and this is what I see most commonly. What you have to do is to create awareness of the policies and gauge successful adoption of these policies. How are they being acted upon or implemented?
OutSecure's Role in Enhancing Security Programs
FIELD: Let's talk about OutSecure. How does OutSecure help organizations to enhance their security strategies and programs?
GUPTA: We help companies establish clarity around the types of information and processes that require protection, to maintain the competitive edge and survival, and the most cost-effective way to implement that protection. A good security program does not have to be expensive, but it has to be comprehensive. In other words, what we target is for companies to have a proactive and a strategic approach to security. This could be operational processes for a bank, product designs for manufacturing companies, research data for a healthcare company, source code for a software company, in addition to sensitive regulated data that requires protection.
FIELD: Final question for you, Pamela: You've said that OutSecure has a unique approach, a one-two punch. Can you explain what that is, please?
GUPTA: In essence, we know technology, and we understand information risks and have implemented mature security processes. If we put that together, it says why a company would be attacked; what's the information of interest; what are the vulnerability points - are they internal or external attacks; types of attackers, as in casual or targeted; and where. In other words, what's the point of penetration? Is it an ATM? Is it a database? Web application? Is it espionage? Software on desktop or a mobile application? A one-two approach is geared efficiently and comprehensively to define a security roadmap for a company. Since it's standardized, it helps us to be very cost efficient and effective, quick and comprehensive.
What is the one-two punch? One: We gather information centered on a specific business, interworking business processes, technology, etc. Two: We create a systematic security program utilizing a proprietary standardized methodology, which allows us to be very efficient, scalable and repeatable. This program is tailored to the unique business model and other things that make the business unique, such as the culture. And we deliver the punch, which is to create an actionable strategy plan within weeks that outlines measures to bridge the gap between the current state and where they need to be. This actionable strategy is tailored to protect the intellectual property, sensitive data and business processes.