BEDFORD, MA. - December 08, 2009 -
RSA, The Security Division of EMC (NYSE: EMC), today released a new research report that explores the link between CEO priorities and information security strategy, examining how a divide between an organization's CEO and its security officer can detrimentally impact its risk profile and ultimate business success.
As the fifth report in RSA's Security for Business Innovation series, Bridging the CISO-CEO Divide takes an in-depth look at what it takes to garner CEO support for a strategic information security effort. Coupled with that advice are recommendations for what CISOs should not do, taking a candid look at some potentially job-losing ways to alienate your CEO. Perhaps most importantly, the report challenges CEOs to see how their lack of support for strategic information security could unintentionally put their companies at risk.
The report is based on in-depth conversations with the Security for Business Innovation Council, whose members are the top security executives at the world's largest organizations, as well as Michael Capellas, Chairman and CEO of First Data.
"The importance of aligning security investments with the corporate agenda is now well understood," said Art Coviello, Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC. "Yet in spite of this progress, most security leaders are still struggling to convince their CEOs that security absolutely must be a core component of their business strategy. It's time to get this issue solved, and success will require both CEOs and CISOs to shift how they think, act and run their organizations."

Report Issues CISO-CEO Call to Action
Bridging the CISO-CEO Divide calls attention to the fact that many of the actions organizations are taking to survive in this economy – like using new technologies and global business models to drive efficiencies – are both innovative and risky. Never before have information security officers been in such a strong position to help their companies take the right risks in the right ways. But first they must gain the confidence and support of their CEOs. CEOs must also recognize that their companies' success in recovering from the economic downturn and thriving in the longer term depends on their companies' ability to expertly manage the risks they are taking.
Key recommendations to help security professionals gain CEO support include:
- Establish security champions within the CEO's circle of trust: Win over those who influence or interact with the CEO on a regular basis (the Board and C-level direct reports).
- Set up a clear organizational structure: The security organization should have an absolutely crystal clear organizational structure. It must be clearly articulated, socialized and institutionalized across the whole enterprise so people "get" what security does just like they "get" what other more entrenched departments, like accounting and finance, do.
- Make it real: To help the CEO understand the risk, make it real. As much as possible, CISOs should quantify the risks. Don't just give vague explanations; instead describe realistic scenarios with actual numbers for probabilities, impact and financial losses. Address these within the context of the organization’s market position, vertical industry and regulatory regime.
"You have to be able to understand risk analysis as the premise," said Michael Capellas, Chairman and CEO of First Data. "That's where you start. This is about risk. The language of business is about risk. And if you sit in a CISO position and you can't meaningfully talk about measures of risk and layers of risk, you're probably not going to be successful."
The report also serves as a wake-up call for CEOs. It underscores the need for CEOs to understand how significantly their actions and attitudes will impact the effort to protect information at their companies. To this end, the Council points out some of the top ways the CEO can unwittingly put the company at risk when it comes to information security, including:
- Setting the wrong tone at the top: If organizational leaders create a culture of apathy towards protecting information, the organization will do the same. The CEO can set the right tone by actively communicating the strategic importance of this responsibility and establishing shared accountability for the protection of information throughout the organization.
- Thinking about information security as just a technology or a compliance problem: Information security needs to be viewed as a risk management problem. When the CEO doesn't see the bigger-picture context surrounding security decisions, their company is inevitably exposed to all kinds of other risks.
- Failing to set up proper organizational responsibility: If information security ownership is not established at the appropriate level of seniority within a company, it will not be seen as serious. A role that directly impacts a company's brand, reputation and information assets should have a security leader appointed to it such as a CISO or equivalent.
CISOs and CEOs can measure their progress in strategically aligning security and business via a private ten-question interactive tool.