Discussions on Risk, Technology, Security Skills, and Leadership

Earlier this week, I participated in an IBM event in NYC that was organized and hosted by the new IBM security division. There were around 40-50 security executives present from all industries, and the topics of conversation ranged from mobile device security to the cooperative relationship between security and business executives. When you participate in an event with this type of elite group, you can't help but learn a few things. Here are a few of my observations:

1. Business executives are paying attention, at least at big, visible, and highly regulated companies. I asked a VP of Security Engineering how he communicated security details to his CEO without getting bogged down in techno-babble like IP addresses, SQL injections, and AV signatures. His response surprised me: "The CEO wants to hear the technical details in order to understand the scope of the problem." Clearly there is some translation here, but this illustrates how serious the risk is. One CISO said he now subscribes to the Wall Street Journal, BusinessWeek, Forbes, etc. so that he knows which company was breached when his CEO asks him, "Did you see the headlines in the Wall Street Journal today?"

2. IT risk management is progressing rapidly. Many of these security executives are now looking much more diligently at IT risk. This goes beyond IT assets like servers and data, all the way to business processes, user behavior, and individual threats. It means looking in detail at threats and vulnerabilities and then playing "what if" games from a multitude of angles. Very heady stuff that isn't easy. Some talked about aligning IT risk and business risk. This has been talked about for years, but it may finally be happening.

3. Mobile device security seems like it is almost always a curveball. In spite of this group's experience, leadership, and strong oversight, there's always some "gotcha" element to mobile device security.
For example, big companies often have IT personnel tied to business units and geographies. It is not unusual for these groups to establish their own policies and controls for mobile device support without central IT's blessing. Even if you nip this in the bud, it is hard to undo what's already been done, especially if it's been done differently in business units throughout the company. The other thing that's difficult here is pinning down the business case and metrics for mobile device deployment. As one CISO told me, "we have to move beyond consumer appeal and broad statements and get down to dollars and cents."

4. The security skills shortage is real. I hosted a panel on the IT security skills shortage and asked the audience to raise their hands if they were having problems hiring or retaining security staff. Almost everyone in the room raised their hands. I don't know why this issue isn't receiving more attention, as it can impact all of us.

5. CISOs are a rare and valuable breed. Great CISOs need a very diverse skill set. They have to understand IT technology, physical security, business processes, industry requirements, regulations, and legal issues for starters. This is a unique right brain-left brain skill set, and new technical, geopolitical, and socioeconomic change makes this job more specialized and difficult each day. Related to the skills discussion above, there is no good blueprint for training the next generation of CISOs. Most academic programs remain too narrow for today's requirements. There's no substitute for on-the-job training, but there should be.

This list is really the tip of the iceberg, but I'd be remiss if I didn't mention where IBM comes into this mix. First, IBM is one of few organizations that could assemble a group like this, and its security division is only around 6 months old. Second, IBM's vision of enterprise-class end-to-end security is gaining attention.
A CISO I sat next to believes that security technology will likely follow the SAP model of the 1990s, when disparate applications came together to form ERP. I concur. Finally, CISOs agree that existing security analytic tools need vast improvement. This is why IBM acquired Q1 Labs and why it is already aligning QRadar with its stable of analytic tools.

IBM is one of few companies out there with the potential to deliver a tightly integrated, highly intelligent security architecture in the next few years. CISOs seem to get this, so it is remarkable to me that many of IBM's security competitors aren't even talking about this yet.