Albuquerque, NM (PRWEB) March 18, 2015
In an interview on the Global CISO Forum Podcast, Todd Bell, VP of Enterprise Security & Architecture at Intersec Worldwide, talks about his career path as a CIO before he was a CISO, giving him a different perspective on some of the shortcomings he sees in other infosec executives. Bell sees a lot of the conflict that is common between IT departments and security executives coming down to CISOs not understanding the business impacts of the security initiatives they decide to pursue.
Another thing he thinks the infosec industry needs is more measurable indicators. He sees KPIs as being key to communicating infosec issues to the C-Suite because upper level executives don’t want to hear about the technical details of each security problem. Instead, they want to hear about how those problems could impact their business. By being clear about probability and impact, Bell thinks CISOs could create more buy-in from other executives, thereby better protecting their organizations. He ultimately sees the CISO role as “help(ing) to facilitate good risk decisions for the CEO.”
Later in the interview, Bell talks about mentoring CISOs to earn the respect of the other C-Suite executives by teaching them to speak the same language as executives, as well as by turning their departments into profit centers that contribute to the business's bottom line, saying "if there's going to be an earnings miss in your company, they are going to hit cyber security because it's not making money."
Other advice Bell has for CISOs is “Get out of your department, go talk to other departments.” He believes that CISOs who don’t fully understand their business—or who miss blind spots that could potentially turn into disastrous results for security—are misinformed because they keep themselves isolated or have tunnel vision on the departments they think are the important ones for security.
Podcasts can be downloaded on the EC-Council CISO site or via iTunes. For more information or to request a guest spot on the Global CISO Forum Podcast, please contact amber(dot)williams(at)eccouncil(dot)org.
About the EC-Council CISO Program:
EC-Council’s CISO Program has three components: CISO Events, the Certified CISO (C|CISO), and CISO Resources – a repository for white papers, podcasts, webinars and articles geared toward a CISO crowd. EC-Council’s CISO Events are invitation only and geared specifically for high-level, executive information security professionals. Combining keynotes with panel discussions, the events are opportunities for CISOs from around the world to hash out the trends and challenges of information security among their peers. The C|CISO is a certification recognizing an individual’s cumulative experience and expertise in executive information security management. Overseen by a board of seasoned and distinguished professionals, the C|CISO Program has certified over 1,100 IS executives from around the world.
For more information about EC-Council’s CISO Program, please visit ciso.eccouncil.org.
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and security skills. EC-Council is the owner and developer of the world-famous EC-Council Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (C|HFI), Certified Security Analyst (ECSA) and Licensed Penetration Tester (LPT) programs, among various others offered in over 60 countries around the globe. These certifications are recognized worldwide and have received endorsements from various government agencies, including the US Federal Government via the Montgomery GI Bill. The US National Security Agency (NSA) and the Committee on National Security Systems (CNSS) have certified EC-Council's Certified Ethical Hacking (CEH), Network Security Administrator (ENSA), Computer Hacking Forensics Investigator (CHFI), Disaster Recovery Professional (EDRP), Certified Security Analyst (E|CSA) and Licensed Penetration Tester (LPT) programs as meeting the 4011, 4012, 4013A, 4014, 4015 and 4016 training standards for information security professionals. Most recently, EC-Council has received accreditation from the American National Standards Institute (ANSI).
For more information about EC-Council, please visit http://www.eccouncil.org.