Steve Zalewski, Chief Information Security Officer for Levi Strauss & Company, discussed how to talk like a business executive when speaking to the board about security.
“I’m not here to educate you on security. You know it. What we want to do is understand how to leverage it,” stated Zalewski at the outset of his keynote presentation at the 2019 CISO Leadership Forum: Security 3.0—Shifting to Automation, held in San Francisco on April 9. “Levi Strauss makes jeans, so why should we be concerned about cybersecurity?” he asked.
“Do you understand what your business does, and can you align with the core principles of the business, not the core principles of security? I’m going to talk to you about how I became a business-aligned practitioner of security,” said Zalewski.
“We sell jeans, but we no longer have anything to do with manufacturing them. It’s just a supply chain. We’re the equivalent of a fabless chip manufacturer. Everything is outsourced. It takes us nine to 18 months to be able to put a season of jeans together—based on what we think the brand fashion will look like in 18 months—and we translate that into a supply chain to meet the need. If we get it wrong, we can’t undo made jeans that are distributed to 110 countries. Our supply chain isn’t just a distribution network. It’s a financial manipulation to maximize the value of the profit in every country, each of which has its own manufacturing rules, discount arrangements, etc.,” he explained.
“When you’re brought into a company as a security executive, leadership tells you they have an e-commerce side, they need you to protect it, and they don’t understand security, but they know you do. So, they tell you to protect it. It’s not about the data when you have to decide what to do. In my job, the impossible happens every day, so what do I do to manage that? If I talk to the board about technology, they’re not going to listen, so I tell them my job is to sell jeans and make sure the money train never stops. If the money train does stop, my second job has to do with how quickly I can identify the reason and contain those parts of the system that have been compromised to get the money train going again. If I talk about what I’m going to do to address those concerns, I’m relating to the board at a business level,” Zalewski pointed out.
“Another way to say this is that your job is to secure your company and make sure people can’t do the bad thing. Using the analogy of keeping a child from playing in the street, we need to impact the individual’s ability to have free choice. They won’t like this. In a company, this means forcing people to use multi-factor authentication, forcing them to use VPN connectivity, and forcing them to come into the office to stay on the local network. That approach doesn’t convey an understanding of what your business is and how to best manage your risks. That’s making sure the people in the company are impacted negatively because you’re taking responsibility to secure the company,” he stated.
“Alternatively, you can approach this from a business standpoint by making risk decisions on the likelihood of a negative event occurring to determine how you’re going to ride through it. Generally, this is a financial-compensation model that allows the business to survive this event. Be clear about which model you’re going to use. If you can’t talk about risk as a form of insurance policy, what you’re doing to address the likelihood of that risk, and your ability to affect that and to what extent, you’re not having the right conversation,” Zalewski observed.
“For example, if you propose introducing single sign-on that costs a million dollars and point out that everyone in your company wouldn’t need to remember 19 passwords, what have you done? You’ve created an excellent user experience, because people no longer have to remember all those passwords. At the business level—in all your IT systems—you’ve made a major reduction in the likelihood of an impact to your business—for only a million dollars. If you can’t speak that way, you’ve fallen into the trap of thinking that you, as an IT practitioner, have to defend the decision in the event you’re wrong. It’s not about being right, it’s about making the best business decision you can at the time.”