How To Convince the C-Suite To Fund An NCSF Program


The following information was obtained from an article written by KATHERINE BROCKLEHURST, Director of the Industrial Cyber Security Segment Marketing at Belden Inc.

The article describes how Larry Wilson, CISO in the UMass President's office, created a model (now called the UMass Lowell Controls Factory™ Model) using the SANS/CIS 20 Critical Security Controls and ISO/IEC 27002 (both now cited as informative references in the NIST Cybersecurity Framework) to communicate the business value these controls would deliver to the university in terms of security, resiliency and compliance.
A CISO Making Headway with the C-Suite

I recently spoke at the August SANS Critical Security Controls Summit 2013 in Washington, DC and had the good fortune to hear a talk by Larry Wilson, CISO of the University of Massachusetts on his communication and how he’s getting things to work at his institution. He has an incredible challenge.

The size and security needs of UMass would daunt many experienced CISOs, and Larry will admit to the challenges. His perspective was refreshing, and may lead to a few answers, though clearly every environment is unique.

Success with SANS (now the CIS 20 Critical Security Controls)

The initial UMass Security Program was based on the ISO/IEC 27002 controls framework; then, starting in 2011, the SANS 20 CSC were added. Today's program includes both. The ISO controls focus on program management, compliance and process from an IT auditor's perspective, while the SANS controls' focus on technology means they are better aligned with IT operations.

Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others): it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into familiar business terms and concepts relevant to management and process.

However, when he ditched trying to explain the ISO/IEC 27002 security controls framework in favor of using the SANS 20 CSC, he was able to communicate much more effectively with his C-suite for the first time in a way they could absorb and support.

In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.

Audit / Compliance CISOs Speak Executive

Wilson’s background is in audit and compliance, and I’m seeing this as a trend. CEOs and boards are seeking audit, compliance, and risk management backgrounds in their new CISOs.

Forrester notes that many organizations are hiring VPs or C-level IT Risk titles with this same background. Much of the reason is that CISOs with this audit/compliance/risk management background tend to approach their work with a higher level of business context and often with stronger communication skills than many CISOs currently demonstrate.

Add to that the clear English and business context embedded in the SANS 20 CSC descriptions, and Wilson had the tools needed to translate his security program to non-technical executives and peers. Feedback from his C-suite provides encouragement that effective CISO communication can be done.

  • One tool Wilson uses is communicating security information like financial portfolio management details. His executive team gets that. He sometimes uses the analogy of the UMass ‘security portfolio,’ with resources, performance trends, and risk factors shared with execs who are used to these financial terms and can be helped to see security assets that way.
  • Wilson took things a step further, preferring to describe his security program components and progress in terms of ‘use cases’ rather than “metrics” or other jargon natural to security practitioners. Sure, there are metrics, KPIs and performance indicators embedded, but by changing the language (really, changing the conversation) Wilson has been able to get through to his executive teams. And he's not stopping there.
  • Wilson is working to share his experience with the SANS 20 CSC across affiliate universities in Massachusetts and Rhode Island, as well as to help them along as they adopt the SANS Top 20. He is additionally developing suggestions for SANS on automation and measurement for the critical controls, plus the specific reporting needed so it doesn't take endless days to gather and analyze data for executive consumption.

We need more of this kind of insight from security community CISOs on the firing line. I'll suggest that the ability to communicate effectively at an executive level is a ‘soft skill’ infrequently present in IT Security leadership, and one we need to see as part of the business-side curriculum for new security professionals.

More information on the UMass Lowell Controls Factory™ Model accredited certification training programs can be obtained by reaching out to

Copyright © 2017 itSM Solutions LLC