Hosted by What the CEO REALLY thinks about Security and what you can do to influence him/her......

Hosted by What the CEO REALLY thinks about Security and what you can do to influence him/her. . . Thornton May, Researcher, Career Therapist Futurist


Page 1:

What the CEO REALLY thinks about Security and what you can do to influence him/her...

Thornton May, Researcher, Career Therapist Futurist

Page 2:

Let’s Level Set with Three Audience Response Questions

Page 3:

[Audience response chart. Values shown: 35%, 28%, 32%, 3%, 0%, 2%, 0%; axis: options 1 to 7]

With regards to Information Security, is your CEO…

1. A September 10th kind of guy [e.g., operating in a fashion similar to that prior to the terrorist attacks on September 11th]

2. A September 11th kind of guy [e.g., operating in crisis/reactive mode – playing catch up]

3. A September 12th kind of guy [e.g., has a plan and is executing it]

4. Other

Page 4:

[Audience response chart. Values shown: 5%, 19%, 76%; axis: options 1 to 3]

How many times would your CEO have to take the Certified Information Systems Security Professional (CISSP) test before receiving certification?

1. Once. He/she ‘owns’ this security stuff

2. Three times. Once to understand the test, twice to get the kinks out, the third time he/she would ace it

3. Billions and billions [the galaxy will have stopped expanding]

Page 5:

[Audience response chart. Values shown: 26%, 39%, 35%; axis: options 1 to 3]

How many sales calls would your CSO need to go on before he/she could sell your organization’s primary product/service to a qualified prospect?

1. Once. He/she ‘groks’ to how money is made around here

2. Three times. One to understand the gig, two to get the kinks out, the third time he/she would have them eating out of their hands

3. Billions and billions [the galaxy will have stopped expanding]

Page 6:

What Do Your Responses to These Three Questions Tell Us?

Page 7:

Says a little something about the ‘maturity’ levels of CEO infosec thinking

Says a little something about the ‘perceived’ business savvy of infosec practitioners

Page 8:

What Is Going On Inside the ‘Head’ of Your CEO…

Page 9:

CEO Über-Truth #1

Not all CEOs are alike…

Page 10:

CEO Über-Truth #1

Not all CEOs are alike…

Page 11:

What is the first thing on most CEO/MD’s Minds?

1. Doing Their Job?

2. Keeping Their Job?

3. Other?

Page 12:

That On-Demand Stuff Can Be Tricky…

All-you-can-eat was too much

Red Lobster's chief is ousted after a crab promotion loses money. BENITA D. NEWTON, St. Petersburg Times (September 26, 2003)

Darden Restaurants of Orlando replaced the president of Red Lobster. The move came after management vastly underestimated how many Alaskan crab legs customers would consume…

"It wasn't the second helping, it was the third one that hurt," company chairman Joe R. Lee said in a conference call with analysts.

Page 13:

That On-Demand Stuff Can Be Tricky…

"Yeah, and maybe the fourth," added Dick Rivera, Darden's chief operating officer. Rivera has taken over as president of Red Lobster.

Former president Edna Morris, 51, who oversaw the crabfest, has left "to pursue other interests," the company said.

Page 14:

Where Do Senior Executives Spend Their Time?

Source: Author’s survey of CEO/CGO and senior divisional directors time

Percentage of Time Spent on Activities That Are Low Value-Added, High Value-Added

Reactive Problem-Solving and Discovery Meetings: 30%

Related Political Activity: 15-20%

Administration and Administrative Leadership: 30%

Decision-Making and Strategy: 5%

Dealing with Customers: 5%

Dealing with Suppliers: 5%

Visiting Operations: <5%

Coaching and Team Building: <5%

TOTAL: 20-25%, 75-80%

Page 15:

Work to Be Done

Economists

Time Available for Work

MBA’s

Page 16:

Defining Reality of the World CEOs Live In: “They Will Always Be Behind!”

Work to Be Done

Time Available for Work

How CEOs Feel Most Days...

Page 17:

What Is The First Thing Infosec Professionals Ask of Their CEO…?

Page 18:

Is There a Way to Give the CEO back some time?

Page 19:

What Is The Next Thing Infosec Professionals Ask of Their CEO…?

Page 20:

The difference between the Yankees’ and A’s opening day payrolls had ballooned from $62 million in 1999 to $90 million in 2002.

The bottom of each division was littered with teams that had spent huge sums and failed spectacularly. On the other end of the spectrum was Oakland. For the past several years, working with either the lowest or next to lowest payroll in the game, the Oakland A’s had won more regular games than any other teams…

It is Not How Much You Spend, It is How Smart You Spend

Michael Lewis, MoneyBall: The Art of Winning an Unfair Game, 123.

The teams in the American League West, finished in inverse order to their payrolls.

Wins Losses Games Behind Payroll

Oakland 103 59 - $ 41,942,665

Anaheim 99 63 4 $ 62,757,041

Seattle 93 69 10 $ 86,084,710

Texas 72 90 31 $106,915,180

Page 21:

What Can You Do To Influence Behavior?

Page 22:

Influence Multiplier #1

Understand and manage the political situation

Page 23:

Stakeholder Analysis

[Matrix. Axes: Resources (Low to High), Agreement (Low to High). Quadrant labels: Blockers, Champions, Allies, ‘Squids’]

Page 24:

Don’t Champion ‘Big Ideas’ That Can’t Be Operationalized

Michael Porter got his Ph.D. in Economics from Harvard; walked over to the Business School and started analyzing the structure of industry. His empirical base for his model was 1945-1975. A period unique in economic history for its lack of competition. All the companies studied were essentially oligopolists.

Porter’s model can’t be operationalized.

Porter’s model says that the best way to compete is not to compete – to become a monopolist.

Influence Subtractor #1

Page 25:

Don’t Lose Sight of the Root Issue

Sherlock Holmes and Dr. Watson go camping, and pitch their tent under the stars. During the night, Holmes wakes his companion and says:

'Watson, look up at the stars, and tell me what you deduce.'

Watson says:

'I see millions of stars, and even if a few of those have planets, it's quite likely there are some planets like Earth, and if there are a few planets like Earth out there, there might also be life.'

Influence Subtractor #2

Page 26:

Holmes replies:

'Watson, you idiot. Somebody stole our tent'.

Page 27:

Security is not a 100 yard dash…

It is a marathon.

You have to finish the race!

Do not rush things.

Influence Multiplier #2

Understand and Be Able to Explain Time Lines…

Page 28:

CEOs Like to Know How Long Do Things/Should Things Stay the Same?

Site

Structure

Skin

Services

Space Plan

Stuff

How Buildings Learn, 1994

20 years or so

30 to 300 years

7-15 years

3 years or so

daily / monthly

The rebuilding of American cities, for example, involves a 35 year cycle. The expansion of medical services involves 15 year planning [the time it takes to enter college and complete medical board exams]. H. Kahn & A. Wiener, The Year 2000: A Framework for Speculation on the Next Thirty-Three Years (1967).

Page 29:

“May-san, Mondai ga Arimasu yo!” [“Mr. May, there is a problem!”]

The Importance of Managing Technology Time Lines

Page 30:

Human capabilities will be augmented by computer implants

In the past, we used to have to go to special rooms to compute.

Now we carry our computers [laptops] with us

Wearable computers

One in ten Americans had some non-dental implant – from pacemakers to artificial joints in 2002.

2003

2005 - 2007

2010

Page 31:

As computers start to control key bodily functions, world opinion will start to mobilize

Security is an increasingly visible, increasingly objected to cost devouring >5% of the IT budget in most Global 2000 organizations

Security is a source of competitive advantage

2003, 2009, 2011

2006

Security is a legally mandated cost of doing business. Graduates of degree granting programs receiving federal funding will be required to pass a basic cyber security competency exam.

Page 32:

At a recent World Bank technology conference, “world opinion” was labeled as “the second super power.”

Page 33:

Influence Multiplier #3

Understand and be prepared to influence ‘the opinions’ of those in the CEO’s inner circle

Influence Subtractor #3

Don’t get caught in the ‘awareness’ trap or the ‘analyst says’ trap

Page 34:

Survey of CXOs, April 2002

“Do you think it will be good for the future of your organization, if senior executives played a more active role in shaping and deploying information security programs.”

91% said, “yes.”

Three months later we visited these executives and asked, “Has your behavior/involvement changed?”

94% said, “no.”

Behavior Change is the Career High Ground

Page 35:

Believing that you can DO Information security alone.

Influence Subtractor #4

Page 36:

CSO As Tech Messiah Has To End!

Page 37:

Believing that ‘Smart’ technology will keep ‘Stupid’ Suits safe

Influence Subtractor #5

Page 38:

Believing “Muggles” Do Not Want to Participate in Infosec Decision Making

Influence Subtractor #6

Page 39:

Lessons in Consumer Behavior

“With the opportunity to stir and maybe add a dash of hot sauce or a pinch of herbs, these meals allow ‘convenient involvement.’ It’s what our research people tells us people want.”

Stephanie Fagnami, Editor, Supermarket News

“Consumers want to be able to say, ‘Look what I made’ after doing as little as possible.”

Rosalyn Z. O’Hearn, director of Brand affairs for the prepared food division of Nestle USA.


Page 41:

The Hubris of ‘Expertise’ Causes a lot of problems

Influence Subtractor #7

Page 42:

Reciprocation – what do we give them such that they feel obligated to give us back the desired form of behavior

Scarcity – many CEOs think there is some kind of Security 7-11 they can run out to when they run out

Authority – security folks aren’t viewed as being credible. Cassandra’s crying wolf

Commitment – people want to make good on what they have committed to

Consistency – people want to be seen as being consistent in their actions

Consensus – in the absence of strong personal belief, people follow the crowd

Liking – people like to work with people they like

Security ‘Volk’ Are Giftedly Bad at the 7 Arts of Persuasion

Page 43:

Believing Time Should Not Be Wasted on Professionally Packaging Infosec ‘Messages’

Influence Subtractor #8

Page 44:

Jerry Della Femina, Chairman, Della Femina/Rothschild/Jeary & Partners New York, Advertising Age (May 14, 2001), 3.

“Don’t promise violence and not deliver it. They should have had one player on each team with a gun.

And the cheerleaders should have been naked.

You have to have a product. They promised a lot. They talked a lot. They got great trial. They didn’t deliver.”

Page 45:

Be sensitive to “mindsets” [i.e., how people think].

Try to change how people think

Influence Multiplier #4

Page 46:

The Weather Channel changed the weather-information landscape in a number of ways.

Severe storm coverage became riveting, breaking news and the channel’s meteorologists became minor celebrities.

But the Weather Channel had a far more profound impact on mainstream culture.

“Weathering the Internet Storm,” Fast Company [December 2000], 190.

Page 47:

It didn’t just feed farmers, pilots, and weather enthusiasts who had been hungry for more information.

It created weather consumers by convincing ordinary people that they needed more weather information…

‘people now talk about high-pressure and low pressure systems,’ says chief operating officer Todd Walrath, 34.

‘You can’t imagine that conversation happening twenty years ago.’

“Weathering the Internet Storm,” Fast Company [December 2000], 86

Page 48:

A Huge Fork in the Road

What the Future Holds

Page 49:

Guardent Discourses (New York Academy of Sciences, February 7, 2001).

Society is confused regarding how they should live their digital lives.

We lack the experience set that has historically driven the creation of common sense.

As such we lack behavioral compasses for the Internet Age.

Page 50:

Early Days of Digital Evolution

We are in truth at the very beginning of the digital age. The middle class is just now waking up to the fact that they need to know more about the computers they use.

Just as the first ‘accidental’ farmers changed behaviors from hunting and gathering, so too is it inevitable that ‘primitive’ computer users will ultimately evolve more sophisticated information management behaviors.

Thornton May speaking with David Sloan Wilson, author of Darwin’s Cathedral: Evolution, Religion and the Nature of Society at the Marschak Colloquium, UCLA [October 4, 2002]

First Wave: Agrarian Age

Second Wave: Industrial Age

Third Wave: Information Age

Page 51:

The Darwinistic forces of information natural selection [e.g., which behavioral adaptations create a competitive advantage for survival] are only now beginning to exert themselves.

However, good computing practice has not yet become a career/life success genome.

Evolutionarily speaking, this means most consumers are currently ‘unfit’ for their digital environment.

Thornton May speaking with David Sloan Wilson, author of Darwin’s Cathedral: Evolution, Religion and the Nature of Society at the Marschak Colloquium, UCLA [October 4, 2002]

Page 52:

“The only thing necessary for the triumph of evil is for good men to do nothing.”

Edmund Burke, 18th Century British Statesman

Page 53:

‘…these characters are all working themselves to death. As television dramas have become more realistic, they have increasingly depicted adults as stressed out, physically exhausted and in almost constant moral agony, often fighting uphill battles against the idiots at their hospitals, law offices, precincts and other workplaces.’

Anita Gates, “Men on TV: Dumb as Posts And Proud of It,” New York Times (April 9, 2000), Section 2, page 1.

Does Work Suck?

Page 54:

[Audience response chart. Values shown: 25%, 25%, 25%, 25%; axis: options 1 to 4]

Please characterize your current career situation . . .

1. Working myself to death [moral agony, fighting uphill battles with idiots]

2. Working hard, making moderate progress [things could be worse]

3. Pretty Satisfied With How Things Are going

4. Totally Switched On – Loving what you are doing

Page 55:

“Hey, let's be careful out there.”