What%20the%20CEO%20REALLY%20thinks%20about%20Security%20and%20what%20you%20can%20do%20to%20influence%20him/her.%20.%20.

1
What the CEO REALLY thinks about Security and
what you can do to influence him/her. . .

• Thornton May, Researcher, Career Therapist
• Futurist

2
Lets Level Set with Three Audience Response
Questions
3
With regards to Information Security, is your
CEO
Hosted by

1. A September 10th kind of guy (e.g., operating in
   a fashion similar to that prior to the terrorist
   attacks on September 11th
2. A September 11th kind of guy e.g., operating in
   crisis/reactive mode playing catch up
3. A September 12th kind of guy e.g., have a plan
   and is executing it
4. Other

Cross-Tab Label
0 / 500
4
How many times would your CEO have to take the
Certified Information Systems Security
Professional (CISSP) test before receiving
certification?
Hosted by

1. Once. He/she owns this security stuff
2. Three times. Once to understand the test, twice
   to get the kinks out, the third time he/she would
   ace it
3. Billions and billions the galaxy will have
   stopped expanding

Cross-Tab Label
0 / 500
5
How many sales calls would your CSO need to go on
before he/she could sell your organizations
primary product/service to a qualified prospect?
Hosted by

1. Once. He/she groks to how money is made around
   here
2. Three times. One to understand the gig, two to
   get the kinks out, the third time he/she would
   have them eating out of their hands
3. Billions and billions the galaxy will have
   stopped expanding

Cross-Tab Label
0 / 500
6
What Do Your Responses to These Three Questions
Tell Us?
7
Says a little something about the maturity
levels of CEO infosec thinking
Says a little something about the perceived
business savvy of infosec practitioners
8
What Is Going OnInside the Head of Your CEO
9
CEO Über-Truth 1
Not all CEOsare alike
10
CEO Über-Truth 1
Not all CEOsare alike
11

1. Doing Their Job?
2. Keeping Their Job?
3. Other?

What is the first thing on most CEO/MDs Minds?
12
That On-Demand Stuff Can Be Tricky
All-you-can-eat was too muchRed Lobster's chief
is ousted after a crab promotion loses money.
BENITA D. NEWTON, St. Petersburg Times
(September 26, 2003)Darden Restaurants of
Orlando replaced the president of Red Lobster.
The move came after management vastly
underestimated how many Alaskan crab legs
customers would consume "It wasn't the second
helping, it was the third one that hurt," company
chairman Joe R. Lee said in a conference call
with analysts.
13
That On-Demand Stuff Can Be Tricky
"Yeah, and maybe the fourth," added Dick Rivera,
Darden's chief operating officer. Rivera has
taken over as president of Red Lobster.Former
president Edna Morris, 51, who oversaw the
crabfest, has left "to pursue other interests,"
the company said.
14
Where Do Senior Executives Spend Their Time?
Percentage of Time Spent on Activities That Are
Low Value-Added
High Value-Added
30
Reactive Problem-Solving and Discovery Meetings
15-20
Related Political Activity
Administration and Administrative Leadership
30
Decision-Making and Strategy
5
Dealing with Customers
5
Dealing with Suppliers
5
lt5
Visiting Operations
lt5
Coaching and Team Building
20-25
75-80
TOTAL
Source Authors survey of CEO/CGO and senior
divisional directors time
15
Economists
MBAs
Work to Be Done
Time Available for Work
16
How CEOs Feel Most Days...
Work to Be Done
Time Available for Work
Defining Reality of the World CEOs Live In They
will Always Behind!
17
What Is The First Thing Infosec Professionals
Ask of Their CEO?
18
Is There a Way to Give the CEO back some time?
19
What Is The Next Thing Infosec Professionals Ask
of Their CEO?
20
It is Not How Much You Spend, It is How Smart You
Spend
The teams in the American League West, finished
in inverse order to their payrolls. Wins Losses
Games Behind Payroll Oakland 103 59
- 41,942,665 Anaheim 99 63 4
62,757,041 Seattle 93 69 10
86,084,710 Texas 72 90
31 106,915,180
The difference between the Yankees and As
opening day payrolls had ballooned from62
million in 1999 to 90 million in 2002. The
bottom of each division was littered with teams
that had spent huge sums and failed
spectacularly. On the other end of the spectrum
was Oakland. For the past several years, working
with either the lowest or next to lowest payroll
in the game, the Oakland As had won more regular
games than any other teams
Michael Lewis, MoneyBall The Art of Winning an
Unfair Game, 123.
21
What Can You Do To Influence Behavior?
22
Influence Multiplier 1
Understand and manage the political situation
23
Stakeholder Analysis
Blockers
Champions
Allies
Squids
24
Dont Champion Big Ideas That Cant Be
Operationalized
Influence Subtractor 1
Michael Porter got his Ph.D in Economics from
Harvard walked over to the Business School and
started analyzing the structure of industry. His
empirical base for his model was 1945-1975. A
period unique in economic history for its lack of
competition. All the companies studied were
essentially oligopolists.   Porters model cant
be operationalized.   Porters model says that
the best way to compete is not to compete to
become a monopolist.
25
Dont Lose Sight of the Root Issue
Influence Subtractor 2
Sherlock Holmes and Dr. Watson go camping, and
pitch their tent under the stars. During the
night, Holmes wakes his companion and
says'Watson, look up at the stars, and tell me
what you deduce.'Watson says 'I see millions
of stars, and even if a few of those have
planets, it's quite likely there are some planets
like Earth, and if there are a few planets like
Earth out there, there might also be life.'
26
Holmes replies 'Watson, you idiot. Somebody
stole our tent'.
27
Security is not a 100 yard dashIt is a
marathon.You have to finish the race! Do not
rush things.
Influence Multiplier 2
Understand and Be Able to Explain Time Lines
28
CEOs Like to Know How Long Do Things/Should
Things Stay the Same?
The rebuilding of American cities, for example,
involves a 35 year cycle. The expansion of
medical services involves 15 year planning the
time it takes to enter college and complete
medical board exams. H.Kahn A. Wiener, The Year
2000 A Framework for Speculation on the Next
Thirty-Three years (1967).
29
The Importance of Managing Technology Time Lines
May-san, Mondai ga Arimasu yo!
30
2005 - 2007
2010???
Human capabilities will be augmented by computer
implants
???2003
31
2003
2009
2011
Security is an increasingly visible, increasingly
objected to cost devouring gt5 of the IT budget
in most Global 2000 organizations
Security is a source of competitive advantage
As computers start to control key bodily
functions, world opinion will start to mobilize
2006
Security is a legally mandated cost of doing
business. Graduates of degree granting programs
receiving federal funding will be required to
pass a basic cyber security competency exam.
32
At a recent World Bank technology
conference,world opinionwas labeled as
the second super power.
33
Understand and be prepared to influence the
opinions of those in the CEOs inner circle
Influence Multiplier 3
Influence Subtractor 3
Dont get caught in the awareness trap/ or the
analyst says trap
34
Behavior Change is the Career High Ground

• Do you think it will be good for the future of
  your organization, if senior executives played a
  more active role in shaping and deploying
  information security programs.

91 said, yes.
Three months later we visited these executives
and asked, Has your behavior/involvement
changed?
94 said, no.
Survey of CXOs, April 2002
35
Influence Subtractor 4
Believing that you can DO Information security
alone.
36
CSO As Tech Messiah Has To End!
37
Influence Subtractor 5
Believing that Smart technology will keep
Stupid Suits safe
38
Influence Subtractor 6
Believing Muggles Do Not Want to Participate in
Infosec Decision Making
39
Lessons in Consumer Behavior
With the opportunity to stir and maybe add a
dash of hot sauce or a pinch of herbs, these
meals allow convenient involvement. Its
what our research people tells us people want.  
Consumers want to be able to say, Look what I
made after doing as little as possible.
Rosalyn Z. OHearn, director of Brand affairs
for the prepared food division of Nestle USA.
Stephanie Fagnami, Editor, Supermarket News
40
(No Transcript)
41
Influence Subtractor 7
The Hubris of Expertise Causes a lot of
problems
42
Security Volk Are Giftedly Bad at the 7 Arts of
Persuasion
 Reciprocation -- what do we give them such that
they feel obligated to give us back the desired
form of behavior Scarcity many CEOs think there
is some kind of Security 7-11 they can run out to
when they run out Authority security folks
arent viewed as being credible. Casandras
crying wolf Commitment people want to make
good on what they have committed to Consistency
people want to be seen as being consistent in
their actions Consensus in the absence of
strong personal belief, people follow the
crowd  Liking people like to work with people
they like
43
Influence Subtractor 8
Believing Time Should Not Be Wasted on
Professionally Packaging Infosec Messages
44
Dont promise violence and not deliver it. They
should have had one player on each team with a
gun. And the cheerleaders should have been
naked. You have to have a product. They
promised a lot. They talked a lot. They got
great trial. They didnt deliver.
Jerry Della Femina, Chairman , Della
Femina/Rothschild/Jeary Partners New
York, Advertising Age (May 14, 2001), 3.
45
Influence Multiplier 4
Be sensitive to mindsets i.e., how people
think. Try to change how people think
46
The Weather Channel changed the
weather-information landscape in a number of
ways. Severe storm coverage became riveting,
breaking news and the channels meteorologists
became minor celebrities. But the Weather
Channel had a far more profound impact on
mainstream culture.
Weathering the Internet Storm, Fast Company
December 2000, 190.
47
It didnt just feed farmers, pilots, and weather
enthusiasts who had been hungry for more
information. It created weather consumers by
convincing ordinary people that they needed more
weather informationpeople now talk about
high-pressure and low pressure systems, says
chief operating officer Todd Walrath, 34. You
cant imagine that conversation happening twenty
years ago.
Weathering the Internet Storm, Fast Company
December 2000, 86
48
What the Future Holds
A Huge Fork in the Road
49
Society is confused regarding how they should
live their digital lives. We lack the experience
set that has historically driven the creation of
common sense. As such we lack behavioral
compasses for the Internet Age.
Guardent Discourses (New York Academy of
Sciences, February 7, 2001).
50
Early Days of Digital Evolution
We are in truth at the very beginning of the
digital age. The middle class is just now waking
up to the fact that they need to know more about
the computers they use. Just as the first
accidental farmers changed behaviors from
hunting and gathering, so too is it inevitable
that primitive computers users will ultimately
evolve more sophisticated information management
behaviors.
Thornton May speaking with David Sloan Wilson,
author of Darwins Cathedral Evolution,
Religion and the Nature of Society at the
Marschak Colloquium, UCLA October 4, 2002
51
The Darwinistic forces of information natural
selection e.g., which behavioral adaptations
create a competitive advantage for survival are
only now beginning to exert themselves.
However, good computing practice has not yet
become a career/life success genome.
  Evolutionarily speaking, this means most
consumers are currently unfit for their digital
environment.
Thornton May speaking with David Sloan Wilson,
author of Darwins Cathedral Evolution,
Religion and the Nature of Society at the
Marschak Colloquium, UCLA October 4, 2002
52
The only thing necessary for the triumph of evil
is for good men to do nothing.
Edmund Burke, 18th Century British Statesmen
53
Does Work Suck?
these characters are all working themselves to
death. As television dramas have become more
realistic, they have increasingly depicted adults
as stressed out, physically exhausted and in
almost constant moral agony, often fighting
uphill battles against the idiots at their
hospitals, law offices, precincts and other
workplaces.
Anita Gates, Men on TV Dumb as Posts And Proud
of It, New York Times (April 9, 2000), Section
2, page 1.
54
Please characterize your current career situation
. . .
Hosted by

1. Working myself to death moral agony, fighting
   uphill battles with idiots
2. Working hard, making moderate progress things
   could be worse
3. Pretty Satisfied With How Things Are going
4. Totally Switched On Loving what you are doing

Cross-Tab Label
0 / 500
55
Thorntonamay_at_aol.com
Hey, let's be careful out there.