February 2, 2015 (updated 21 Oct 2016 5:35pm)

Could you cut it as a CISO?

Analysis: Is the Chief Information Security Officer about to steal the boardroom from the CIO?

By Sam

As cybersecurity fears rise, CISOs are in demand but it takes more than adding an ‘S’ to CIO.

Greg Davis, Associate Partner at IBM UK’s Security Division, has watched the rise of the CISO inside the FTSE 350 companies.

He walks us through what the role should and shouldn’t be and what to expect from the board inside a large enterprise.

CBR: What is the CISO role inside a large end user enterprise?
Greg Davis, IBM: The role of the CISO is a fast developing one. While it is new to many organisations some CISOs have been in place for over 10 years.

However the role of that individual has changed rapidly.

There are a number of key characteristics that the board is looking for from the individual in that role.

I use the analogy of the personal trainer.

An individual uses a personal trainer to reach a level of fitness to achieve certain functions according to lifestyle choices.

The same is true of organisations.

It is not about becoming a supreme athlete but it is about being healthy enough in the right areas to weather the storm when it comes.

In the CISO role one has to understand the organisation as a security expert but equally important is understanding the sector.

It is not easy to transfer from a CISO role in, say, a retail outfit to a banking outfit because of different cultural and business outlooks.

Ask yourself: "How would I make the organisation secure enough to match the risk profile that the board are looking for? Factors include the size of organisation and the risk appetite of the company."

It is about understanding the big picture in terms of business requirements.

Everyone is under pressure to grow the business.

That means it is no longer acceptable for a CISO to say – "No, you can’t have this online functionality or you can’t have these mobile phones because they are not secure."

Once there was a time when security could say no. Security now has to say yes – while understanding proportionality and risk management.

CBR: How would you encapsulate a typical mandate for a CISO for a FTSE 350 organisation?
GD: I think about if I was looking to hire a CISO, what am I looking for in skills, attitude and ability?

Firstly, does he or she understand my language? Can they speak a non-security language that I as a board member can grasp?

There exists a communication problem between the board and the security community. The security professional has never had to speak to the board who in turn don’t like it because they are not used to the security culture.

The board member is thinking: "Do they understand what I want and can she or he explain what they are doing in a way that I can understand?"

There’s a concept of strategy: "Does he or she understand the business well enough so they can put in the security controls that matter to me?"

There is not a business executive in the world that wants to be the best at security.

CBR: How would the mandate change post attack?
GD: Once attacked, the pressure on the individual CISO role becomes suddenly heightened to a level you would not believe.

After an attack CISOs are spending days with the board.

Some boards will say: Explain to me what happened.

But a good CISO will think: "What I really want to say is ‘this is happening and will continue to happen because this is not something that can be fixed by doing x, y, or z.’"

The wrong attitude for a CISO is to think – we had a problem and I’ve fixed it.

That’s just lining up for a problem the next time it does happen.

The attitude should be: "We had a problem, we recovered from that problem. We’re taking these steps to ensure that when the problem happens again – which it will – we can respond quickly, with more resilience."

That’s the message to give to the board.

The mandate becomes an advisory function to say "I know what you want. I can’t fix the problem but I can address the issue about how secure we are and we’re progressing through that. It doesn’t become an end game."

IBM’s CISO Study Facts and Stats
Most Organisations Struggling to Defend Against Sophisticated Cyber Attacks
More than 80 percent of security leaders believe the challenge posed by external threats is on the rise
60 percent agree that the sophistication of attackers is outstripping the sophistication of their organization’s defenses
Sophisticated external threats were identified by 40 percent of security leaders as their top challenge with regulations coming in a distant second at just under 15 percent.
Source: IBM’s Global CISO Study

CBR: Is the board more receptive to that message? (as opposed to the break fix message that was dominant until recently)
GD: That is dependent on the industry and who the board are. We have industries where the board is definitely listening and understands and I could give other examples where the board says: "That’s not the answer I’m looking for, give me a different one – go and fix the problem."
Of course that’s the last thing you want to hear because it suggests he or she doesn’t understand the problem.

CBR: With regard to the UK Regulatory environment – do CISOs spend a lot of time addressing changing regulatory issues?
GD: Globally there are one thousand standards. This tells you something straight away. We haven’t quite grasped which are the right ones. They vary by capability – e.g. PCI capability standards are mature.

The ones used in the UK are good – but what they don’t do is give you the answers.

A set of standards should be taken as just that. This is good practice. Compliance doesn’t make you secure.

I need to take the best of breed from all standards – say a top ten – a smart CISO will take the 5-10 standards best suited to his needs and tailor his security framework based on a number of best of breed examples from those standards and he’d use those as a benchmark.

And for each standard within that set of policies he’ll want to achieve a certain level of maturity.

Does this policy help? It does but only goes so far. You need to go past that and find something that is unique to your organisation.

So if you really care about physical security – or you might want to focus on securing your data sets in your server centre.

So it’s about building your own unique set of standards based on world class standards.

CBR: What is UK government going to do?
GD: It doesn’t look like they are going to take any responsibility for the cybersecurity of UK plc when it comes to enterprises – the feeling is, that’s your enterprise, that’s your challenge to make yourself secure. We’ll give you best practice.

And if you’ve read the UK Cyber Essentials document – they’re fairly high level – so most CISOs will look at that and say – ‘well I knew that.’

It is a one-way discussion – the UK government tends to say – what do you know about all the threats that are out there and by the way – best of luck with your security.

Whether it’s because government doesn’t want to take responsibility for the problem, I can’t say.

CBR: Do global events affect the CISO?
GD: They do influence the day to day role of the CISO – and they should. CEOs and CIOs see the same press coverage about a breach or a loss. And they’ll get on the phone to their CISO and say: "What happened to company X, that’s not going to happen to us."

Part 2 – to be published Feb 11th 2015
