As cybersecurity fears rise, CISOs are in demand but it takes more than adding an ‘S’ to CIO.
Greg Davis, Associate Partner at IBM UK’s Security Division, has watched the rise of the CISO inside the FTSE 350 companies.
He walks us through what the role should and shouldn’t be and what to expect from the board inside a large enterprise.
CBR: What is the CISO role inside a large end-user enterprise?
Greg Davis, IBM: The role of the CISO is a fast-developing one. While it is new to many organisations, some CISOs have been in place for over 10 years.
However, the role of that individual has changed rapidly.
There are a number of key characteristics that the board is looking for from the individual in that role.
I use the analogy of the personal trainer.
An individual uses a personal trainer to reach a level of fitness to achieve certain functions according to lifestyle choices.
The same is true of organisations.
It is not about becoming a supreme athlete but it is about being healthy enough in the right areas to weather the storm when it comes.
In the CISO role one has to understand the organisation as a security expert but equally important is understanding the sector.
It is not easy to transfer in a CISO role from, say, a retail outfit to a banking outfit because of different cultural and business outlooks.
Ask yourself: "How would I make the organisation secure enough to match the risk profile that the board are looking for?" Factors include the size of the organisation and the risk appetite of the company.
It is about understanding the big picture in terms of business requirements.
Everyone is under pressure to grow the business.
That means it is no longer acceptable for a CISO to say – "No, you can’t have this online functionality or you can’t have these mobile phones because they are not secure."
Once there was a time when security could say no. Security now has to say yes – while understanding proportionality and risk management.
CBR: How would you encapsulate a typical mandate for a CISO in a FTSE 350 organisation?
GD: I think about it as if I were looking to hire a CISO: what am I looking for in skills, attitude and ability?
Firstly, does he or she understand my language? Can they speak a non-security language that I, as a board member, can grasp?
There exists a communication problem between the board and the security community. The security professional has never had to speak to the board, who in turn don’t like it because they are not used to the security culture.
The board member is thinking: "Do they understand what I want, and can she or he explain what they are doing in a way that I can understand?"
There’s a concept of strategy: "Does he or she understand the business well enough so they can put in the security controls that matter to me?"
There is not a business executive in the world that wants to be the best at security.
CBR: How would the mandate change post-attack?
GD: Once attacked, the pressure on the individual CISO role becomes suddenly heightened to a level you would not believe.
After an attack CISOs are spending days with the board.
Some boards will say: "Explain to me what happened."
But a good CISO will think: "What I really want to say is ‘this is happening and will continue to happen because this is not something that can be fixed by doing x, y or z.’"
The wrong attitude for a CISO is to think: "We had a problem and I’ve fixed it."
That’s just lining up for a problem the next time it does happen.
The attitude should be: "We had a problem, we recovered from that problem. We’re taking these steps to ensure that when the problem happens again – which it will – we can respond quickly, with more resilience."
That’s the message to give to the board.
The mandate becomes an advisory function to say: "I know what you want. I can’t fix the problem, but I can address the issue of how secure we are, and we’re progressing through that. It doesn’t become an end game."
IBM’s CISO Study Facts and Stats
Most Organisations Struggling to Defend Against Sophisticated Cyber Attacks
More than 80 percent of security leaders believe the challenge posed by external threats is on the rise
60 percent agree that the sophistication of attackers is outstripping the sophistication of their organization’s defenses
Sophisticated external threats were identified by 40 percent of security leaders as their top challenge, with regulations coming in a distant second at just under 15 percent.
Source: IBM’s Global CISO Study
See Page 2 for how the board will react, and on not expecting help from the UK government.
This article is from the CBROnline archive: some formatting and images may not be present.