You have to wonder who would choose to be a CISO. Since the creation of the chief information security officer role a decade ago, the position has sat somewhere between the IT team and the board, prompting many in cybersecurity to question what it actually entails.
That such ambiguity should persist at a time when cybersecurity is indisputably becoming more important to business is a problem, and one that has led many in the industry to question whether the job, which has only existed for a decade or so, has a future at all.
"The CISO role itself hasn’t evolved," said Robert Morgan, CISO of the bank BNP Paribas UK, speaking at the European Information Security Summit in Westminster. "But what has evolved is the perception of security in the business sense."
That perception is that as companies digitise their assets, the ability to lock them down becomes increasingly important – a view confirmed by attacks on companies as large (and allegedly tech-savvy) as eBay, JP Morgan and Sony. Meetings between executives and regulators are also stoking a sense of paranoia.
"They come back from meetings with a regulator scared to death because they heard words they don’t understand," Morgan added. "But from my perspective it’s good, because when they are scared they talk more and they listen."
The trouble is this desire for more information has only highlighted the communication problems between the CISO and the board. Mark Brown, executive director of cybersecurity and resilience at Ernst & Young, told CBR that "many CISOs aren’t able to get that advice into the boardroom" in a way the business leaders understand.
The result, according to Brown, is that the financial community, long experienced with risk, compliance and auditing, is now "being brought in to be accountable for cybersecurity".
A turbulent decade awaits
Gianluca D’Antonio, CISO at Grupo FCC, a construction firm, is not quite so pessimistic about whether he should seek a new line of work. "We will survive in five or ten years because of the information explosion [businesses] will not be able to control," he told the security summit in Westminster.
Whilst Brown sees cybersecurity being annexed by other sections that can deal with risk, D’Antonio sees CISOs being drawn into a greater battle over the safeguarding of information. "Many companies have an information security policy without an information management policy," he lamented.
Like many in his industry D’Antonio sees the future in responding to security incidents, arguing that companies are coming round to the view that cyber-defence is a losing battle. "In my company we are preparing to manage the gap in our capability to deal with a crisis," he said. "We’ve prepared a lot of measures in prevention and detection. The next step is reaction."
Whether this counts as a move forward is more debatable. "Whether you think you’re evolving or changing or not depends on where you start from," Morgan said, reminiscing about his time working with the military, which thankfully is more proactive on the cybersecurity front.
"From my perspective my world is catching up from the position I was in some years ago," he said. "When I went into the commercial world, to say I was aghast was an understatement."