For as long as there has been security, there have been difficulties, and differences of opinion, between the CISO and CEO.
These two professionals, sporting vastly different backgrounds, have typically had different skills, mind-sets and business objectives, and this has ultimately affected communication and even the way security has been approached by each company. A lack of buy-in from the top often meant a lack of buy-in for security.
These problems have, however, arguably been years in the making.
nformation security started out as a sub-set of IT, folded in as part of the CIO’s job, and subsequently conversations between the CIO and the boardroom were brief, if at all. Budgets were minute for information security but this was no surprise - this was, after all, an age of a nascent Internet and few hackers.
The arrival of the Chief Information Security Officer (CISO) threatened to change that model, and those old lines of communication, but some of the problems remained. Most CISOs today still have little time with their board counterparts, communication wires are crossed and resources are tight.
Only breached companies get it
Fortunately, there are signs that this relationship is improving. Some proactive companies have recognized that CISOs must sit on the board and update executives on the threats on a regular basis, while others have bolstered their security ranks with Chief Risk Officers and data protection officers.
Jimmy Bashir, senior security assurance manager at the UK Government’s Department for Work and Pensions (DWP), says progress has been made – but perhaps for the wrong reasons.
“The board has now woken up and is well aware of the potential risk to the business and the risk of resignations of board-level roles if they get it wrong. Breaches occurring in large organizations affecting share prices, reputation, loss of life, loss of IP, loss of customer or internal dataset are in the news more frequently nowadays and thus, are a major cause for concern.”
Julia Harris, senior information and compliance manager at the UK’s Post Office and formerly head of information security at the BBC, believes that most companies only wake up to CISO-CEO communication after they have been hacked.
“[The communication] has significantly improved in organizations who are either enlightened or been forced to become enlightened through a breach or near miss. It is still very hard.”
Mike Loginov is CEO and CISO at security consultancy Ascot Barclay and he believes that most CISOs still struggle to get their voices heard at the top table.
“Many organizations still don't have a CISO and where they do have one the role often varies greatly; some have a technical focus, others are more strategic and some more operational. All of this points to a position that is developing, maturing and seeking to find its way," he says.
It’s all about getting the board’s head in the right place so that they’re OK with spending money and putting resource into this, and that they realize the benefit in it.
“In larger organizations, CISOs often report to a member of the board, meaning they haven’t yet quite made it to the top table themselves. So CISOs are on route to taking up more influential board level roles. However, there is some way to go before they get there.”
Loginov, the former Chief Cyber Strategist at HP, adds that most boards still dismiss the importance of information security, even in spite of mega-scale breaches like Target in 2013, where senior executives lose their jobs.
“In my view, boards are still not taking the risk seriously enough…executives still see cyber-security as a technical or IT issue, and not a critical business-focused risk.”
Phil Cracknell, chairman and founder of ClubCISO, believes that most boards are only ever concerned with the ‘sunken ships’ seen in media, and ask their CISOs “could that happen to us?”
“We need the relationship to mature further by the security function providing accurate and measurable information pertaining to the risks to our business from cyber, online and insider fraud and malicious actions," he said.
“It is for the board to decide if something should be done based upon the risk indicators of certain potential threats impacting the business. The CISO should simply provide the ratings and show how he arrived at them to lend credibility. He should then list options for mitigation, transfer, insurance or avoidance of the risk," Cracknell said.
CISO roles must change
CISOs are subsequently being asked to adapt their role. Once simply the head of security operations, experts now say they should be the link between the security team and the boardroom. They should be more aligned with business interests and talk in broad business terms, while liaising with their security team for technical updates.
As Andrew Rose, CISO at NATS, told CSO recently, they do not need to be as technical as they once were.
“The CISO role is becoming more business focused,” said Rose. “My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market.
“It’s all about getting the board’s head in the right place so that they’re OK with spending money and putting resource into this, and that they realize the benefit in it," he said.
This is not without its challenges, of course, especially as some experts say that a CISO’s impact will always be limited when reporting to a CIO (still the most common reporting line). Meanwhile, Cisco’s recent Annual Security Reportsuggested that some security chiefs are consequently out of touch with their security teams on new threats.
What you can achieve together
Harris believes that CISOs need to lead this change by becoming more aligned with business interests, and avoiding the hype that can be seen in the media.
She advised CISOs to “avoid technobabble, avoid FUD (Fear, uncertainty and doubt), and avoid using any metrics that contain numbers, whose positive movement is not totally within the CISO's sphere of control.
“Boards understand numbers, and will focus on them over other things that they may not understand.”
Cracknell agrees that reliable metrics are needed, and says that board executives should be part of a ‘dry-run’ incident response plan to gauge a businesses’ response.
“An essential for all CISOs is to develop and dry-run a breach response plan. This should serve to bring some members of the board into contact with the CISO, head of corporate communications, the legal counsel, and actually experience - albeit in a role-play scenario - what could happen and what they should do.
“I would hope this would bring about a higher level of mutual understanding for all, as well as position their organization far better in terms of being breach-ready.”
Loginov adds that additional spending is never the complete answer – as it’s no proof of being secure - and says that bringing in people from the outside can help.
Bashir, former CISO at Fujitsu, agrees, adding: “Communication is essential. If the board is not listening to you, then rolling out your strategy or transformation program is just a tick-in-the-box.
“You need buy in at the top. Depending on the issue, communicating properly to a level they can understand is essential. They are fed up with scare stories," he said.
He advises CISOs to get advice from peers, be less driven by tick-box compliance, and to be more focus on agile leadership, and TQM (top quality management), to address business risk. “You don't need large sums of money to get the basic rights and ensure the business is engaged.”