The new CISO – turning security from scapegoat to hero

Oct 29, 2014

CISOs used to be the fall guys when things went wrong. Today it’s a different story.

Security is no longer just about the technology. It’s at the core of business strategy and that means CEOs and company directors need to give security a voice at the top table.

If the spate of high-profile mega data breaches at major corporations over the past couple of years has taught us anything, it is that security is now most definitely a boardroom issue – and it needs a dedicated C-level executive with responsibility for it.

Increasingly, that means a Chief Information Security Officer (CISO). An ex-manager at Target even claims the absence of a CISO was a “root cause” of the breach at the US retailer in 2013 – though that is something Target has been quick to deny. Target has since, however, appointed its first CISO, hiring an information security and risk executive from General Motors.

The modern CISO needs a broad range of skills, both technical and business, spanning the main functions of the organisation – IT, compliance, HR, legal and facilities management.

Research by McKinsey & Co and the World Economic Forum, interviewing executives from more than 200 organisations, found that senior management time and attention was the single biggest driver of maturity in managing cybersecurity risks. The research also found varying levels of that senior-management engagement. In some companies the CISO meets the CEO quite often, yet in others the CISO has never even met the CEO. And often the CISO reports to someone several layers below the CEO, perhaps via the CTO, the CIO or even the CFO.

But it’s not just about having someone who can be the fall guy or scapegoat when things go wrong. Businesses need to transform themselves to compete effectively in a rapidly changing technological landscape. To do this successfully, organisations have to bake in security from the start, as each new technology is adopted, so that security becomes a competitive advantage rather than an afterthought. However, transformation and change can be a double-edged sword. Change without security designed in simply opens up opportunities for cybercriminals.

Cloud, mobile, social media, big data and other major technology trends are also driving this shift. For example, analyst firm Gartner predicts that more than a fifth of enterprises will have digital security services devoted to protecting business initiatives that use devices and services in the Internet of Things (IoT).

Gartner’s Earl Perkins says: “The power of an IoT device to change the state of environments and of itself will cause CISOs to redefine the scope of their security efforts beyond present responsibilities. The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.”

And while the increasing reliance on technology in all aspects of business can increase risk for organisations, it is happening at the same time as we are seeing increasing sophistication in cybercrime. As the PricewaterhouseCoopers Global Economic Crime Survey 2014 reveals, cybercrime is the fourth most reported type of economic crime – ahead of types of crime we might expect to be higher up the list, including accounting fraud, money laundering, tax fraud, insider trading and espionage. The survey also found that a quarter of organisations have experienced cybercrime.

The real worry is what these companies don’t always know: how many more have been victims of cybercrime but either haven’t reported it or don’t even know they have suffered a breach?

Compliance and regulation are additional factors forcing security into the boardroom. The proposed EU General Data Protection Regulation will place significant responsibilities on companies to make data privacy a bigger priority, backed by the threat of larger fines both for breaches and for failing to report them.

These are all reasons for companies to appoint a CISO and elevate the role to the board – someone who isn’t buried in the IT department, and who can communicate risks and threats in business language to company directors.

The CISO is both the ‘canary in the coal mine’, alert to the latest threats and vulnerabilities, and the champion of security investment that doesn’t just protect the organisation but also enables it to transform the way it does business in the digital era. That changes the conversation from security being simply a necessary cost of doing business to security being an enabler.

About the Author


McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. Take a look at our latest blogs.
