Friday, 29 August 2014

A CISO’s Greatest Challenge, Communication

Globally, billions of dollars are spent by companies to protect their digital information yet not a week goes by without news of a major security breach. We not only see more attacks, but organisations are suffering larger, more sophisticated and targeted attacks. According to studies by Trustwave and the Ponemon Institute the average financial impact of each major breach on a large organization is increasing by roughly one million dollars per year and currently costs around ten million dollars per incident.

The problems are known, and although the tactics to combat the cybercrime threat are constantly evolving, they are available. The 10 million dollar question is: why do we continue to see mega breaches such as the Target security breach, which resulted in the loss of credit card data on 40 million customers over a 19-day period, or the Adobe breach, which resulted in the theft of customer data from 38 million accounts as well as source code behind some of Adobe’s most widely used products, including Reader, Photoshop and ColdFusion?

A recent survey by ThreatTrack may hold some of the answers. The survey concluded that C-level executives regard the CISO role primarily as a place to lay blame in the event of a data breach. It went further and suggested that 74% of executives felt that CISOs should not form part of the leadership team, and about half stated that they should not control the organisational budget for cybersecurity. Considering the cyber threat environment businesses are operating in, these results are surprising to say the least, especially since the New York Times recently said that the position of CISO is “one of the toughest jobs in the world”. It’s almost like being a lamb led to the slaughter, according to David Jordan, CISO of Arlington County, Virginia.

One of the reasons for the lack of appreciation for CISOs within the C-suite could be that CISOs speak a fundamentally different language from their colleagues. Most C-level executives will normally have come up through the corporate ranks via sales or marketing. If you start a conversation on subjects such as ROI, sales pipelines, B2B marketing strategies and the like, they will probably become enthused and all have an opinion, or at least input, to contribute to the conversation.

CISOs come up the ranks through a different route. They may have started their careers in the security services or as mainframe computer operators in the early 90’s and progressed through various technical support roles. As technology progressed through the 90’s and early 2000’s, they would have learned about risk analysis, put in place internet and data access policies, and been responsible for the administration of onsite computers and offsite laptops, then mobile phones and eventually smartphones. If they kept up to date and on career track, they may have put in place ISO standards for Codes of Practice for Information Security and so forth.

The fact is the CISO is a very different type of manager from his or her C-suite colleagues. The nature of a CISO’s experience means they will see things differently and speak to their colleagues in a different language. The problem of communication can seem insurmountable. For example, if a CISO stands up at a board meeting and starts a discussion on endpoint vulnerability, phishing, botnets or DoS attacks, they will probably be met by a sea of blank faces. If he or she proposes policies that limit risk but also limit the way users interact with the network, they will probably be accused of reducing productivity. If they limit the type of laptop or smartphone allowed to access the network, they will probably be called old fashioned and out of touch.
To succeed in a difficult career a CISO must be a great communicator as well as a top class professional and one of the most difficult things for professionals to do is abandon jargon and speak the language of the audience.

C-level executives, particularly CIOs, need to think hard about how to embed this relatively new position into the C-suite. The CISO is a highly specialised role that relatively few people have the know-how and experience to undertake. As such, it should be elevated in the corporate structure to a level that corresponds to the post’s weighty responsibilities. Treating CISOs as scapegoats is a self-defeating approach that will disempower CISOs and lead to defensive back-covering rather than proactive planning.
On the other hand, CISOs have a responsibility to prove themselves worthy of their seat at the top table. The best practitioners have realised that, as members of an enterprise’s senior leadership team, they must demonstrate value beyond information security. They align cybersecurity strategy with business goals and enable the organisation to achieve its strategic objectives.

The best CISOs are not distinguished just by their technical prowess; they also require a healthy dose of general management skills. They need the ability to define a vision and to secure support for that vision from the board and the C-suite. They need to pull together the talent and resources required to translate that vision into reality and, probably the most difficult task of all, to engage the broader employee population to become information security champions.

Sound easy?
