Globally, billions of dollars are spent by companies to protect their digital information, yet not a week goes by without news of a major security breach. We not only see more attacks; organisations are suffering larger, more sophisticated and more targeted attacks. According to studies by Trustwave and the Ponemon Institute, the average financial impact of each major breach on a large organisation is increasing by roughly one million dollars per year and currently stands at around ten million dollars per incident.
The problems are known, and although the tactics for combating the cybercrime threat are constantly evolving, they are available. The ten million dollar question is: why do we continue to see mega breaches such as the Target breach, which resulted in the loss of credit card data on 40 million customers over a 19-day period, or the Adobe breach, which resulted in the theft of customer data from 38 million accounts as well as the source code behind some of Adobe's most widely used products, including Reader, Photoshop and ColdFusion?
A recent survey by ThreatTrack may hold some of the answers. The survey concluded that C-level executives regard the CISO role primarily as a place to lay blame in the event of a data breach. It went further and suggested that 74% of executives felt that CISOs should not form part of the leadership team, and about half stated that CISOs should not control the organisation's cybersecurity budget. Considering the threat environment businesses are operating in, these results are surprising to say the least, especially since the New York Times recently described the position of CISO as "one of the toughest jobs in the world". "It's almost like being a lamb led to the slaughter," according to David Jordan, CISO of Arlington County, Virginia.
One of the reasons for the lack of appreciation for CISOs within the C-suite could be that CISOs speak a fundamentally different language from their colleagues. Most C-level executives will have come up through the corporate ranks via sales or marketing. Start a conversation on subjects such as ROI, sales pipelines or B2B marketing strategies and they will probably become enthused; all of them will have an opinion, or at least some input, to contribute.
CISOs come up the ranks by a different route. They may have started their careers in the security services or as mainframe computer operators in the early 90s and progressed through various technical support roles. As technology advanced through the 90s and early 2000s, they would have learned about risk analysis, put in place internet and data access policies, and been responsible for administering onsite computers, offsite laptops and eventually mobile phones and then smartphones. If they kept up to date and on a career track, they may have implemented ISO standards such as the Code of Practice for Information Security (ISO/IEC 27002) and so forth.
The fact is that the CISO is a very different type of manager from his or her C-suite colleagues. The nature of a CISO's experience means they will see things differently and speak to their colleagues in a different language. The communication problem can seem insurmountable. For example, if a CISO stands up at a board meeting and starts a discussion on endpoint vulnerabilities, phishing, botnets or DoS attacks, they will probably be met by a sea of blank faces. If he or she proposes policies that limit risk but also limit the way users interact with the network, they will probably be accused of reducing productivity. If they limit the types of laptop or smartphone allowed to access the network, they will probably be called old-fashioned and out of touch.
To succeed in a difficult career, a CISO must be a great communicator as well as a top-class professional, and one of the most difficult things for any professional to do is abandon jargon and speak the language of the audience.
C-level executives, particularly CIOs, need to think hard about how to embed this relatively new position in the C-suite. The CISO is a highly specialised role that relatively few people have the know-how and experience to undertake. As such, it should be elevated in the corporate structure to a level that corresponds to the post's weighty responsibilities. Treating CISOs as scapegoats is a self-defeating approach that will disempower them and lead to defensive back-covering rather than proactive planning.
On the other hand, CISOs have a responsibility to prove themselves worthy of their seat at the top table. The best practitioners have realised that, as members of an enterprise's senior leadership team, they must demonstrate value beyond information security. They align cybersecurity strategy with business goals and enable the organisation to achieve its strategic objectives.
The best CISOs are not distinguished by technical prowess alone; they also need a healthy dose of general management skills. They need the ability to define a vision and to secure support for that vision from the board and the C-suite. They need to pull together the talent and resources required to translate that vision into reality and, probably the most difficult task of all, to engage the broader employee population to become information security champions.
Sound easy?
Bios of some of the top CISOs globally:
http://www.eccouncil.org/ciso-executive-summit-speakers#&tab-2013