This article was written by Roger Camrass, research director at CIONET UK and a visiting professor at the University of Surrey, and is based on the conversations during a wine tasting event on the ‘Future of the CISO’ that was held on 10th March 2021 and sponsored by EY and ServiceNow.
The confluence in 2020 of the universal moves to home working and ‘online’ everything due to the pandemic has dramatically escalated the number of cyber attacks on organisations in the UK and elsewhere. As a result, security and data privacy have risen to the top of the risk register and prompted Boards to review current arrangements, including the extended role of the Chief Information Security Officer, or CISO. EY and ServiceNow invited CIOs and CISO executives to take part in an informal discussion to share experiences and to begin to plot out a future course for the CISO profession.
Gavin Cartwright, a UK&I partner in the EY Technology Consulting practice and its cyber security lead, used an iceberg analogy to illustrate the different facets of the CISO role and responsibilities. Above the waterline, the CISO has the critical task of informing the Board and ‘C’ suite on all matters relating to cyber security and data privacy. This requires strong emotional intelligence and storytelling capabilities. Below the waterline, the CISO must take a lead in technical conversations that cover secure operations, incident response, data protection and many more topics.
This analogy proved popular with the delegates and provoked an animated discussion about the essential qualities of a CISO as we progress rapidly towards fully digital organisations and marketplaces. Many felt that, because the role has historically been a technical one, some incumbents might be inhibited from engaging directly with Board members. However, there was clear consensus that to be effective, future CISOs would need to understand the motivations of the ‘C’ suite and work collaboratively with them.
Boards have always been concerned with operational risk and business continuity. However, in an increasingly digital world, new risks such as reputational damage are becoming critical. Delegates stressed that the ubiquitous use of social media can damage brands within hours or days and can have a direct impact on equity values. Recent customer data breaches within the travel and media sectors have placed CEOs directly in the public eye. They have also led to punitive damages reaching into the billions of dollars.
In this respect CISOs need to familiarise themselves with the key metrics that are scrutinised by Board members – both financial and non-financial. They also need to be sensitive to external investors and the measures that are important to broader stakeholders such as local communities. This implies a growing competence in business leadership as well as a deep technical understanding of risk related issues.
Many of the delegates came from organisations with heavy physical plant and associated networks such as manufacturing and utilities. In such cases, engineers running the physical plant often choose to oversee their own security arrangements with little reference to the CISO who focuses primarily on back office, IT and general workflow. Much of the physical plant employs heritage systems that do not always have modern security features built in. In one recent case, a cyber attack on manufacturing caused a six-week production outage.
This situation needs to be resolved and CISOs need to have authority over both IT related systems and operational plant to ensure end-to-end business continuity. However, delegates recognised that pulling both sides together may be difficult due to cultural differences. Boards need to understand the case for a consolidated security function across all aspects of the enterprise.
Digital transformation and associated workflow automation are helping to eliminate repetitive tasks and speed up business in line with today’s customer requirements. However, many of the techniques being applied such as DevOps do not always have security built in from day one of any new project. There is a strong case for adding security to this process to avoid possible areas of vulnerability to cyber-attack. Our recent event on DevSecOps explored this in more detail.
Again, the rapidly converging worlds of manual and automated workflows require attention from the CISO. One delegate summarised the secure automation task under four simple headings:
Although much can be done to reduce risk within an enterprise by adopting secure architectures, the presence of third parties can broaden risk exposure in ways that may be difficult to analyse or mitigate. One delegate mentioned that most of his manufacturing was outsourced to external parties. In other cases, many systems and applications were run by third parties. Connected supply chains were another area of external dependency.
The CIO and CISO need to be involved more closely in such third-party relationships, both at the procurement and operational stages. This is not always the case today and becomes ever more critical as processes and applications move swiftly to public cloud environments. Inevitably, external suppliers such as cloud operators are reluctant to assume full risk liability. Careful attention is needed to minimise such third-party exposures.
Currently around 50% of CISOs report to the CIO. The rest have varied reporting lines, including the CFO, COO and CEO. A few of the CISOs report to the Chief Risk Officer. All delegates agreed that given the growing importance of security and data privacy, the role should cut across functional boundaries and have effective influence across the whole organisation.
The most interesting issue raised during the event was ‘who owns the risk?’ Clearly the CISO is responsible for measuring risk and providing the necessary safeguards to compensate for the inevitable breaches. However, such responsibilities should not fall entirely on the CISO’s shoulders. The unresolved issue is whether the CISO should have both the responsibility and the vested authority to manage this critical aspect of any business.
Given the growing importance of this role in dealing with risk and security, the CISO will need to develop new competencies and reach further up the organisational structure. Possible recommendations include: