And, when it comes to a data breach, the simple fact is that someone will always have to accept responsibility - whether it’s the CISO, CIO or CEO. The huge amount of data breaches that can now be recalled show that cybersecurity failures can be fatal; a major data breach will ruin not only an organisation’s bottom line, but also pose major risks to its reputation, brand and future. Once a breach has occured, customers or other stakeholders will be far more wary of engaging with the business; and dealing with the fallout of a breach often means difficult decisions need to be made. The question remains: where does the role of the CISO fit in?
CISO who?
Despite the risks that the role now has a reputation for, numerous organisations are starting to see the value of employing someone to specifically deal with the increasingly sophisticated cyber threats, either because they have the right Information Assurance (IA) mindset or because of the increasing pressures around compliance, risk and governance.
In the past few years, the role of the CISO has left behind its traditional responsibilities and core tasks of specifically developing, deploying and maintaining an information security programme, serving to protect all of the data stored and processed by a business, morphing into a much more integral role of identifying risk across the entire business and raising awareness to employees of the damage a data breach can cause. Additionally, the role now has a direct reporting line to the Board of Directors rather than a CIO or CTO, extending visibility and accountability.
The essential CISO qualities
Diligent, attentive and risk aware are just three of the main characteristics vital to the role of the CISO. Whilst the characteristics can vary from organisation to organisation, a CISO needs to be extremely aware of the risks surrounding not only their role, but the entire organisation. New threats need to be identified and new protocols put in place, all of which needs to be consistently managed and maintained to keep up with the evolving threat landscape.
Being an excellent communicator and understanding various audiences is also key; explaining the threats or solutions to a non-technical Board won’t get a CISO very far - and having the Board on side with cybersecurity efforts is essential. The Board wants to hear about the financial implications, so shying away from the possibilities won’t get a CISO very far. Removing tech jargon that really isn’t applicable is also a crucial quality because the board of directors need to be fully aware that cyber risk now has fiduciary implications and therefore needs to be given the time and attention it deserves.
Focus on the data, not the network
Technology decisions are vital for ensuring the organisation is secure; with numerous attack techniques in existence that have the ability to not only infiltrate, but destroy an organisation’s network, it is critical for organisations to think about IA, which focuses on the data, rather than security, which focuses on the network. By understanding the sensitivity and risk of data compromise the CISO is able to focus on technology decisions that protect the data itself and not just the network the data runs over as when the network is compromised it is data that is put at risk - and we all know the consequences this can have.
The need to separate roles in an organisation into discrete functions is imperative; ‘Separation of Duties’ removes the cross contamination of roles, which therefore increases accountability, reduces error potential and removes the potential for non-essential personnel to access the security configuration of network devices. This separation of duties also needs to happen within the technology itself by adopting an overlay security posture, allowing both flexibility and agility to be extended across all networks whether owned or not, whilst ensuring zero impact to the security posture when the network is changed or compromised. Every CISO should understand how fundamental this is.
Starting at the top
Whilst the correct security mindset must start at the top, in reality it also needs to be embedded across all practices within an organisation; extending beyond the security team to legal, finance and even marketing. The responsibility of securing the entire organisation’s network sits with the CISO, but the catastrophic risks of a cybersecurity failure means that it must be given consideration by the entire Board and become a top priority in meeting business objectives.