Why CISOs Need a Voice In the Boardroom

Many organisations feel they are adequately prepared for cyber security these days, due to the simple fact of having a CISO (Chief Information Security Officer) in-situ. Having a senior level executive to oversee security and develop security policies feels like the job is done.

However, this is just part (the start) of the journey to cyber maturity. The CISO must be supported within the right culture, feel empowered and personally be equipped with the right skills and expertise. It’s important that the right internal structural and procedural considerations are in place for cyber to succeed – and for this, the CISO really needs to sit at the top level of an organisation.

The Challenge Faced by CISOs

CISOs sometimes fight harder against internal bureaucracy, a severe lack of understanding about the importance of cyber maturity, politics and budget constraints than they do against those wishing harm.

If the role of Chief Information Security Officer is going to be filled, then it should be a position that lives up to its name – an actual Chief. In many cases, the CISO isn’t considered to be part of the executive leadership team but sits at a lower “grade” within the organisation.

A reporting line such as CISO->CTO->CIO->CEO is quite a chain of Chiefs. The CISO’s role is about oversight, and it’s hard to provision this oversight if the head of the group you primarily need to oversee is your boss (or boss’s boss).

Cyber As a Strategic Imperative

Organisations taking security seriously have a cyber strategy that is seeded from the organisation’s overarching strategy. Ultimate responsibility, structure, purview and remit of any cyber team should be justified and contextualised in relation to the organisation as a whole.

The Cyber Strategy should be signed off at the highest level and its progress should be on the agenda of Board meetings. All levels of an organisation should be aware and supportive of the Cyber Strategy and contribute towards its progress.

One of the primary concerns for a CISO is having sufficient budget based on risk. This impacts every aspect of how the organisation is protected. In many instances, this budget is allocated from a pool of money, or subset of a pool. A common complaint from many CISOs is that it doesn’t add up to very much.

Budgets should align to the risk register, owned by the CISO, to ensure they are able to perform their function and protect the organisation. There is no acceptable amount that can be defined by what other organisations do, or by a “percent of a whole”. Every organisation is different in terms of risk profile, culture, risk appetite and cyber and technology maturity, even when in the same industry or head-to-head competitors.

Measuring and Progressing Cyber Strategy

A Cyber Strategy needs to be executable and measurable in terms of progress and success (a metrics programme). Short tactical objectives can form part of the Strategy, but cannot be the Strategy. Likewise, objectives that sound like they come from marketing can have a place in promoting the Strategy, but again cannot be the Strategy.

It’s critical to recognise that merely meeting regulatory standards is not always sufficient cyber defence. The focus of many executive interactions with Cyber, or sometimes their first interaction, is through regulatory requirements. It’s easily understood, and something that can be measured, reported on and in many cases touted as a mark of mature security.

But being regulatory or standard-aligned does not necessarily mean that the organisation is protected appropriately. This is why the CISO needs a seat on the top table, and to work with the Legal team to address regulatory compliance and secure necessary funding.

Standards and certificates should ultimately be the call of the CISO and not influenced by others. For example, if there is urgent cyber work that needs to be done to avoid a breach, then this should arguably take precedence over rushing towards regulatory alignment, since in most cases not doing this pressing work would probably result in non-compliance anyway.

An individual holding the chief title should be able to operate as a chief. A CISO should be Board-ready, able to understand and represent the organisation’s mission and strategy, build relationships across the organisation, manage budgets and staff at a senior level, and lead from the front when required – and if necessary, be the spokesperson for cyber issues to the media.

By Stuart Mort, KPMG

This article was first published by KBI Media
