As cyber-threats proliferate, CISOs need to act as strategic leaders, professional counsels, and ‘board whisperers’ for their company
The role of the CISO has grown in prominence in corporate hierarchies in recent years. However, in a fast-changing threat environment, and with cybersecurity firmly established as a subject of interest in the public consciousness, CISOs also need to adapt to thrive.
In a recent panel at Corinium Global Intelligence’s CISO Live, EU digital event, five leading CISOs shared their tips on matching the rapid pace of change, taking a quantitative approach to risk assessment, and communicating effectively with the board.
- Ray Stanton, Executive Partner, IBM
- Tony Clarke, VP of Information Security, Marken
- Simone Pezzoli, Group CISO, Autostrade
- Stephen Owen, Group CISO, esure Group
- Glen Hymers, Head of Data Privacy and Compliance, UK Cabinet Office
Communicating Risk in a Rapidly Changing Threat Landscape
Cybercriminals change targets, attack vectors, and strategies incredibly rapidly. The fast-changing nature of the threat is one reason why the work of the modern CISO is so challenging.
“The threat landscape changes so quickly and that’s one reason why I do feel the cyber-risk is a little bit different to other types of risk,” says Marken VP of Information Security Tony Clarke.
For Clarke, the sheer number of factors that can affect the threat landscape at any given moment sets cyber risk apart from other kinds of business risk.
“As the value of bitcoin changes, threats will change. As ransomware groups become more effective and as they embed more capabilities in their software, that dynamic changes,” he says. “It’s a very fast-moving industry we’re in from a threat perspective and we do need to adapt to thrive because otherwise there will be repercussions.”
For Stephen Owen, group CISO at esure Group, the key takeaway is that CISOs need to change the way they communicate risk to their organization: replace qualitative heat maps with quantified loss estimates.
“CISOs and risk functions [should] probably start moving away from the heat maps and do quantitative risk assessment. It sounds complicated, it’s not,” he says. “I suggest the FAIR model – the way you convey risks, your CFO will love you, and it’s an easier way to get budget, and it’s a non-tech language. I strongly suggest [the FAIR model]. It’s easy to adopt.”
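The FAIR approach Owen recommends decomposes risk into Loss Event Frequency (threat event frequency multiplied by vulnerability) and Loss Magnitude (primary plus secondary loss), takes each input as a calibrated range rather than a single number, and simulates many years to produce an annualised loss distribution. The following Python script is an added illustration of that calculation; it is not code from the panel or from the FAIR standard. It assumes a triangular distribution in place of the PERT curve most FAIR tooling uses, and the ransomware scenario figures are constructed placeholders, not data from any organisation.

```python
"""FAIR-style quantitative cyber-risk estimate using a Monte Carlo simulation.

Added illustration (not from the panel). Risk = Loss Event Frequency x Loss
Magnitude, with LEF = Threat Event Frequency x Vulnerability and LM = primary
loss + secondary loss. Every input is a calibrated (min, most likely, max)
range; the simulation turns those ranges into money figures a CFO can read.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Calibrated estimate: lowest, most likely and highest plausible value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: a triangular distribution stands in for FAIR's PERT curve;
        # both concentrate draws around the most likely value.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Range  # attacker attempts per year
    vulnerability: Range           # probability an attempt becomes a loss event (0..1)
    primary_loss: Range            # response, recovery, lost productivity per event
    secondary_loss: Range          # fines, legal costs, customer churn per event


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year for an expected rate lam (Knuth's method)."""
    if lam > 100:  # exp(-lam) underflows; a normal approximation is adequate here
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Return annualised-loss statistics for one scenario (ALE = mean annual loss)."""
    rng = random.Random(seed)  # fixed seed keeps the board pack reproducible
    annual_losses = []
    for _ in range(iterations):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        # Each loss event draws its own magnitude; the year's loss is the sum.
        loss = sum(
            scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
            for _ in range(events)
        )
        annual_losses.append(loss)
    annual_losses.sort()
    q = statistics.quantiles(annual_losses, n=100, method="inclusive")
    return {
        "scenario": scenario.name,
        "ale": statistics.fmean(annual_losses),
        "p50": q[49],
        "p90": q[89],
        "p95": q[94],
        "losses": annual_losses,
    }


def exceedance_probability(losses: list, threshold: float) -> float:
    """P(annual loss > threshold): one point on a loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed inputs for a hypothetical ransomware-via-phishing scenario.
# The ranges are placeholders for calibrated estimates, not real figures.
RANSOMWARE = Scenario(
    name="ransomware via phishing",
    threat_event_frequency=Range(2, 6, 20),
    vulnerability=Range(0.02, 0.05, 0.15),
    primary_loss=Range(50_000, 250_000, 1_500_000),
    secondary_loss=Range(0, 100_000, 2_000_000),
)

if __name__ == "__main__":
    r = simulate(RANSOMWARE)
    print(f"{r['scenario']}: ALE={r['ale']:,.0f} p50={r['p50']:,.0f} "
          f"p90={r['p90']:,.0f} p95={r['p95']:,.0f}")
    for t in (250_000, 1_000_000, 5_000_000):
        print(f"  P(annual loss > {t:,}) = {exceedance_probability(r['losses'], t):.1%}")
```

The output is the kind of statement Owen describes: an expected annual loss and a probability of exceeding a given figure, which can be compared directly against the cost of a control (a control that cuts the vulnerability range is simply a second scenario run through the same function). Inputs should come from the people closest to each factor, such as the SOC for event frequency and finance for loss magnitudes, and the seed should be fixed so the numbers in a board pack can be regenerated.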
Educating the Board on the Business Implications of an Attack
Winning the necessary budget for cybersecurity initiatives can be a challenge for CISOs. For some, their approach to communication with the board is characterized by a common acronym: FUD (fear, uncertainty, and doubt).
However, Glen Hymers, Head of Data Privacy and Compliance for the UK Cabinet Office, thinks that CISOs need to adopt a different approach.
“Don’t use FUD. Do not use fear, do not use uncertainty, and do not use doubt,” he states. “Yes, it might get you a quick win and you might get a big bang for your buck early on, but then after that where do you go after that?”
Instead, he suggests, CISOs should translate technical talk into language that is more likely to resonate with the board.
“I always use the phrase ‘turning geek speak into business speak’, because it needs to be that way – we can’t baffle them anymore,” he says.
Finding the right ‘language’ to speak to the board is especially important for organizations that manage critical infrastructure, as a serious attack could have life-threatening consequences.
Simone Pezzoli is the group CISO for Autostrade, which is responsible for the management and maintenance of more than 4,000 miles of roads in Italy.
“If you don’t take security by design as a principle when you build an architectural blueprint, then you need to consider that there could be an impact to safety as well, because people are actually driving on our infrastructure,” he says.
“That’s a great example of the typical conversation that you can have with folks that are definitely not technical, but they do understand what the impact can be on the business.”
The CISO As A Professional Counsel
While organizational hierarchies differ from company to company, reporting lines should not stop critical messages about cybersecurity from reaching decision-makers across businesses.
“The thing for me is having a security executive committee, an organization that is made up of senior executives of different parts of your organization,” says IBM Executive Partner Ray Stanton.
“Whether you are publicly traded, private, governmental, it doesn’t matter. You should have something that [provides] that independence, where you can bring [your concerns],” he says.
Ultimately, CISOs need to get their message across to senior decision-makers, effectively acting as a professional counsel for key business decisions related to risk, according to Hymers.
“Remember that at the end of the day we’re a risk management function predominantly – we’re there to manage the risk to the organization through its infrastructure and its applications and its people,” he says.
“If we articulate that risk properly, and we articulate it in a manner that they can understand, then they will make a conscious-based risk management decision on what it is that they’re going to do. And then that’s our work done at that point,” he concludes.