Does your company need a CISO?
Information technology and cybersecurity have been hot topics in the last year. Axia’s team sponsored and attended various sessions at both iTech Calgary and the CIO Summit. One common thread? The organizational shifts that cybersecurity threats are demanding.
As businesses move fundamental portions of their operations to the cloud, the potential for cyberattacks to dramatically undercut the bottom line of companies big and small is increasing exponentially. Look no further than the recent Equifax breach, which is estimated to cost the company upwards of $125 million before all is said and done – not to mention the damage to their credibility.
It’s no surprise then, that more and more companies now have a CISO—Chief Information Security Officer. But is simply having a CISO enough? As Frederick Scholl explains in a report for the National Association of Corporate Directors, cybersecurity needs to be approached as an enterprise-wide risk management issue, not just an IT issue:
“A perfect example is the Yahoo-Verizon deal, where the newly reported breaches may cost Yahoo shareholders $250-$350 million… Was the Yahoo board kept up to date with the state of the Yahoo security program? That’s not known. An interesting recommendation in the NACD handbook is to get board members involved with table top exercises around incident response. That way, they will be part of the breach reporting conversation.”
The role of CISO is a fairly new title in most organizations. This underscores how important the role is in today’s highly connected business landscape, but it also explains why many companies don’t place CISO-related issues at the forefront of their strategic planning.
What is a CISO, and how does the role differ from CIO?
The relationship between CISO and CIO in every organization is slightly different, and recommendations on how these roles should break down are ever evolving. In broad strokes, here are some common differences:
“Most companies are really struggling with cybersecurity as the threats and attack vectors are getting rapidly more sophisticated; they have challenges finding the right resources to assist in getting their cybersecurity house in order,” says Tie Hoekstra, the Manager of Corporate Information Security & Controls, Cloud Technologies & Corporate IT.
Boards tend to worry about the financial bottom line of their companies rather than IT matters, which cybersecurity concerns are often lumped under. The reason is simple—most boards are comprised of individuals with financial backgrounds, not IT backgrounds.
For today’s burgeoning crop of CISOs, it’s therefore critically important to know how to talk to boards of directors. In short, CISOs today need to learn how to communicate the business case for increased security spending. Why is it better to spend a dollar on cybersecurity versus spending that same dollar on marketing instead? What’s the risk and what’s the reward? What’s the business case?
In this regard, CISOs can learn a lot from other C-Level executives in their organization, such as the CIO or the CMO, who have likely been talking to boards of directors for years, if not decades.
For example, the National Association of Corporate Directors reports that only 15% of the boards they surveyed are satisfied with the information they’re getting from their management. An effective CISO, then, needs to know how to deliver straightforward strategic information, without the technical jargon and statistics.
When asked whether many business leaders or executives are shying away from engaging with IT/cybersecurity issues because of a lack of clear understanding, Hoekstra says: “The cybersecurity landscape is ever changing, and having a full understanding of the issues is very difficult if you are not in the business of Information Security. With all the high-profile information security breaches of the last few years, the landscape is changing and the executive suite is starting to view this as not just an IT issue, but as a larger reputation issue – should a breach occur. Additionally, the legal landscape is reacting to the high-profile breaches, and additional legal controls are being put in place.”
The cybersecurity future looks hopeful in the grand scheme of things, but the role of CISO is still very new. Companies that have taken the progressive step of ensuring they have a CISO in place are on the right track when it comes to cybersecurity. However, that’s only part of the battle.
So the answer to the question posed in the title of this blog is somewhere in the grey zone. Depending on your organization’s structure, a CISO may be the right answer. However, the title and the role aren’t the determining factor. What matters is the commitment and clarity on who is accountable for security, who is responsible, and how it’s communicated and played out. Some companies are creating a Security Committee that reports to the leadership team. The committee has an all-encompassing grasp of security across all of the departments of the company.
For many companies, there’s still a lack of understanding at the board level on matters of cybersecurity, and it’s up to the CISO, CIO, or Security Committee to adopt new ways of thinking, communicating, and presenting in order to best protect the bottom line.
For more information on our secure fibre connectivity solutions, contact your Axia salesperson at firstname.lastname@example.org or 1-866-773-3348.