What CISOs Can Do Today

In part three of our series, we laid out the five top priorities for CISOs as they shift their focus to the executive aspects of their roles and build out their teams. In this final part of our series, I join my colleagues Aileen Alexander from Korn Ferry and Paul Calatayud from Palo Alto Networks to look at those priorities in greater depth. Specifically, we focus on what CISOs can do today to empower their organizations.

No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness

  • Be creative. Think differently about the teams you have today, how their skills match to the latest trends and train them as needed.
  • Work with HR to develop university outreach programs that focus on acquiring young talent early into the organization.
  • Focus on making it easier to consume security technology. If you can make it easier for others to approach your team and understand what your team does, then you have a higher likelihood of attracting a different type of talent that can bring a unique set of skills to your team.

No. 2: Incorporating regional laws and regulations into cyber strategy

  • Familiarize yourself with the impact of these regulations. Bring in a third-party expert to explain the intricacies and considerations.
  • Consider introducing the role of a business information security officer (or BISO) in certain key regions. While they may not be focused on cybersecurity, they should focus on the risks, regulatory impact and privacy laws in their respective countries.
  • Align closely with legal and policy teams to advise on the impact of these laws on your organization.

No. 3: Embracing the DevOps philosophy

  • Forge strong relationships with these teams and become more involved in their development processes.
  • In meetings and conversations, focus on risk guidance and why security is important to every application deployment.
  • Define and share security requirements in a way that they become a natural part of the development process.

No. 4: Tackling IoT security (corporate and personal)

  • Get involved in the process of IoT purchases at your company.
  • Expand cybersecurity awareness training to include education about personal IoT devices and the far-reaching impact these devices can have on the organization.
  • Advise employees on how to adjust device and app settings, such as location and data access, to protect employees and the company.

No. 5: Aligning with product and physical security

  • Proactively get involved and forge relationships with product and physical security teams.
  • Highlight the unique security risks and considerations for new products during early development stages.
  • Develop steering councils or security review committees with the teams responsible for product or physical security.

Conclusion

This is a very challenging time to be in cybersecurity. At the same time, it can be very exciting. The threat environment is becoming more sophisticated and the impact of cybercrime and data breaches is becoming more high profile and potentially disruptive. It is not unfair to say that the future of organizations often rests in the hands of their CISOs and security teams.

As we’ve seen in this four-part series The Evolution of the Chief Information Security Officer, the increased profile, visibility and accountability of the CISO is causing significant changes in who will succeed in these positions and how they will operate. Being the most technically astute individual in the organization is not a bad thing, but it’s not the only attribute that will define a successful CISO, now and in the future.

Instead, CISOs will need to fit comfortably in the executive suite, speak the language of business and recognize that one of the most important roles they have to play is as a change agent. As we said at the outset, cybersecurity has expanded well beyond the confines of IT and is now a concern at the highest enterprise level. That reality will continue to determine how the role of the CISO continues to evolve in the future.

Editor’s note: thank you for reading part IV of our Korn Ferry CISO series. To catch up, you can view all of the articles in the series here.

Source: https://www.securityroundtable.org/what-cisos-can-do-today/

Top 5 Priorities of the CISO of Tomorrow

As the role of the CISO continues to evolve, areas that were once the personal responsibility of the CISO will shift to other members of their team.

What does that mean for the CISOs of tomorrow? How will they shift their focus to the “executive” aspects of their roles and build out their teams? How will they prioritize their roles and responsibilities? How will they interact with and communicate to the rest of the organization, whether it is the board, the C-suite, their own teams or the rank and file?

Working with my colleague Jamey Cummings at Korn Ferry and Paul Calatayud from Palo Alto Networks, we have identified the top five things CISOs will need to prioritize as they shift their focus to a role of business enablement, higher visibility, and greater accountability. They are:

No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness.

This is a current challenge that is only growing. Addressing these needs sets the foundation for everything else the CISO must do in the coming years. Since the cybersecurity landscape is constantly changing, in addition to attracting new talent to the industry, continuous training and skills development for existing teams are essential. As different business units move data and services to the cloud, the CISO must develop programs and personnel to train the entire organization on proper cyber hygiene and cybersecurity awareness.

No. 2: Incorporating regional laws and regulations into cyber strategy

For multinational companies, larger strategic regional teams will be needed to address the complexity of data and privacy laws. GDPR, for example, is a regulation that is global in nature because of the number of companies around the world it impacts. When thinking about regulations like this, the question for companies becomes: how do you create capabilities that address something like GDPR in the context of European stakeholders while still considering Canadian or U.S. privacy laws?

No. 3: Embracing the DevOps philosophy

DevOps is a movement to reduce the technical inefficiencies between IT, developers and security teams. It is about automating the deployment, maintenance and security tasks that these teams have traditionally done manually and separately. What DevOps means for CISOs and security teams is that cybersecurity is starting to be prioritized at the outset of any IT-related project. CISOs who embrace the DevOps concept and prioritize DevOps roles on their teams will be better aligned to the rest of the organization in the coming years.

No. 4: Tackling IoT Security (Corporate and Personal)

According to Gartner Research, the projected number of connected devices is expected to reach 20 billion by 2020. With this comes more security risks. CISOs will need to start thinking about how to not only protect the IoT devices that are corporate property, but also the personal devices that are coming in and out of their networks. Oftentimes, IoT devices connect to company laptops or mobile phones that have legitimate access to the corporate network. It’s reasonable to assume that, if a personal IoT device is compromised, the corporate network might be vulnerable as well. Progressive CISOs will need to think about how to guard against threats posed by personal devices and figure out which members of their team are best-suited to manage that.

No. 5: Aligning with Product and Physical Security

While product and physical security teams might not fall under the CISO’s umbrella today, they will become increasingly intertwined as cybercriminals become more creative. CISOs should be thinking about how they will better align with the groups responsible for these disciplines to make sure that cybersecurity is consistent across all areas of the business.

Conclusion

Cyber risk touches every area of a modern business and the importance of the CISO and InfoSec Team is growing. Regardless of how these roles evolve in one organization versus another, CISOs will always have to go back to the same basic question: what do we need to prioritize to help keep our particular business secure and thriving? To learn more about what CISOs can do today to keep their businesses secure and thriving, see part four of our series: What CISOs Can Do Today, coming next week.

View the full report that outlines what’s ahead for CISO leaders.

Source: https://www.securityroundtable.org/top-5-priorities-of-the-ciso-of-tomorrow/

Archetypes of the Modern CISO

As described in part one of this series, the role of the modern CISO has changed significantly over the past few years. CISOs have higher visibility and accountability than ever before, which has moved them from back-of-the-house operations into a key public-facing role.

This changing dynamic requires new attributes for successful CISOs in terms of competencies, experience, traits, and drivers. Among other things, CISOs need to be strategic outside-the-box thinkers with deep technical experience who are also flexible, learning agile, intellectually curious, action-oriented, agents of change and seekers of roles that have high levels of visibility and accountability.

Whew!

My colleague at Korn Ferry, Aileen Alexander, and Paul Calatayud from Palo Alto Networks have both used the word “Herculean” to characterize the complete slate of tasks required to succeed as a CISO today, and that is certainly an apt description. We have also defined three emerging archetypes of backgrounds for today’s—and tomorrow’s—cybersecurity leaders:

1. The techie-turned-executive. This is the most common background, with about half of information security leaders fitting into this category. Korn Ferry describes this individual as a technical master who works with the CIO, has a hands-on approach during a crisis and is a driver of enterprise security architecture. Increasingly, even if these individuals come up through the traditional technology ranks, they are required to broaden their approach and look beyond technology and more closely at the corporation, its people, customers and suppliers.

2. The enterprise security and risk-focused leader. This individual is a “big picture” leader who aligns information security with corporate business strategy and transforms the security function to meet the environment. These leaders are emerging in the financial services industry, where issues around sensitive information and compliance have forced cybersecurity functions to be more highly focused on risk management. In fact, Korn Ferry has also found that the financial services sector is where there is a more frequent shift in CISOs reporting to the chief risk officer instead of the CIO.

3. The Washington/cyber and physical security blend leader. This is a mission-driven leader who understands macro geopolitical and threat trends. This person has access to intelligence due to relationships and credibility. While less technical, he or she is able to “connect the dots” across security silos and is “Washington” savvy on a regulatory front. Again, these leaders are emerging in financial services, for much the same reasons those organizations are also turning to leaders focused on enterprise security and risk.

While these archetypes will continue to define most CISOs, because of digitization and evolving cyber risks, new responsibilities and priorities are emerging that impact the scope of the CISO role, regardless of their background. The CISO is inevitably becoming a crucial part of the executive team, and the roles and responsibilities of the information security team are growing as well. What does that mean for the next generation of CISOs? See part three of our series next week, the Top 5 Priorities of The CISO of Tomorrow.


Source: https://www.securityroundtable.org/ciso-archetypes/

The Changing Role of the CISO

Over the past decade, the role of the CISO has evolved to keep pace with today’s dynamic threat and regulatory environment. Cybersecurity has expanded well beyond the confines of IT and is now a concern at the highest enterprise level. This has impacted how CISOs are viewed within the organization, as well as their typical reporting structure. It has also redefined the skills and backgrounds that determine who will be hired in those roles, and, perhaps more importantly, who will succeed.

I spend a lot of time analyzing how the role of the CISO is evolving. I have worked in close partnership with Paul Calatayud, CSO at Palo Alto Networks, and my colleague Jamey Cummings, a fellow co-leader of the Cybersecurity Center of Expertise at Korn Ferry. Here are some of our findings, adapted from this article.

Change Agents

The new dynamic in cybersecurity has made the CISO far more visible and accountable in organizations. When Korn Ferry researchers analyzed data from a work analysis exercise given to executives, the results showed that 80% of CISOs said their jobs had a very high-profile orientation for both visibility and accountability. This was nearly double the percentage of other same-level managers surveyed.

Beyond that, there were two other critical areas where CISOs expressed a higher requirement than their counterparts across the organization. Those were:

  • Long-term strategic vision
  • Implementing new initiatives

These findings suggest that organizations need cybersecurity leaders with skills that go well beyond technical expertise. Technical knowledge is still essential, but today’s CISOs need to be able to think outside the box, dig deeply into issues, exercise seasoned business judgment, exert influence at the board and C-level suites, and be a credible business partner.

According to our research at Korn Ferry, CISOs also need a different “motivational makeup” because “the most effective leaders are those who seek high visibility and accountability and strive to be agents of change.”

Reporting Structures

The higher levels of visibility and accountability have also affected where CISOs fit in within the overall organization as well as their reporting structures. Korn Ferry’s research shows a shift in reporting relationships. While many continue to report to a CIO, many more CISOs are now reporting to the head of risk management, a general counsel, the company’s president or the COO.

As noted in our most recent report: “Because the CISO has moved from the back-of-the-house operations to a key public-facing figure relied upon heavily by others in the C-suite, gone are the days when someone who is a brilliant technology expert but lacks business and relationship acumen can make it at the top ranks of the cybersecurity role.”

In today’s world, an ideal CISO has to keep up with the breakneck speed of technological change, while also having a strong aptitude for leading courageously, moving nimbly and understanding the right level of risk to make an organization safe—while still innovating.

Where will organizations find these rare individuals? See part two of our series: Archetypes of the Modern CISO.


Source: https://www.securityroundtable.org/changingroleciso/

What’s The Best Reporting Structure for the CISO?

As cybersecurity risk management has emerged as a top strategic priority for companies across industries, the question of whom the CISO should report to has likewise risen in importance. Historically, the CISO reported to the CIO, but companies are increasingly considering a number of alternatives—from placing the CISO in the risk or enterprise data groups to having them report directly to the CEO or the board. Although there is no one-size-fits-all answer, we can provide guidance for companies about the pros and cons of the various options.

Option #1: Reporting to the CIO

Most CISOs have reported to the chief information officer (CIO) since the cybersecurity position was first created—and most CISOs call the CIO boss today, according to Kal Bittianda, head of executive recruiter Egon Zehnder’s North America technology practice group.

Pros: The CIO is the member of the C-suite who best understands cybersecurity issues and, in many cases, is reporting to the board on the topic. Much of a CISO’s spending is directly related to IT. And there would be a cost of disruption to change this approach in many organizations, says Bittianda.

Cons: Although the CISO role was created to secure IT systems and data, “a big part of the role is outside of IT,” says Sandra Konings, partner with BDO Advisory in the area of cybersecurity. CISOs have to consider employee awareness and education, security policy and procedures, and cultural change. “When the CISO is reporting to the CIO, it may be easy to influence IT,” says Konings. “But it’s not so easy to influence anyone else.” CISOs reporting to CIOs may also be pressured to focus on technological solutions at the expense of more holistic solutions. The most significant cybersecurity vulnerabilities are the humans in an organization, not its technology stack. Falling under the CIO reinforces the notion that cybersecurity is simply an IT issue, rather than an enterprise one, says Denver Edwards, principal at the law firm of Bressler, Amery & Ross specializing in cybersecurity issues. There can also be a conflict of interest when the CIO must weigh security against other priorities such as networking, application development, infrastructure support, and outsourcing, says David F. Katz, a partner and leader of the Privacy and Information Security Practice Group for Nelson Mullins Riley & Scarborough.

Option #2: Reporting to the CRO

Over the last five years, some organizations such as financial services firms and large multi-national companies, have opted to place the CISO under the chief risk officer (CRO).

Pros: “The role of the risk function is to give the board greater insight into the enterprise risk of the company, not just financial risk, so it makes sense,” says Konings of BDO Advisory. “It’s an oversight function and that can help to ensure that everyone does what’s needed to put the right solutions in place.”

Cons: In many companies, the CRO doesn’t report to CEOs so this reporting structure can further distance CISOs from top executives and company strategy. “At one large company, we transferred the CISO to risk and for a year it worked really well,” says Konings. “But the downside is you’re too far away from everything else.”

Option #3: Reporting to the CFO

Companies nestle any number of functions under finance—IT, risk management, procurement, tax, audit—and some situate the CISO there as well.

Pros: The CFO is in the know on approaching risk, reports to the board, and may make critical decisions about cybersecurity spending. Although some other C-level leaders have bemoaned the cost-centric focus of a CFO overlord, Egon Zehnder’s Bittianda points out that an increasing number of CFOs are evolving in their management approach in the hopes of taking over CEO roles in the future.

Cons: The downside, of course, is that many CFOs want to see returns, particularly if they are incentivized on year-over-year earnings growth, says Bittianda. “That can be a tough discussion for CISOs to have because it can be difficult to show the benefits of cybersecurity investments,” says Konings of BDO Advisory. They may lack sufficient technical understanding as well.

Option #4: Reporting to the CDO

The chief data officer is a relatively new corporate role often focused on preserving and expanding the value of corporate data, so there is certainly some overlap with the CISO’s role in protecting that data.

Pros: “A CDO that sees the company’s data as an asset, and who is aware of the company’s defensive skills, could be the right person to be responsible for information security,” says Edwards of law firm of Bressler, Amery & Ross.

Cons: CDOs who see their role as an offensive position, leveraging data to increase revenues, may clash with CISOs who see their role as defending the valuable information assets of a company. “This sets an inherent conflict and the end result is to place the CISO in a position of being perceived as potentially hostile to the business objectives,” says Katz of Nelson Mullins Riley & Scarborough. What’s more, the new CDO may not be able to give enough attention to cyber issues, thereby limiting the effectiveness of this structure. “Data breaches have become so prevalent that it requires full-time attention,” says Edwards. “Meanwhile, it would be a wasted opportunity if a company has data that could help gain market share, but was slow to execute because the CDO has other challenges to confront.” Additionally, if the CDO does not report to the CEO, this again puts a greater gulf between the CISO and the organization’s leadership.

Option #5: Reporting to GC/CLO

While not a widely employed approach, some companies have opted to move the CISO out from under IT and into the office of the general counsel (GC) or chief legal officer (CLO). This often happens in cases where the CEO recognizes the critical nature of cybersecurity and deems the GC someone to trust with it, according to Bittianda of Egon Zehnder.

Pros: GCs handle significant issues related to information governance and compliance and have a good idea about corporate direction since they often serve as board secretaries. They also tend to get involved when there is a cybersecurity incident. Unlike the CEO or even the CFO, the GC is not burdened with many other direct reports.

Cons: Because GCs don’t typically have many non-legal direct reports, they may not be the best managers. They are also more engaged in episodic security activities, like breaches, than operational issues.

Option #6: Reporting to the CEO

Three years ago, IDC predicted that 75% of CISOs would report to the CEO, but it’s still the exception rather than the rule. This typically occurs in tech-centric companies or those that have suffered high-profile cyber setbacks and demands a CISO that is a true business leader.

Pros: Reporting to the CEO maintains the independence of the CISO role and can enable “frank and candid discussion with respect to risk, resources, prioritizations and conflicts that may arise among the larger group of stakeholders within the entity,” says Katz of Nelson Mullins Riley & Scarborough. A dotted-line reporting relationship to the board or some other oversight committee with regular reporting requirements can strengthen this kind of arrangement.

Cons: Cybersecurity, while a high priority, is not central to CEO responsibilities in many organizations. “The greater number of principals who directly report to the CEO reduces the executive’s ability to focus on strategy and organizational leadership,” says Steve Berlin, litigation associate at Rumberger Kirk & Caldwell who helps clients develop cybersecurity policies and defend them in related litigation. A CISO who reports to the CEO but is not part of the management team is still a step removed from strategic decision-making. “In many cases, it’s better to report to the CIO, who is part of the management team, and can feed necessary information to the CISO,” says Konings of BDO Advisory.

Option #7: Reporting to the Board

An alternative few companies have considered but which is worth exploring is having the CISO report directly to the board of directors or one of its committees.

Pros: “Ultimately, the board is responsible for supervising management. The board needs unvarnished information about a company’s cyber performance,” says Edwards of Bressler, Amery & Ross. “Direct reporting to the Board enables directors to ask probing questions of management without the information being sanitized. It also enables the board to get discrete cyber information outside of board meetings when they may be deluged with an array of issues.”

Cons: For this to work, the company’s board must have members with specific knowledge of cybersecurity issues and a willingness to oversee the CISO role and function.

Source: https://www.securityroundtable.org/whats-the-best-reporting-structure-for-the-ciso/