The Evolving Role of CISO Can Improve Information Security in Indian Banking

Whether in banking or any other industry, business needs take precedence; senior management regards anything less tangibly connected to organizational objectives and profitability as less important.

Information security, and the CISO role with it, have struggled to gain prominence, despite ISACA’s best efforts in shouting from the rooftops that information security must be on boards of directors’ agendas and that CISOs should be installed, reporting to the CEO.

During the late ’90s, the CISO position was always thought of as something connected to “IT.” It was more data security than information security. Even when I passed my CISA examination in 2005, I was given the role of “Data Security Officer” in my organization, reporting to the VP-IT.

In the banking sector, the CISO position was normally held by somebody handling network security and reported to the CTO (GM-IT). We had a position called “head of IT,” and designating a CIO was quite infrequent.

Then the Reserve Bank of India (RBI) published the comprehensive report and recommendations of its working group on information security, electronic banking, technology risk management and cyber frauds, popularly known as the “Gopalakrishna Committee” report, in January 2011. This report not only mandated that the CISO position be held by a sufficiently senior official of the rank of GM/DGM/AGM, but also stated that the CISO should report directly to the head of risk management. Thereafter, in most banks, the CISO position was placed within the risk management department and reported to the GM-Risk Management, alternatively designated as Chief Risk Officer (CRO). Interestingly, the report also mandated that the CISO not have a direct reporting relationship with the CIO.

Not satisfied with the various banks’ response to continuing cyber attacks, RBI issued a comprehensive cyber security framework consisting of baseline measures on 2 June 2016. Board-level sponsorship was mandated, baseline controls were established and strict compliance was required, in addition to having a cyber-crisis management plan. The CISO position assumed huge relevance, and RBI expected the CISO to play a pivotal role.

Within a year, RBI once again came out with a document clearly articulating the CISO role. Apparently wanting significant improvement in banks’ remediation of cyber security attacks, RBI’s new mandate was for the CISO to report directly to an Executive Director (ED), or the equivalent, overseeing the risk management function. The CISO therefore now has more board visibility than ever.

In addition, the regulator very clearly positioned the CISO role alongside the CRO to establish a strong risk management framework. The two should communicate closely and work together to enable a holistic risk management approach.

This is a very good development, which will make cyber security in the banking sector more effective and the position of CISO more challenging and fulfilling. Both positions report to the ED, each backed by its own team: credit risk management and information risk management (IRM), respectively.

With credit risk management already a well-established discipline, we can expect information risk management to mature into an equally robust discipline as it evolves to defend the entity against continuing cyberattacks and threats, and shapes itself to comply with the associated advisories from the regulatory bodies.

Very exciting times ahead!

Ravikumar Ramachandran, Account Security Officer, DXC Technology, India, CISA, CISM, CGEIT, CRISC, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CFA, CEH, ECSA, CHFI, COBIT-5 Implementer, Certified COBIT Assessor, ITIL-Expert

[ISACA Now Blog]

As CISOs’ Roles Evolve, So Do the Reporting Lines

Author’s note: This post was inspired by the discussions among CISOs attending ISACA’s 2016 CISO Forums, plus additional readings and personal experience. The opinions are my own. For more insights from the CISO Forums, read ISACA’s CISO Board Briefing 2017.

A study by K logix Research titled “CISO Trends” found that “53% of CISOs state that one of their main objectives is to align security with business goals while 46% want to partner with business leaders to help them solve problems.”

This will have implications that go far beyond resource allocation. The CISO’s contribution to the organization is fundamentally to enable growth and support the attainment of the strategic objectives. The CISO will achieve this by ensuring that the information security posture is commensurate with the risk appetite and compliant with industry requirements.

When a group of CISOs discusses reporting lines, you quickly realize that there is no single global best practice. In fact, as indicated in ISACA’s CISO board briefing, “there is not one correct organizational map, not one universal title and not even one universally applicable job description for the information security executive.”

To best fulfill this role, a key success factor is having the CISO as close as possible to those who set the tone at the top. Direct reporting to the CEO is what first comes to mind. Working closely with the CEO helps ensure best alignment of security with business imperatives. This requires an excellent working relationship between the CISO and the CEO.

Being perceived as part of the inner circle has its ups and downs. Other executives and directors will want to display a collaborative attitude and deal with the CISO as a key player but might also see the CISO as a threat to their own agenda.

The same study by K logix points out that “more than half of CISOs report to the CIO, and just 15% report to the CEO, with the rest reporting to the COO, or Risk-related organizations. But when asked about the future of the security organization, 50% of CISOs responded that the role will report into the CEO.”

There are some public examples in which even the CEO had an agenda that made her avoid her CISO. Googling Yahoo’s Marissa Mayer will provide an example of a situation of which no CISO wants to be part.

A very prevalent option is reporting to the CIO. As information security gained recognition and came to be seen as no longer a purely technical issue, the person in charge was promoted and reported directly to the CIO. At the time, this was a very positive enhancement of the role. But while it may work well for some, it comes with some risk. The CIO is under heavy pressure to deliver the required projects on time and within budget. In this model, the CIO, who has a supervisory function for security and other matters, may also be influenced by personal financial considerations, such as a bonus – particularly in the private sector.

The CIO will eventually be confronted with conflicting objectives when a project does not meet the security requirements and is running out of time or budget. Security is then at risk of being sidetracked. There is a clear rationale for having the CISO function independent of IT.

Other reporting lines may be to the chief risk officer, chief financial officer, chief operations officer and even the chief audit executive.

In “Determining Whether the CISO Should Report Outside of IT, Refreshed” from research firm Gartner, it is noted that:

  • “Information security organization design is influenced by a host of factors specific to each enterprise that must be well understood before the adopted structure can work optimally.”
  • “The main trend has been a tendency to establish a corporate information security function outside of the IT organization.”

When the opportunity comes to revisit the reporting lines for the CISO, it is no time for idealism. One must determine which is the best option within the context, culture and environment of his or her organization.

Among other considerations, one must assess the organization’s vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines.

Michel Lambert, CISA, CISM, CRISC, CGEIT, CISO, Québec Ministry of Agriculture, Fisheries and Food

[ISACA Now Blog]

My Transition From IT Audit to CISO

My transition from internal IT auditor to CISO in banking felt natural because, while working as an auditor, I developed a strong knowledge of information security and control concepts while also improving my communication skills.

Communication skills are crucial to the success of a CISO. Effective communication helps build positive relationships with employees at all levels within the organization. As an auditor, I presented audit reports to the Audit Committee. This served as excellent experience because I learned how to communicate effectively with top-level personnel, which was also required in my role as CISO.

Internal auditors are facing new challenges. Sensitive information is pervasive in the digital world because users expect it to be available whenever needed. Prior to the Internet-connected world, the focus in banking tended to be on business continuity planning, the exposure of sensitive information to threats against physical media, and other financial fraud such as physical credit card theft.

In the connected world, data is readily available through connected networks, and that data is the target of cyber attacks. Given the rise of successful attacks, IT auditors must continually educate themselves on the new types of threats and be knowledgeable of information security controls and how to test those controls.

There are many resources available to auditors. Just as a mechanic needs to acquire a toolset, an IT auditor must also assemble an array of resources. An auditor must network with other IT audit and information security professionals by participating in professional organizations. In addition to networking, websites such as ISACA’s and SANS’ provide audit and information security resources. ISACA has an online library with information security and audit books. These are useful resources for professionals new to IT audit.

IT auditors must remain relevant by constantly educating themselves regarding the latest information security threats, trends and controls by using all available resources. IT auditors are no longer an asset to their organization when they stop learning.

Changing career paths from IT audit to CISO was a smooth transition because I developed strong communication skills as an auditor, I had a strong knowledge of the latest security threats and trends, continuous education was a priority to me, and I assembled a set of resources. For those who are interested in a career path change from IT audit to CISO, these key items should help ensure success.

John Pouey, CISA, CISM, CRISC, Secretary, Greater New Orleans Chapter

[ISACA Now Blog]

Cyber Security Tip for CISOs: Beware of Security Fatigue

What’s the most effective thing you can do for cyber security awareness? Stop talking about it, according to a new study that uncovered serious security fatigue among consumers. The National Institute of Standards and Technology study, published recently, found many users have reached their saturation point and become desensitized to cyber security. They’ve been so bombarded with security messages, advice and demands for compliance that they can’t take any more—at which point they become less likely to comply.

Security fatigue wasn’t even on the radar
Study participants weren’t even asked about security fatigue. It wasn’t until researchers analyzed their notes that they found eight pages (single-spaced!) of comments about being annoyed, frustrated, turned off and tired of being told to “watch out for this and watch out for that” or being “locked out of my own account because I forgot or I accidentally typed in my password incorrectly.” In fact, security fatigue was one of the most consistent topics that surfaced in the research, cited by 63 percent of the participants.

The biases tied to security fatigue
When people are fatigued, they’re prone to fall back on cognitive biases when making decisions. The study uncovered three cognitive biases underlying security fatigue:

  • Users are personally not at risk because they have nothing of value—i.e., who would “want to steal that message about how I made blueberry muffins over the weekend.”
  • Someone else, such as an employer, a bank or a store, is responsible for security, and if targeted, they will be protected—i.e., it’s not my responsibility.
  • No security measures will really make a difference—i.e., if Target and the government and all these large organizations can’t protect their data from cyber attacks, how can I?

The repercussions of security fatigue
The result of security fatigue is the kind of online behavior that keeps a CISO up at night. Fatigued users:

  • Avoid unnecessary decisions
  • Choose the easiest available option
  • Make decisions driven by immediate motivations
  • Behave impulsively
  • Feel a loss of control

What can you do to overcome employee security fatigue?
To help users maintain secure online habits, the study suggests organizations limit the number of security decisions users need to make because, as one participant said, “My [XXX] site, first it gives me a login, then it gives me a site key I have to recognize, and then it gives me a password. If you give me too many more blocks, I am going to be turned off.”

The study also recommends making it simple for users to choose the right security action. For example, if users can log in two ways—either via traditional username and password or via a more secure and more convenient personal identity verification card—the card should show up as the default option.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

CISOs: Do You Have the Five Critical Skills of a DRO?

CISOs exploring career advancement opportunities have a new consideration, according to Gartner VP and Distinguished Analyst Paul Proctor. At a Gartner Security & Risk Management Summit presentation in June, Proctor talked about the evolution of a new enterprise role, which is a logical next step for some CISOs: Digital Risk Officer (DRO).

While few organizations have formally created the role, Gartner predicts that by 2020, 30 percent of large enterprises will have a DRO in place. Why? Because the increasing integration of digital technologies into business operations and products—the Internet of Things (IoT)—requires someone who can assess technology risk throughout the digital enterprise and provide executives with decisions that impact business processes. An example is assessing the physical system that gathers personally identifiable information from wearable technology. The DRO would look at how the data is used in marketing and sales operations, identify privacy issues, and look at the legality of monetizing the data as a source of revenue.

Proctor reports that while CISOs may not have the title, many have gradually taken on some of the tasks associated with a DRO, such as:

  • Reviewing contract clauses for technology risk and security requirements
  • Developing policies to address the growing use of technology not controlled by IT
  • Addressing the privacy and security of data gathered by IoT devices
  • Providing security expertise to Mode 2 projects
  • Dotted-line reporting to operational risk groups

For CISOs interested in making the transition, here are the skills needed, according to several experts:

  1. Fully comprehend how the business is run, recognize desired strategic outcomes and speak the language of executives in order to fully articulate digital risk factors in operational and financial terms.
  2. Understand IT, IoT and operational technology (OT), and the overlap of technology and the physical world.
  3. Have the ability to work in a bimodal organization, supporting Mode 2 projects.
  4. Understand global privacy and e-commerce regulations.
  5. Have a people-centric style to work across the organization in collaboration with businesses, legal, compliance, operations, and digital marketing and sales.

Essentially, the DRO’s role is to bridge the cultural divide between business and technology, says Nick Sanna, president of the Digital Risk Management (DRM) Institute. To do that requires building the organizational processes and best practices necessary to measure and manage digital business risk—including mapping important business processes, assessing exposure to threats and prioritizing risk mitigation initiatives. Sanna admits that building a DRM program will be a complex challenge for DROs, but also a great personal stretch opportunity.

Mark Wojtasiak, Director of Product Marketing, Code42

[Cloud Security Alliance Blog]