In our latest cybersecurity post, Peter Yapp explains why Cyber Security Risk should be considered a business risk like any other – not “an IT problem’.
A strange aura has built up around IT, or “Cyber” as it is now more commonly known. While a whole industry has grown up to support technology and provide cyber security, it’s all too often seen as a siloed business division. The common stereotypes still apply – the ‘geeky’ IT guy telling everyone to try “switching it off and on again” – but are they really fair? With cyber risks growing larger and complex every day, it’s time to re-think how businesses think of IT.
There are some encouraging signs, with the market starting to look for more strategic and business focused Chief Information Security Officers (CISOs) rather than the pure “techies”.
What businesses need is a new type of CISO. A CISO who can get involved in digital transformation, but who also has executive management skills and understands that security is an enabler.
Cyber security is about more than just building and maintaining threat resistant systems. It is both a strategic and risk management issue. A CISO needs to create a resilient cyber security culture and help cyber security to be a strategic advantage for the company.
A CISO today needs to understand business impact and resiliency and have the ability to present clearly and in non-technical language (without acronyms), to the Board. Skill sets need expanding to include risk, enterprise risk management and knowledge of the business. Technology can obviously still play a big part, but the role needs to be elevated in the reporting structure. CISOs who can’t think strategically have been given the wrong title.
For some, the role is too new and becomes siloed within the IT function. A CISO should never report to a CIO! (Work closely with, yes: report to, no). The role is also rarely viewed as part of the C-Suite. CISOs need overall leadership skills so that they can communicate with executives, the Board and other business leaders in terms they understand. They need to drive change and take smart risks.
About 25% of CISOs report to the CEO, about 10% report to the CFO, about 10% to the CTO, and just over 5 % to the COO; a very small percentage report directly to the Board. I would argue that this demonstrates a misunderstanding of the vital strategic role a CISO plays. The worst reporting line, in my opinion, would be to the CIO, followed by the COO and perhaps the CFO. Better the CEO, Chief Risk Officer or General Counsel. Encouragingly, in the UK’s FTSE350, the majority now have CISOs reporting directly to the Board.
The CISO is responsible for ensuring the security of an organisation's information systems and data – all of which is dictated by an organisation's risk appetite. They should provide independent objective assurance to the Board that the organisation is secure, without marking their own homework. A CISO must be able to develop a practical risk management program that is aligned with the overall business goals and objectives and evangelise this plan with key stakeholders across the organisation. Today’s CISO cannot sit in a bunker within the IT operations centre and expect to achieve buy in and support for their budget, plans and activities required to keep the business as safe as is reasonably possible.
There is a quote attributed to Albert Einstein: "If you can't explain it simply, you don't understand it well enough".
If a senior leadership team thinks that cyber security is complex, then the CISO is not doing their job properly. A CISO cannot help their organisation's leadership team make an informed decision if the information they are providing is full of impenetrable jargon, acronyms and complexity.
CISOs need to convey the value of cyber security in metrics the Board understands, like time and money saved and incidents prevented. Keep the message positive, for example the number of people who identified and reported phishing emails. Don’t tell them about the type and number of tools deployed or number of applications tested. Boards want to see the impact security has had on the business itself — not just how you improved things on an operational level. Put time aside every month to collect data and success stories that show the impact cyber security has on the business.
Many Boards are still reticent to engage with CISOs or cyber security as a subject, perhaps for fear of looking unsure of themselves or uninformed. But they are used to asking questions about complex financial matters. Cyber security should be no different.
The role of the Board in Cyber
What matters to the Board is a financially viable and successful company; having safe and secure business systems is what keeps the company afloat. Technology, and therefore cyber security, is central to an organisation's prosperity and resilience. This places cyber security squarely within the remit of the Board.
New regulations such as GDPR and the Network and Information Systems (NIS) Directive, as well as the reputational damage of cyber incidents, have raised the expectations of partners, shareholders, customers and the wider public that organisations need to be well prepared, react quickly and handle incidents effectively. The senior leadership team and Board members need to get a good enough handle on cyber security.
Boards and senior leadership teams have to make difficult decisions about how much time and money to spend on protecting technology and related services. Risk management is about informing and improving that decision-making process. What you don’t want is a compliance tick box exercise. This might get you past an audit, but will not make your cyber security, ability to respond or recover any better. In fact, it might just give you a false sense of security.
For the Board or senior business team, I suggest looking at the risk to the system as a whole and leave the individual risks to technical components to the technical team. However, governing risks to technology systems is no different to governing other business activities. You just need to use the right people, structures and processes to make sensible risk management decisions to achieve your business goals and objectives.
Remember that security is a constant requirement and there is no such thing as 100% security. The Penetration Test you had carried out 6 months ago was only valid at the time it occurred. You should aim for resilience, so do the best to stave off attacks, be effective in monitoring so you know when you are being attacked and be prepared so that you can recover quickly after an attack. As part of the risk calculation, the business needs to understand the value of the data it holds – this is a business function, carried out with the help of the cyber security team. The CISO and their team need to make it work for the people in their organisation.
Some of the key business-related questions a Board should be asking a CISO (and a CISO should be ready to answer) are:
1) What is important to the business? What are the key data assets and key systems supporting the business and are these effectively protected? What would be of value to an attacker?
2) Accepting that you can’t have 100% security, what is the agreed risk appetite? Have the appropriate resources been allocated throughout the business to meet that risk appetite?
3) What monitoring is in place to identify malicious events (attacks, data theft etc.)? Can and do staff report in when they encounter something they think looks odd?
4) Does the business encourage a good security culture and is the staff awareness program properly resourced and effectively communicated?
5) Do we have a response plan in the event of a cyber-attack? 27% of companies have no formal cyber security policy.
6) How often is the response plan tested and exercised? 72% of large companies have experienced a breach or a cyber-attack.
7) What relationships does the company have or need to develop with third party suppliers, lawyers, law enforcement and/or regulators in order to respond effectively to a breach?
8) What does the Cyber/IT estate look like in terms of numbers, links, geographic reach, age of equipment and software and what are the key vulnerabilities that need to be addressed as part of the cyber security strategy?
9) Are the security measures that are planned or have been rolled out, in line with the risks that have been identified and prioritised?
10) How are third party risks of those holding our data or having access to our systems mitigated?
The Board or senior team needs to focus on protecting the value and reputation of the company in the long run. They should not be waiting for a major incident (or two) before they take action, neither should they wait for regulation. Social media means that a company or individual’s reputation can be trashed within hours if you don’t have the plans in place to take immediate action and handle the crisis.
What does the future hold for CISOs? CISOs must become more involved in brand and reputation protection and for some, those who bring most value to the business, a seat within the C-Suite awaits.
Peter Yapp, Cyber Partner at Schillings Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre and post cyber security incident advice to a range of individuals, companies, boards and operators of essential services.