May 24, 2016 By Fran Howarth 3 min read

The 10th annual CISO Forum, organized by Eskenzi PR, took place in April in London. It brought together a number of security vendors and security industry analysts who were able to ply a panel of leading CISOs from the U.K. with questions regarding the challenges they face and what keeps them up at night.

The CISOs represented a wide range of industries including banking, media, transport, retail and the public sector. To encourage open debate with no fear of attribution, the CISO Forum abided by the Chatham House Rule.

Whilst the discussion was wide and varied, one common theme emerged: Security is not just about technology. The role of people in all aspects of security needs to be considered.

Some Takeaways From the CISO Forum

One thing that still needs to be addressed is the role of user behavior. Several CISOs mentioned the ongoing battle against phishing, with one stating that 50 percent of all the risks faced by his organization were attributable to phishing. Users are still clicking on too may links, putting the organization at risk. Education is imperative.

CISOs can help the organizations in preparing for new regulations such as the European General Data Protection Regulation (GDPR), which will go into law in 2018. CISOs emphasized the need to consider all parts of their supply chain in these compliance efforts. Organizations that outsource to third parties are still responsible should a security breach occur, so the time to analyze those contracts is now. One CISO stated that he is currently spending 60 percent of his time with the organization’s legal team to understand the new requirements and their impact on the total organization.

The Need to Build Effective Relationships

Many CISOs agreed that while they used to have to spell out security to board members, the situation is improving. The number of breaches that have been in the news recently has helped, especially when asking for budget. As one CISO put it, “No news is bad news” in this regard. Another said, “Never let a good crisis go to waste.”

But there is still more to be done in terms of building effective C-level relationships. Security needs to be part of the business, not just a cog in the IT wheel. Technology is an enabler for the business, and security protects technology investments. Security is more than an enabler now; it is a requirement.

When asked which function CISOs should report to, there was less consensus. Some felt that reporting to the CIO was not a problem, whereas others felt that reporting to the head of risk might be the best option, especially for highly regulated industries. Where they did agree was that the CISO must become a trusted partner to the business. It is imperative that CISOs gain the trust of the board, even if they haven’t yet been granted a seat.

Only by building effective C-level relationships will the board be able to gain an overall understanding of the total risks that the organization faces. This allows them to compare the financial cost with regulatory aspects to gauge the overall business impact of a security incident.

CISOs also need to be able to gain more actionable insight from their technology tools to talk to the board and get them to understand the key risk areas. Vendors should do more to help them build a business case, yet many focus too much on the technical aspects of their offerings.

Addressing the Skills Gap

One analyst asked the CISOs whether the skills shortage was a shortage of people or of expertise. While one CISO stated that it was just a matter of paying more money to attract talent, others disagreed. One CISO said his company fills around one-quarter of security positions internally, perhaps from a more general IT role. Then the enterprise will look to recruit externally, but perhaps among those less experienced candidates who can be trained.

More universities today are focused on security and provide a fertile hunting ground for future talent. CISOs agreed that technology skills can be taught relatively easily but it is harder to find the team interaction and personal skills required. One provided the example of a woman who had worked within the organization as a personal assistant for 18 years; she was promoted to a senior security position and has been very successful, owing to the personal skills and relationships that she developed over the years.

Make Sure Everyone Is Prepared

Plans are all well and good on paper, but how will they work in practice? The CISOs agreed that it was necessary to prepare for the worst, making it imperative to test plans and perform exercises annually. Get everyone involved to ensure they are aware of their role — including third parties such as major suppliers — and combine both the physical and cyber aspects of security. It is essential to emphasize the overall impact on the business and the most important aspects for ensuring a swift recovery.

As usual, the CISO Forum was a lively event. It was interesting that although there were a number of security vendors present, the role of people rather than technology itself was a common theme. Everyone in the organization has a role to play, but CISOs must ensure that they are in the position to lead from the top so a culture of security can be driven throughout the organization.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today