May 24, 2016 By Fran Howarth 3 min read

The 10th annual CISO Forum, organized by Eskenzi PR, took place in April in London. It brought together a number of security vendors and security industry analysts who were able to ply a panel of leading CISOs from the U.K. with questions regarding the challenges they face and what keeps them up at night.

The CISOs represented a wide range of industries including banking, media, transport, retail and the public sector. To encourage open debate with no fear of attribution, the CISO Forum abided by the Chatham House Rule.

Whilst the discussion was wide and varied, one common theme emerged: Security is not just about technology. The role of people in all aspects of security needs to be considered.

Some Takeaways From the CISO Forum

One thing that still needs to be addressed is the role of user behavior. Several CISOs mentioned the ongoing battle against phishing, with one stating that 50 percent of all the risks faced by his organization were attributable to phishing. Users are still clicking on too may links, putting the organization at risk. Education is imperative.

CISOs can help the organizations in preparing for new regulations such as the European General Data Protection Regulation (GDPR), which will go into law in 2018. CISOs emphasized the need to consider all parts of their supply chain in these compliance efforts. Organizations that outsource to third parties are still responsible should a security breach occur, so the time to analyze those contracts is now. One CISO stated that he is currently spending 60 percent of his time with the organization’s legal team to understand the new requirements and their impact on the total organization.

The Need to Build Effective Relationships

Many CISOs agreed that while they used to have to spell out security to board members, the situation is improving. The number of breaches that have been in the news recently has helped, especially when asking for budget. As one CISO put it, “No news is bad news” in this regard. Another said, “Never let a good crisis go to waste.”

But there is still more to be done in terms of building effective C-level relationships. Security needs to be part of the business, not just a cog in the IT wheel. Technology is an enabler for the business, and security protects technology investments. Security is more than an enabler now; it is a requirement.

When asked which function CISOs should report to, there was less consensus. Some felt that reporting to the CIO was not a problem, whereas others felt that reporting to the head of risk might be the best option, especially for highly regulated industries. Where they did agree was that the CISO must become a trusted partner to the business. It is imperative that CISOs gain the trust of the board, even if they haven’t yet been granted a seat.

Only by building effective C-level relationships will the board be able to gain an overall understanding of the total risks that the organization faces. This allows them to compare the financial cost with regulatory aspects to gauge the overall business impact of a security incident.

CISOs also need to be able to gain more actionable insight from their technology tools to talk to the board and get them to understand the key risk areas. Vendors should do more to help them build a business case, yet many focus too much on the technical aspects of their offerings.

Addressing the Skills Gap

One analyst asked the CISOs whether the skills shortage was a shortage of people or of expertise. While one CISO stated that it was just a matter of paying more money to attract talent, others disagreed. One CISO said his company fills around one-quarter of security positions internally, perhaps from a more general IT role. Then the enterprise will look to recruit externally, but perhaps among those less experienced candidates who can be trained.

More universities today are focused on security and provide a fertile hunting ground for future talent. CISOs agreed that technology skills can be taught relatively easily but it is harder to find the team interaction and personal skills required. One provided the example of a woman who had worked within the organization as a personal assistant for 18 years; she was promoted to a senior security position and has been very successful, owing to the personal skills and relationships that she developed over the years.

Make Sure Everyone Is Prepared

Plans are all well and good on paper, but how will they work in practice? The CISOs agreed that it was necessary to prepare for the worst, making it imperative to test plans and perform exercises annually. Get everyone involved to ensure they are aware of their role — including third parties such as major suppliers — and combine both the physical and cyber aspects of security. It is essential to emphasize the overall impact on the business and the most important aspects for ensuring a swift recovery.

As usual, the CISO Forum was a lively event. It was interesting that although there were a number of security vendors present, the role of people rather than technology itself was a common theme. Everyone in the organization has a role to play, but CISOs must ensure that they are in the position to lead from the top so a culture of security can be driven throughout the organization.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today