The 10th annual CISO Forum, organized by Eskenzi PR, took place in April in London. It brought together a number of security vendors and security industry analysts who were able to ply a panel of leading CISOs from the U.K. with questions regarding the challenges they face and what keeps them up at night.
The CISOs represented a wide range of industries including banking, media, transport, retail and the public sector. To encourage open debate with no fear of attribution, the CISO Forum abided by the Chatham House Rule.
Whilst the discussion was wide and varied, one common theme emerged: Security is not just about technology. The role of people in all aspects of security needs to be considered.
Some Takeaways From the CISO Forum
One thing that still needs to be addressed is the role of user behavior. Several CISOs mentioned the ongoing battle against phishing, with one stating that 50 percent of all the risks faced by his organization were attributable to phishing. Users are still clicking on too may links, putting the organization at risk. Education is imperative.
CISOs can help the organizations in preparing for new regulations such as the European General Data Protection Regulation (GDPR), which will go into law in 2018. CISOs emphasized the need to consider all parts of their supply chain in these compliance efforts. Organizations that outsource to third parties are still responsible should a security breach occur, so the time to analyze those contracts is now. One CISO stated that he is currently spending 60 percent of his time with the organization’s legal team to understand the new requirements and their impact on the total organization.
The Need to Build Effective Relationships
Many CISOs agreed that while they used to have to spell out security to board members, the situation is improving. The number of breaches that have been in the news recently has helped, especially when asking for budget. As one CISO put it, “No news is bad news” in this regard. Another said, “Never let a good crisis go to waste.”
But there is still more to be done in terms of building effective C-level relationships. Security needs to be part of the business, not just a cog in the IT wheel. Technology is an enabler for the business, and security protects technology investments. Security is more than an enabler now; it is a requirement.
When asked which function CISOs should report to, there was less consensus. Some felt that reporting to the CIO was not a problem, whereas others felt that reporting to the head of risk might be the best option, especially for highly regulated industries. Where they did agree was that the CISO must become a trusted partner to the business. It is imperative that CISOs gain the trust of the board, even if they haven’t yet been granted a seat.
Only by building effective C-level relationships will the board be able to gain an overall understanding of the total risks that the organization faces. This allows them to compare the financial cost with regulatory aspects to gauge the overall business impact of a security incident.
CISOs also need to be able to gain more actionable insight from their technology tools to talk to the board and get them to understand the key risk areas. Vendors should do more to help them build a business case, yet many focus too much on the technical aspects of their offerings.
Addressing the Skills Gap
One analyst asked the CISOs whether the skills shortage was a shortage of people or of expertise. While one CISO stated that it was just a matter of paying more money to attract talent, others disagreed. One CISO said his company fills around one-quarter of security positions internally, perhaps from a more general IT role. Then the enterprise will look to recruit externally, but perhaps among those less experienced candidates who can be trained.
More universities today are focused on security and provide a fertile hunting ground for future talent. CISOs agreed that technology skills can be taught relatively easily but it is harder to find the team interaction and personal skills required. One provided the example of a woman who had worked within the organization as a personal assistant for 18 years; she was promoted to a senior security position and has been very successful, owing to the personal skills and relationships that she developed over the years.
Make Sure Everyone Is Prepared
Plans are all well and good on paper, but how will they work in practice? The CISOs agreed that it was necessary to prepare for the worst, making it imperative to test plans and perform exercises annually. Get everyone involved to ensure they are aware of their role — including third parties such as major suppliers — and combine both the physical and cyber aspects of security. It is essential to emphasize the overall impact on the business and the most important aspects for ensuring a swift recovery.
As usual, the CISO Forum was a lively event. It was interesting that although there were a number of security vendors present, the role of people rather than technology itself was a common theme. Everyone in the organization has a role to play, but CISOs must ensure that they are in the position to lead from the top so a culture of security can be driven throughout the organization.