July 23, 2014 By Christopher Burgess 2 min read

Ensuring the security, availability and authenticity of the various data sets that a company creates or is entrusted with by its partners and customers should be top-of-mind for a chief information security officer (CISO) focused on cyber security risk. It’s a broad brush indeed, and for many smaller companies, a CISO is a luxury that they simply cannot afford. However, this does not obviate the need to have the CISO’s responsibility and accountability fall within the remit of a senior company executive.

Cyber Security Risk

That said, does the role of the CISO require technical or business acumen? In the recent keynote address at SC Magazine’s Toronto Congress, IBM’s Global CISO Joanne Martin highlighted the need for information technology professionals to be prepared to deliver actionable insights into threats to their respective company’s leadership and boards. According to Martin, at IBM, the top cyber security risks identified by her team are security risks that accompany the continued use of machines that use Windows XP, as it remains embedded in parts of IBM’s systems. Microsoft ceased to provide support to Windows XP on April 8, 2014.

Crown Jewels

Couple the Windows XP migration effort with the continued avalanche of breaches affecting customers, patients and company internal data, and every CISO has his or her hands full. These issues aren’t the type that executives and boards of directors sit with quietly. Boards of directors have sat up and noticed as more and more companies have been pilloried following a breach or cyber security incident that puts customers, partners or the company itself at risk.

When the existence of a cyber security risk has been recognized by the board, the CISO is asked, “Do you know what constitutes the ‘crown jewels’ to the company and what the damage will be to the company should they be lost, stolen or otherwise compromised?” Crafting a cyber security risk mitigation strategy to protect data is a challenge, and it is important to know where the most valuable information lies. If you are a new (or established) CISO and don’t have this answer, you now have your task.

Malicious Code and Sustained Probes

For those who have followed the prognostications in the annual security reports issued in the first half of 2014, CISOs are facing two major types of incidents within the cyber attack continuum: malicious code and sustained probes. These are the same issues identified in IBM’s annual report issued in July 2013. The challenge for CISOs will be processing the extraordinary amount of data fed to them from the near-constant probing of their company’s infrastructure while also maintaining a level of service to their constituency to conduct unimpeded business. The reality is that, once penetrated, the more advanced entities will burrow deep into the infrastructure in hopes of a long-term engagement via a snatch-and-grab compromise. Therefore, the challenge for the CISO will not only be monitoring the outside coming in, but also the inside going out and any anomalous activities within the intranet of the company.
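The three monitoring directions named above (outside coming in, inside going out, and anomalous activity within the intranet) can be illustrated with a small triage over firewall log lines. The following is an added example, not code from the original article or from IBM; the log format, every IP address and port, the internal address ranges, the egress baseline and the file-server list are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): minimal triage of
constructed firewall log lines, separating inbound probing from
anomalous outbound and intranet activity. All addresses, ports and
baselines below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the company's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed: external (destination, port) pairs internal hosts are known to use.
KNOWN_EGRESS = {("198.51.100.9", 443)}

# Constructed: internal hosts that legitimately serve SMB (TCP 445).
FILE_SERVERS = frozenset({"10.0.9.5"})

# Constructed sample lines in the form "<ts> <action> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2014-07-22T03:14:01 DENY 203.0.113.7:51111 -> 10.0.5.20:22
2014-07-22T03:14:02 DENY 203.0.113.7:51112 -> 10.0.5.20:23
2014-07-22T03:14:03 DENY 203.0.113.7:51113 -> 10.0.5.20:445
2014-07-22T03:14:04 DENY 203.0.113.7:51114 -> 10.0.5.20:3389
2014-07-22T03:14:05 DENY 203.0.113.7:51115 -> 10.0.5.20:8080
2014-07-22T03:14:06 DENY 203.0.113.7:51116 -> 10.0.5.20:1433
2014-07-22T03:20:00 DENY 203.0.113.9:40000 -> 10.0.5.21:22
2014-07-22T09:00:00 ALLOW 10.0.5.20:49200 -> 198.51.100.9:443
2014-07-22T09:00:10 ALLOW 10.0.5.21:49201 -> 198.51.100.9:443
2014-07-22T10:12:00 ALLOW 10.0.5.22:49400 -> 10.0.9.5:445
2014-07-22T23:45:00 ALLOW 10.0.5.20:49300 -> 192.0.2.77:4444
2014-07-22T23:45:30 ALLOW 10.0.5.20:49301 -> 192.0.2.77:4444
2014-07-22T23:50:00 ALLOW 10.0.5.20:49302 -> 10.0.5.21:445
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the constructed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one constructed log line into its fields."""
    ts, action, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport)}


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def inbound_probes(events: list, min_ports: int = 5) -> dict:
    """Outside coming in: external sources touching many distinct ports on
    internal hosts. Returns {source_ip: distinct_port_count} above the threshold."""
    ports = defaultdict(set)
    for e in events:
        if not is_internal(e["src"]) and is_internal(e["dst"]):
            ports[e["src"]].add(e["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


def outbound_anomalies(events: list, known=KNOWN_EGRESS) -> list:
    """Inside going out: allowed flows from internal hosts to external
    (destination, port) pairs that are not in the egress baseline, deduplicated."""
    flagged = set()
    for e in events:
        if e["action"] == "ALLOW" and is_internal(e["src"]) and not is_internal(e["dst"]):
            if (e["dst"], e["dport"]) not in known:
                flagged.add((e["src"], e["dst"], e["dport"]))
    return sorted(flagged)


def intranet_smb(events: list, servers=FILE_SERVERS) -> list:
    """Within the intranet: internal-to-internal SMB where the target is not a
    known file server (host-to-host file sharing that merits a look)."""
    flagged = set()
    for e in events:
        if (e["action"] == "ALLOW" and e["dport"] == 445 and is_internal(e["src"])
                and is_internal(e["dst"]) and e["dst"] not in servers):
            flagged.add((e["src"], e["dst"]))
    return sorted(flagged)


def triage(text: str) -> dict:
    """Run all three checks over a log text and return a summary dict."""
    events = parse_log(text)
    return {"probes": inbound_probes(events),
            "outbound": outbound_anomalies(events),
            "intranet_smb": intranet_smb(events)}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

The thresholds and baselines are the tunable part: the probe threshold trades noise against early warning, while the egress baseline is what turns the "inside going out" question into something a CISO can actually report on, since every flagged tuple is either a new business dependency to add to the baseline or something to investigate.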

Overall, the role of CISOs is a mixed bag of skills. They need to earn their place at the leadership table. This is possible through their successful ability to articulate business risks and execute mitigation methodologies designed to address those risks. While CISOs may always be focused on creating solutions that assure the security, availability and authenticity of the company’s data and “crown jewels,” their measure of success will be evidenced by the continued trust of the company’s partners and customers.
