The CISO in 2014: Security Strategies for Building Confidence and Trust Amidst Uncertainty

I recently hosted a fascinating panel discussion with three of Europe’s top Chief Information Security Officers (CISOs). I was joined on a live webinar by Norway-based EVRY CISO Kaare Bjørn Martinussen; Paul Hyland, CISO for the Ireland-based Ardagh Group; and Carles Sole Pascual, information security director of Spain’s CaixaBank. This interactive discussion focused on today’s hottest security topics and what was top of mind with these CISOs in 2014. It was interesting for me — and I hope for our audience — to hear their unique insights about the specific challenges and the innovative ways their organizations are approaching today’s evolving threats.

The Changing Role of Today’s CISO

IBM has been doing some interesting work in recent years looking at the evolving role of the chief information security officer. We started that work in early 2012 when we published our “Feeling the Pressure” paper, in which information security leaders shared insights into how they were reinventing the role in the face of accelerating industry change.

We followed this work with our 2012 CISO Assessment, where we looked in detail at more than 130 CISOs from around the world to gain deeper insight into this evolving role. In 2013, we continued this work with a further in-depth assessment interviewing senior security leaders before publishing this latest paper, “A New Standard for Security Leaders.” The report focused on three areas: business practices, technology maturity and measurement capabilities. Three strong recommendations emerged:

  • Actively build trust at the C-level while broadly communicating an explicit security strategy.
  • Invest in mobile security and advanced technology to directly support the business.
  • Focus on the overall economic impact of risk.

Three Topics That Are Top of Mind for Chief Information Security Officers

With this backdrop, our expert panel discussed a number of key topics: the threat landscape, the role of the CISO, compliance and regulation, and investments and priorities for 2014. What really stood out is how fast the landscape is changing, and as I reflect on the discussion, I would posit that there are three main takeaways for every CISO:

  1. Organizations are being forced to plan and review far more frequently, from quarterly to monthly. There was far more consistent communication up the chain by the panelists — they don’t just sit in the background. They must, and regularly do, talk to the business; they are “in their face,” as it were. This better engagement with the business leads to budget buy-in and better business alignment. It is important in security discussions to be open but also correct. Accuracy is important; stay factual, otherwise credibility suffers.
  2. From a technology standpoint, there was considerable discussion about the need for improved forensics. However, there is still much work to be done to understand what kind of forensics and data are needed. Now and in the future, what do we need to collect on a daily basis?
  3. One other particularly interesting insight was the move by one of the panelists from an ISO 27001/2 stance towards a PCI mindset. It would be interesting to see whether other organizations are thinking the same way and to explore the benefits of such an approach in more depth.

These insights fuel the need for further discussion and debate, and I look forward to the next in our series of CISO webinars next quarter. On-demand playback for the webinar is live and can be accessed here.

Insights from the 2013 IBM Chief Information Security Officer Assessment
