Here’s an action list for the new Chief Information Security Officer

Written by on June 26, 2017 in Guest Blog

As an industry, we now have a plethora of high-profile breaches that we can point to when we discuss the impact of not taking security seriously enough: Home Depot, Target, Sony Pictures, Yahoo, and the list goes on. When names like WannaCry and Mirai become water-cooler conversation, that says something. If there is any upside to all this, it’s that the role of the Chief Information Security Officer (CISO) has finally been accepted at the board level.

The evolving role of the CISO

According to an article in the Deloitte Review titled The New CISO, the more traditional role of the CISO focused on monitoring, repelling, and responding to cyberthreats while meeting compliance requirements; these are the well-established duties of CISOs, or their equivalents, and their teams.

The article goes on to argue that business leaders need the CISO to take a stronger and more strategic leadership role. Inherent to this new role is the imperative to move beyond the role of compliance monitor and enforcer: to integrate better with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise.

The CISO now has the board’s full attention: what should they share?

While CISOs want to build more effective relationships with their business counterparts, finding a shared language is not always easy. Speaking at the SINET Innovation Summit this week in New York, a group of CISOs offered practical tips for communicating with board members.

“It’s not necessary in my mind for a board conversation to have a very metrics-heavy dialogue,” said Rohan Amin, global chief information security officer for J.P. Morgan Chase & Co., during a panel discussion on cybersecurity metrics at the SINET Innovation Summit. “Things like that are completely irrelevant for a board conversation.”

“Fundamentally what the board wants to know is are you successfully executing on your program. Are the right people in place, is the right governance structure in place to really affect the program that you need,” said Boaz Gelbord, chief information security officer at Bloomberg LP.

In crafting the presentation, CISOs should tailor their message to the needs of the board, said Gary Owen, VP and CISO at Time Warner Inc. Many board members read memos from past meetings before coming into new ones, and tend to prefer a predictable rhythm. Adding unnecessary information about cyberattacks or in-the-weeds facts and figures could throw them off and lead to lots of undesired questions, he said.

“As far as what the rest of the business … sees, it has to be the same data,” J.P. Morgan’s Mr. Amin said. While a senior executive might see a simplified “key risk indicator” that summarizes the firm’s security posture, it should be derived from the same underlying data used by those farther down in the organization.

SecurityScorecard has some terrific tips for CISO communication

Communicating with the Board of Directors can be one of the most difficult tasks that a Chief Information Security Officer is responsible for. Whether it’s because of differing priorities, a lack of clear information, or simple indifference, a CISO can have trouble getting the Board on the same page if he or she is not properly prepared.

Like it or not, as a CISO, you must continually prove your worth to the company. Part of this is reassuring the Board that you are effectively managing the security program. This can be done in many ways:

  • Create a list of current and finished projects since the last meeting and explain how they have positively impacted the company
  • Summarize spending on the security program, with an emphasis on the return that will be obtained from these investments
  • Quantify how the company is more secure now than in the previous meeting (e.g. vulnerabilities closed, incidents resolved, fewer alerts generated, etc.)
  • Discuss future security projects which will further improve the company’s security posture
  • Remember to represent these accomplishments in terms of value added, money saved, threats averted, and so on, instead of simply showing a list of remediated vulnerabilities. An explanation of “Project X avoided $5 million in losses” is more effective than “Project X implemented HTTPS encryption on production data,” since the Board won’t understand the implications of that technically-explained risk.

The main takeaway here: keep your discussions brief and at a high level, because you don’t want to lose board members’ interest with technical details. Have a small packet available with more in-depth information on each project in case they want to review it further.

More on Cetusnews, and see SecurityScorecard for more tips.

This article was first published on CyberSec.Buzz.


About the Author

Jonathon has been lurking around the Telecoms and Internet space for the last 20 years. He is now a man on a mission – that being the reformation of the Industry Analyst business. He is working with his co-conspirators on transforming the Industry Analyst world forever as an Expert with EMI.
