Skip to main content

Getting cybersecurity to the top of the boardroom agenda

(Image credit: Image source: Shutterstock/jijomathaidesigners)

The IT industry has undoubtedly shone a bright light on the role of the Chief Information Security Officer (CISO) this year; the increasing responsibility and heightened risks associated with the role and the fact that no organisation appears to be safe from a data breach has given the role a new purpose and place within the structure of a business.

CEOs, Boards of Directors and Trustees are now realising how fatal cybersecurity failures can really be. In reality, a major data breach will ruin not only an organisation’s reputation, damage its brand and future prospects or plans, but also have serious consequences on the bottom line. When a breach occurs, and the data of customers, partners, employees or even the general public, is compromised, hard decisions need to be made - and fast. How can a CISO put cybersecurity at the top of the Board’s agenda BEFORE a breach occurs - and make it stay there?

The new CISO mindset

Despite the risks that the role now has a reputation for, numerous organisations are starting to see the value of employing someone to specifically deal with the increasingly sophisticated cyber threats, either because they have the right Information Assurance (IA) mindset - focusing on protecting data rather than the network - or because of the increasing pressures around compliance, risk and governance.

In the past few years, the role of the CISO has left behind its traditional responsibilities and core tasks of specifically developing, deploying and maintaining an information security programme, serving to protect all of the data stored and processed by a business, morphing into a much more integral role of identifying risk across the entire business and raising awareness to employees of the damage a data breach can cause. Additionally, the role now has a direct reporting line to the Board of Directors rather than a CIO or CTO, extending visibility and accountability - meaning the CISO has become part of the wider business picture, rather than operating in a silo.

Qualities fit for the role

Whilst no two CISO’s will be the same, there are certain characteristics that are essential for a CISO to possess. Diligence, attention to detail and being risk aware of threats not just to the role, but of the entire organisation and industry, are just three of the main vital characteristics; coupled with the ability to make quick, informed decisions using all of the information available. Additionally, new threats need to be identified and new protocols put in place, all of which needs to be consistently managed and maintained to keep up with the evolving threat landscape. It’s certainly not an easy task - but it’s vital to the running of any organisation’s success.

On top of this, being an excellent communicator and understanding various audiences is also key; explaining the threats or solutions to a non-technical Board won’t get a CISO very far - and having the Board on side with cybersecurity efforts is essential. The Board wants to hear about the financial implications, so shying away from the possibilities won’t get a CISO very far. Instead, a CISO needs to be able to communicate clearly, removing tech jargon that really isn’t applicable to ensure the Board of Directors are fully aware that cyber risk now has fiduciary implications and therefore needs to be given the time and attention it deserves. It’s no longer good enough for cybersecurity to be ignored or only briefly discussed in a Board-level meeting - the entire organisation needs to be aware of the risks posed and the precautions and solutions in place.

Information assurance rather than network security

Technology decisions are vital for ensuring the organisation is secure; with numerous attack techniques in existence that have the ability to not only infiltrate, but destroy an organisation’s network, it is critical for organisations to think about IA, which focuses on the data, rather than security, which focuses on the network. We only need to look at the vast number of data breaches that have occurred - and continue to occur - to understand that no organisation is safe from a data breach. By understanding the sensitivity and risk of data compromise, the CISO is able to focus on technology decisions that protect the data itself and not just the network the data runs over. Put simply: when the network is compromised, it is data that is put at risk - and we all know the consequences this can have - so protecting data is no longer just an ‘option’, it’s essential.

Additionally, the need to separate roles in an organisation into discrete functions is imperative; ‘Separation of Duties’ (as it is known) removes the cross-contamination of roles, which therefore increases accountability, reduces error potential and removes the potential for non-essential personnel to access the security configuration of network devices. This separation of duties also needs to be extended to the technology itself, by adopting an overlay security posture, allowing both flexibility and agility to be extended across all networks whether owned or not, whilst ensuring zero impact to the security posture when the network is changed or compromised. Every CISO should understand how fundamental this is - and every CISO needs to be able to communicate this to the Board.

Getting the whole organisation on board

Whilst the correct security mindset must start at the top, in reality, it also needs to be embedded across all practices within an organisation; extending beyond the security team to legal, finance and even marketing. If the entire organisation is aware of the risks faced, and the part each department and each employee plays in keeping the organisation’s data secure, the business itself will be far better prepared for any risk faced. The responsibility of securing the entire organisation’s network sits with the CISO, but the catastrophic risks of a cybersecurity failure means that it must be given consideration by the entire Board and become a top priority in meeting business objectives. It really is that simple.

Paul German, Sales, Certes Networks
Image source: Shutterstock/jijomathaidesigners