DIGIT LEADERS: CISOs – Roles and Responsibilities
What is a Chief Information Security Officer? Is this a top tier position that entails many far-reaching responsibilities, or something more measured? Is there an epidemic of businesses advertising for CISOs in the hopes of covering all of their security problems? What could, and should, be expected of a ‘good’ CISO?
To find out, DIGIT spoke to three leading voices on the CISO role, as part of its ongoing series DIGIT Leaders.
Stu Hirst is Head of Security Systems & Infrastructure Operations at credit agency Capital One. He is fresh into his new role, having moved from Information Security Technology Manager at flight and hotel comparison site Skyscanner. Stu has spoken at and created innumerable events, including Security Scotland – a not-for-profit industry leader event hosted around five times a year for attendees to chat about all things protection. Stu also appeared on the keynote panels for Cloud Expo Europe 2017 and InfoSec Europe 2017.
Phil Cracknell is regarded as one of Europe’s leading information security experts. With over 28 years’ experience gained in a variety of high-profile technology and security management roles, he offers a unique insight into the world of information security, cyber-threats and risk management. He is a regular speaker at UK, Middle Eastern and European conferences. Phil served as Group Security & Risk Advisory to Arriva Plc., Advisor to the Board at Camelot UK and is currently the interim Global CISO for HomeServe Plc. He was also founder and chairman of the non-profit ClubCISO group.
Steve Gibson is the owner and Managing Director of Information and Cyber Security firm Dataweb Business Services Ltd., a business he started over 6 years ago. His primary services include corporate coaching, training and consultancy for organisations requiring help with their information and cyber security strategies. Historically, this has revolved around the adoption of ISO27001 and Cyber Essentials frameworks, but more recently activity has moved towards consulting in a CISO or DPO capacity and in GDPR readiness initiatives.
DIGIT: What areas of a typical business fall within the purview of a CISO?
Steve: “The CISO role in the UK has been adopted from the US with a fundamental misunderstanding of what a CISO is and where a CISO sits within an organisation. In the US a ‘Chief’ is a board level role (or advisor to the board) with strategic input and a close to board level salary. This is because US businesses that have a CISO have recognised the role’s importance at a high level and given him a Chief title.
“The issue is that most UK businesses haven’t got a clue what ‘CISO’ means in the traditional US-centric sense of the word and so they plug an information security hole and title the role CISO. This means that when you are comparing CISOs across the UK you are not comparing apples with apples. You can’t compare a board level CISO with a department level CISO.”
Stu: “I think a CISO has an over-arching responsibility for security across the entire business. It’s one of few roles in a company where every business unit has risk that needs to be addressed. In previous roles, while I would naturally be aligned to Engineering or Technology, it wasn’t unusual to be liaising with any number of functions, be it Finance, HR, Legal, etcetera. I think this arguably explains why it is such a demanding role and one which is increasingly difficult to fill with the right talent.”
DIGIT: Do UK businesses misinterpret the responsibilities of CISOs? Is it used too often as a ‘catchall’ position where CISOs might even be forced to cover multiple responsibilities, perhaps outside of their skillset? What is the effect of this?
Steve: “I believe the biggest way in which businesses fail in their purview of a CISO is in understanding what a CISO should actually do for their business and what skill sets the individual should have in order to deliver any real benefits. This results in recruiting the wrong people, for the wrong job, for the wrong reasons.
“This can often mean that unqualified CISOs are employed or promoted to a level of incompetence, or qualified CISOs are employed at too low a level in a role that is undervalued.”
Phil: “It’s a position that varies in mandate and remit wildly. Yes, it is a catchall for some of the ‘harder to place’ functions – BCP (business continuity planning), Cyber Insurance, Physical Security, Data Protection.
“What I also see is a lack of mandate and clear objectives. The business doesn’t empower their CISOs: they expect, like pawns, they will pave the way – do battle, push the boundary back a little and leave the controlling C-Levels unscathed.”
Stu: “Depending on the size of the organisation, you may find that a ‘CISO’ (i.e. the most senior security person in that business) is significantly further down the hierarchy. For instance, the job spec of an ‘Information Security Manager’ may actually be very similar to a much more senior, Board-level role at a larger company. It often ends with scenarios where employees with no exec-level experience, on much, much lower salaries, are expected to perform at exec level in terms of influence.
“You will often find CISOs performing the roles of Data Protection Officers, Compliance Officers, or Privacy Specialists, which would naturally be individual roles in large businesses.”
DIGIT: What does undervaluing or misplacing a CISO entail for a business?
Stu: “This can be a double-edged sword. If you place an inexperienced security person at an exec level, without the skills or ability to influence at that level, it won’t work. Similarly, if you place a CISO far further down the structure in a business, you may find they get frustrated or are under-valued and under-paid for the work they are doing and the change they are effecting.
“If a company has a hacking incident which is made public, who goes in front of the camera? Is it your CEO, who may have little security knowledge but is paid huge sums of money, or do you ask your Security Manager, who is significantly further down the chain and, frankly, doesn’t get paid enough to have their career publicly scrutinised, or worse, ruined!”
Phil: “The time will come where responsibilities and accountability will require demonstration. The PRA (Prudential Regulation Authority) are already asking financial businesses if they have a cyber-security strategy, and roles and responsibilities defined. Business will no longer be able to push the CISO out ahead of them and let them handle the onslaught.”
DIGIT: Should CISOs be given a place at the ‘top table’, having a hand in all security matters of the business?
Stu: “Yes, it should be at the same level as a CTO, CFO, COO, etcetera.”
Phil: “Not without the mandate to address things, without having the CIO sit between them and the main board – that’s generally the problem today. A risk is a risk, managing it includes transfer, acceptance, avoidance – all before mitigation which includes training people, changing process, and not just buying shiny tin to address a ‘perceived’ threat.”
Steve: “Good CISOs are hard to come by, and good businesses understand this. So the best CISOs ultimately get retained or attracted to good businesses for decent reward structures. There is therefore a risk to businesses who don’t recognise a good CISO, and the chance that these CISOs will seek employment elsewhere, be it in another business, industry or even country, is a real possibility.
“I think it is a bigger risk that businesses retain or recruit poor CISOs, and suffer the consequences of chronic underachievement, fuelled by a lack of clear development programmes and reward structures to motivate knowledge growth internally.”
DIGIT: How can we reconcile the current landscape, if it is disjointed?
Phil: “It is how it is because we have had to accept that vendors created the initial fear, uncertainty and doubt atmosphere which got us some of the way, but then with a lack of tangible evidence, this FUD only went so far with our boards. Now they require more, vendors continue to try and guide the buyers towards threats that their products address – this is not the way for any business to operate.
“We have to focus on our own risks, as seen by mapping our business objectives and understanding what could prevent us from achieving those objectives.
“If we have to lobby a board to convince them to buy a product because of a perceived threat to our business, I would ask what we do to get them to address known risks: risks we have assessed, have impacted us before, understand in detail and can genuinely see no other way but to mitigate. Then we buy – or rather go to market to see what is there to buy – but definitely not have this whole discussion driven by one vendor from the outside. Does anyone else see how ludicrous that sounds?”
Steve: “For me a CISO will be a well-rounded individual who understands information security holistically across all business disciplines, and who also understands how information security supports the strategic planning activities within a business. They have a skill set that allows them to bridge the communication gap between senior leadership, IT and the wider operation (including HR) and the ability to communicate the information security challenges that an organisation’s strategy will face. There will obviously be other day-to-day responsibilities such as risk management, incident management, op-ex, cap-ex, training and awareness, etc. but this guy is a high-level decision maker.”
Stu: “Business needs to understand that the CISO role is still rather new in some industries and in many companies. They may have to accept that an individual doesn’t have decades of exec level experience, compared to, say, a CFO. It may be that a company has to elevate a security professional to a more senior level in a time period which wouldn’t be applicable elsewhere. Business leaders need to engage more publicly on the challenges of security within their companies and the value they place on security.”
DIGIT would like to thank Stu Hirst, Phil Cracknell and Steve Gibson for their answers on CISO roles and responsibilities.