Magazine Button
Digital Shadows expert on putting the ‘chief’ in ‘CISO’

Digital Shadows expert on putting the ‘chief’ in ‘CISO’

Deep DiveEnterprise SecurityTop Stories
Rick Holland, VP Strategy and CISO, Digital Shadows offers his recommendations for empowering CISOs

By Rick Holland, VP Strategy and CISO, Digital Shadows

We should all applaud the fact that the position of Chief Information Security Officer has caught on in recent years. It’s made it clear where the buck for security stops, instead of it being lumped in under a generic IT director or CIO.

But all CISOs are not created equal in my 20+ experience of being one and having advised them as a security analyst for Forrester Research. Sad to say, in many cases, there is nothing ‘chief’ about them, and they are executives in title only.

To be successful and to be taken seriously by their other c-level peers, Chief Information Security Officers (CISOs) need a different approach. Now that I am a CISO myself and spend even more time with my peers, I find that many CISOs are actually ‘cISOs’. After years of seeking to be elevated to the c-suite and get in front of the board, now given the opportunity, many CISOS are struggling with the transition.

Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital ‘C’.

  1. Understand how your business generates revenue. To operate as an actual ‘chief’ you must spend time talking to line-of-business leaders to understand how your company truly operates. With knowledge of how the business generates revenue and the people and technology involved, you can model how insiders, external adversaries and competitors might disrupt your operations. You can then map out the appropriate security controls to minimise the implications and build resilience into your programme
  2. Understand your business risks and how to mitigate. If you work for a public company, take the time to review your company’s annual report to shareholders. Inside, you’ll find a wide-ranging list of risks to the business – from supply chains and weather to geopolitics. Privately held companies have a risk governance committee maintaining a similar list. Even if cyber-risk isn’t explicitly called out, a full-fledged CISO will take the time to understand these business risks, map them to the cyber-domain and then determine how best to mitigate them
  3. Make the most of your board presentation. As a member of the c-suite, you now have an opportunity to present to the board. You need to understand what they want to know, and you need to communicate that information effectively. As a first step, develop a relationship with a board member that you can develop into a board mentor

This mentor can give you guidance on how to interact with the other board members. Some board members will be more technical than others, but don’t let that pull you back into your comfort zone of technical jargon. Use analogies business leaders can recognise to ensure you’re communicating in a way that is meaningful to all of them. I frequently use film and television analogies to convey key concepts; find the illustrations that work best for you.

Now that you’ve laid the groundwork for a successful board presentation, what specific metrics should you report on? Keeping in mind that you have a finite amount of time to present and you don’t want to over-complicate the message, I suggest you focus on the following areas:

  • Report on the programme’s overall maturity using an industry-accepted framework (e.g., ISO 27001 or the NIST Cybersecurity Framework) to measure and track maturity and governance. Provide a high-level update to the board – for example, that the organisation is at 60% maturity based on the framework. This gives them confidence that you are working within a recognised structure and have a solid grasp of what the trend looks like
  • Proactively control the narrative so as not to be seen exclusively as the bearer of bad news. Look for a ‘front page of the news’ win to highlight, like a NotPetya or a WannaCry type of global event. Explain how the risk was relevant to your business and what your team did to mitigate risk
  • Provide overall metrics on trends. There is nothing more relevant than using your data to frame a high-level discussion about what incidents looked like during the reporting period. Specific metrics might include – if incidents are trending up or down and the cause, how many incidents you are dealing with and how long it takes to identify an intrusion and remediate and recover. Again, remember to stay away from acronyms and jargon.
  • Report on the top three risks you are focusing on. Control the narrative and relate these to the business so that your board will understand that you are more than just a cISO. Some examples that could be germane to your business:
    1. The sales and marketing department is migrating from an on-premises customer relationship management system to a software-as-a-service equivalent and you are working on managing the risks associated with the migration
    2. Planned merger and acquisition activity requires that you focus on preventing the financial details from getting into the hands of a competitor or threat actor
    3. The business is launching a new product that will account for 30% of net new revenue in the following year and you need to protect your intellectual property

At a future board meeting, close the loop and report back on how the security and risk organisation helped enable the success of strategic business activities you are involved in protecting.

What do I think are the issues that CISOs need to be on top of right now? Here’s my top five:

  • Much has been said about this already but CISOs should be very wary of thinking they have met the end of May deadline and awarding themselves a slap on the back. The hard work starts now. Firms may think they are compliant but, in truth, GDPR is so far-reaching that many will not be. The ICO could be waiting on a test case to levy the €20m /4% of global turnover fine – don’t let it be you
  • Recruiting and retaining staff. I think the ‘cybersecurity talent shortage’ is a self-fulfilling prophecy – go and find the talent and nurture it if necessary. UK universities are awash with cybersecurity talent and the country is in the top tier globally for developing expertise in this area
  • Third party risk. Digital Shadows discovered how third parties are exposing information that can provide highly valuable to sophisticated actors with 545 SAP configuration files publicly exposed on misconfigured systems. This is just one example – third parties such as contractors and suppliers are often the weakest link and can leak important company secrets. Firms need to get much better at managing this
  • Cloud security. In April, Digital Shadows found 1.5 billion business and consumer files exposed online. Many of these were on cloud services such as Amazon S3 buckets. The issue isn’t that cloud services are inherently insecure, oftentimes they are misconfigured. It’s vital therefore that CISOs ask awkward questions of the those responsible for managing cloud services and make sure they have all the training that they need
  • National security. All CISOs need to track geopolitical and national security issues. Threat actors that are suspected of being affiliated with nation states are among the most capable. They can, and they do, steal intellectual property as well as disrupt organisations that are deemed to be in their national interests. As we have seen with EternalBlue, what starts off as a nation state tool can quickly become subverted and used for other ends by other cybercriminal groups. Keeping an eye on the national picture can give us a clue as to what will hit the ‘mainstream’ later on

As a CISO, you have the opportunity you’ve longed for – to work closely with your peers at the c-level and interact directly with the board with the aim of demonstrating value to the organisation and buy-in for new initiatives. By putting knowledge of the business and risks first and understanding how and what to communicate to the board, you can transition successfully.

Click below to share this article

Browse our latest issue

Intelligent CISO

View Magazine Archive