The board needs to understand security in the way that it once did finance.
Speaking at the Financial Services Information Security conference in London, CISO Paul Swarbrick said that despite the CISO often being the third best paid executive behind the CEO and finance director, it needs to be its own entity within the business.
“It is not a subset of IT or corporate security, it is a thing of its own, and we cannot take it for granted that it is moving forward,” he said.
“We can be the elephant in the room, as information is not same as IT and senior management have no understanding of cyber security and in the past, would we not tolerate having a CEO who knows nothing about finance, but are we at the point of maturity to expect a basic knowledge of security.”
Swarbrick said that we are not at a stage of maturity where board members understand security and while as security professionals we are not asking to them to understand how to implement it, but security is important as balancing the books.
“Yet many have no understanding of what we do and one of biggest risks is the ignorance of security, and we need to pick that skill up,” he said.
“Still there are organisations who think of people doing nothing, and we need to educate on what we do and how we fit into organisation and my travels have taken me to many organisations but the most successful were where management was prepared to listen and sadly, quite a few will sit there and hear the words but not the message and many think of us sitting asleep in a room.”
He said that the option is to “hang in there” or go and work for an organisation who appreciates your skills. “My advice is take [the right job] and do not tolerate mediocrity and if you are not appreciated, find one that does.”
Swarbrick later said that the onus is on the security professionals to feed information into the board, but it has to be a joint responsibility to understand these things and while the management had no idea on profit and loss, industry had forced them to modernise.
He said: “My challenge is ‘are we mature enough as an organisation to challenge for the same level of competence’. Has privacy risen to be a powerful part of the agenda for senior management to understand the basics?”
He concluded by claiming that it comes down to the maturity of the organisation, as often the board are interested once and not again, but as IT has worked out that it needs board level support and it is now at the crux of recognition, and boards understand it.
