Following our look at the common prediction trends for 2015, in which we identified major flaws and expanding ransomware as trends worth watching, the next timely trend concerns the boardroom.
Today, research into the FTSE 350 by PwC found that 88 per cent of companies say cyber security is on the board's agenda, yet only 29 per cent consider cyber a "top risk". So perhaps strides are being made in getting the board's attention, or perhaps CISOs can thank a greater focus on the CIO and the headlines surrounding Target, eBay and Sony Pictures.
So after a year where security was very much in the spotlight, is this year set to be a step forward for security in the boardroom? Nicholas J. Percoco, vice president of strategic services at Rapid7, claimed that in 2015, CISOs will spend 100 per cent more time with their boards and executives than previously.
“With the number of high profile data breaches announced in 2014, board members and senior executives will seek more clarity and assurance that their company’s security programmes are aligned for success,” he said. “In 2015, we’ll see more time for CISOs in the board room presenting metrics and relevant data points to highlight security programme effectiveness. CISOs will be seen spending more time outside of compliance and regulators discussions and more time focusing on mitigating actual risks to data loss.”
Likewise, Rajiv Gupta, CEO of Skyhigh Networks, claimed that security breaches are no longer the sole responsibility of the CISO, with the Target fallout proving that CEOs are also being held to account. He expected CEOs to develop closer and better working relationships with the CISO over the next twelve months.
He said: “Whether it’s in negotiating security budgets, managing risk, or briefing the board of directors – I’d go so far as to say that the two will be joined at the hip in many organisations next year.”
So the boardroom is taking notice. It is still a sweeping statement to say that all boardrooms and CEOs are interested in cyber security, but the Target situation shows how the top of a company can be affected by something supposedly dealt with by those in the basement.
Rob Lay, solutions architect for enterprise and cyber security, UK & Ireland, at Fujitsu said that security should be treated as a business challenge rather than an IT challenge. Security sitting outside the IT department is not something businesses should worry about; in fact, it represents a positive change.
He encouraged businesses to develop an enterprise security model that is flexible and can change as the IT environment and threat landscape change around it. "In order to do this, and ensure that security efforts are focused in the right areas, businesses should ensure that their security model places risk management at the centre," he said. "This way the business can assess and prioritise its enterprise security efforts in the way which will best benefit the business."
So how will this change come about? After all, it depends partly on the CEO adopting security, and partly on the CISO being adaptable enough to work at board level. Mark Barrenechea, CEO at OpenText, said that one route is the emergence of the chief data officer and the chief digital officer. He predicted that these two C-level roles will find themselves at the executive table as the enterprise is guided on its journey to digital transformation.
“While their roles are unique, both will focus on the strategic importance of information in a digital economy,” he said. “The chief digital officer will be the executive advocate for the digital customer and will emerge to oversee both the strategy and the technology for a seamless and satisfying digital customer experience. According to Gartner, 25 per cent of businesses will have a chief digital officer by the end of 2015.
“The chief data officer will emerge as the executive advocate for data management – using the exploding volumes of data and analytics to improve decision making and identify new revenue opportunities. Across the organisation, every function will want access to data and insights about their operations. The chief data officer will make this possible by optimising the management of data (integrating, deploying, securing, governing) and mobilising their organisation around an Enterprise Information Management (EIM) strategy.”
So: new interest and new jobs; it all sounds pretty positive. Remove the threats altogether and you have no real problem, right? To round off, I gathered some interesting comments on risk and how it is changing.
Jason Polancich, founder and chief architect of SurfWatch Labs, said that there will be a renewed focus on the practice of risk management, but directed at cyber risk rather than cyber threats. He said that the security industry continues to focus on identifying threats, and this mindset needs to shift, because cyber threats represent an overwhelming flood of data that is hard to correlate.
“Organisational cyber risk (not threats) must be quantified and assigned a process for inventorying, monitoring and mitigating,” he said. “While admittedly a little pie-in-the-sky, I do believe organisations will start to realise this and consider detailed risk management programs for their cyber risk.”
The consistent theme of these predictions is that there is interest from the whole organisation, and that security is no longer confined to the IT team, the security team, or both. Obviously this differs from company to company, and it is hard to prove whether it has worked, but if security reaches the upper echelons of the top global businesses then maybe there will be more hiring, more money spent and better outcomes for all.
Join our next webcast, taking place at 3pm GMT on Thursday 22nd January, where we will discuss effective spending to help defend against modern threats. We will be joined by Bromium's Ian Pratt, CISO Paul Swarbrick and the Information Security Forum's Steve Durbin – https://www.brighttalk.com/webcast/11399/140339