What CISOs want in 2016
The role of the Chief Information Security Officer (CISO) has developed rapidly over recent years. Ten years ago, it was rare even to find someone fulfilling the CISO role in an organisation; security was often viewed by senior management as a technical subject best left to the IT department.
Not any more. Security has achieved much greater attention in the world’s boardrooms, and CISOs are expected to be able to communicate complex technical situations in terms that their senior management can grasp, and use to shape their decision-making.
In order to test the current state of the CISO role, and to explore their biggest challenges, IT Security Guru gathered together a dozen CISOs from some of the UK’s biggest organisations and asked them to submit to questioning by a group of leading security vendors and industry analysts.
The event, which was the 10th IT Security Analyst & CISO Forum, took place in April in London. To encourage openness, Chatham House rules applied, meaning that the individuals involved would not be named. Suffice to say that the CISOs came from a wide range of industries including banking, insurance, telecoms, pharmaceuticals, distribution, e-commerce and the public sector.
Here is a taste of some of the subjects covered…
Managing risk in the cloud
As most of the assembled CISOs agreed, modern boards of directors need no convincing of the need for security, and are comfortable dealing with the concept of risk management.
But the increased use of outsourced services – from contractors, consultants and especially cloud service providers – has massively complicated the task of risk management. How do you ensure that security procedures are adequate at all points of the supply chain, particularly where your contractor is sub-contracting some of the work to other companies?
The standard approach includes asking suppliers to complete a questionnaire covering their security. But as one CISO from e-commerce commented: “It’s hard to deal with cloud service providers. The very big ones will not change what they do to fit in with you. And at the other end of the scale, the one-man band doesn’t have the resources to handle a 200-page questionnaire about his security procedures.”
Another said he focused on his most important tier-1 suppliers and emphasised the need to build a strong relationship with them over time to build confidence, and to ensure they are enforcing good security down the supply chain.
The general consensus was that this remained a difficult task.
And how to explain risk to the board?
Communicating this complexity of risk to the board in a succinct and understandable form is a challenge in itself. Most of the CISOs used a red/amber/green coding to denote areas of high and low risk, but recognised this was a fairly crude device which required some explanation to put it into context.
“The colour coding is a good psychological construct. If something is red, then it makes people stop and think,” said one of them. “A bit like Twitter, I limit myself to 200 characters to explain each risk item. The explanation of any risk needs to show trends: is the risk rising or falling, and also how long has it been happening? Management can then dip in if they need more detail.”
Clearly, any assessment of risk needs to take account of the organisation’s appetite for risk. For example, a CISO from the aerospace sector said failure was not acceptable in his organisation, so all systems had to be locked down and, where possible, disconnected from the Internet. Others, such as those in finance, were required to meet regulatory compliance. Others again could afford to be less risk-averse. In all cases, however, accurate reporting was necessary to allow management to make informed decisions about their business.
One CISO pointed out the need for complete honesty about risks and threats. “We sometimes make a rod for our own back if we try to promise complete security all the time. We can never remove risk altogether.”
To which another CISO quipped: “If they want zero risk, then give us infinite budget!”
Security products – a mixed blessing
The vendors present at the debate were keen to quiz the CISOs about what they were looking for, and how they went about choosing products.
The questions provided the CISOs with a cathartic opportunity to vent their frustrations at cold callers, and at salesmen who failed to get to the point quickly or to really listen to the needs of the customer. “Don’t spend the first 15 minutes of the meeting telling me how important security is – we know that!” said one.
“Listen,” said another. “Listen to our problems, understand our business and our priorities. We need technology to help us do our jobs, but please don’t make claims that are not true. Don’t walk in saying ‘Here’s the solution – what’s your problem?’”
Most CISOs said they were looking for technology partners to work with over the longer term, not just a product. Many complained that a lot of products were “just fluff” and could not be relied on.
One CISO from the public sector explained that even if he wanted to acquire a security product, he still had to convince other stakeholders in his organisation. “I have to go and sell it to the network group, the server team and others. And if the operations teams don’t like it, they just won’t use it,” he said. “I need help from the suppliers in order to sell the product to my various departments.”
CISOs also raised the problem of interoperability between products and asked the vendors to give more thought to creating common interfaces. However, as one vendor responded: “If we had to get certification for all the platforms on the market, we’d be out of business.” So not much hope of that happening any time soon.
For many CISOs, however, it made more sense to buy a suite of products from a single supplier, even if each component was not necessarily best in class, rather than trying to make different products work together.
Taking on the CISO role and building a team
Asked about how they approached taking on a new position as CISO, most of those present said it was important to establish reporting lines from the start. “Get management buy-in from the start and confirm your budgets. If they want you to report to the head of IT, then walk away,” said one. “It won’t work if they think security is an IT problem. You need to be part of the business, not a cog in the IT wheel.”
All of them emphasised the soft skills required to make a success as a CISO. “You need to build relationships with managers from the rest of the organisation very early on,” said the CISO from the aerospace sector. “The CISO should be able to look beyond IT and feel free to knock on any door. You need to build your personal brand in the rest of the organisation.”
Another said it was essential to gain a rapid understanding of the company’s infrastructure, in order to establish its security needs, and then to build a security steering committee with representation from across the organisation.
As for building up the security team, all the CISOs had different experiences. In the e-commerce sector, the CISO had built his team from scratch, whilst others had walked into organisations where the security culture was already established. However, all agreed that there was a general shortage of available and well-qualified staff.
One overcame the problem by using his personal network of contacts to recruit team members. Another, working in a bank, recommended recruiting from within the organisation and training people for the role. “Technical skills can be taught, but you need people with the right business experience and personal qualities,” he said. “We promoted a woman who’d been a PA for 18 years and she has been very successful. She knows everyone in the business and is confident in dealing with any of them.”
Biggest concerns / priorities
* Regulations – For many, new regulations take up a lot of time and effort. “We have to look at all areas when regulations change, and that can flow out to all departments, such as legal, and down through to third-party suppliers,” said one CISO working in telecoms.
Several others echoed that view, saying that as new third-party suppliers were taken on, security profiles had to be reassessed in the light of regulatory compliance.
Of major concern is the newly signed EU General Data Protection Regulation (GDPR), which comes into force in the UK in 2018. It introduces mandatory notification of data breaches and potential fines of up to 4% of a company’s worldwide revenues for serious non-compliance. “This has certainly got a reaction and has galvanised senior management into action,” said one CISO.
Another suggested it was a good opportunity for third-party suppliers to play their part and help their customers comply by adjusting their procedures to meet the new regulation.
* Cyber drills – Most CISOs did regular exercises to test aspects of security and to boost security awareness in their organisations. These could range from table-top exercises to a full-blown simulation of a major data breach. As one CISO expressed it: “We know that a breach is going to happen, so we always have to prepare for the worst and ensure we can handle it.”
* Targeted phishing attacks – Getting users to resist clicking on dodgy emails has been a constant problem, and it shows no sign of going away. All the CISOs expressed frustration but conceded that some of the new targeted phishing emails were cleverly crafted and were hard to spot. “It probably accounts for about 50% of our problems,” said one.
* Mobile users – The commoditisation of IT, and the rise of mobile users with their own devices, is another constant headache. For one CISO working in pharmaceuticals, the challenge was to develop more safeguards and controls for users working away from the main corporate network. For another the problem was merely technical: “I want MDM (mobile data management) to be commoditised, and just part of the Microsoft stack so I don’t have to think about it.”