Study after study confirms that cybercriminals and state-sponsored hackers have gained the upper hand—staging major data breaches seemingly at will. Attacks on major companies continue to surge. Enter the chief information security officer (CISO), who for a growing number of organizations is the chief defender of all things data.
The CISO’s role is to assess and manage security risk—whether it comes from internal or external sources. CFOs, traditionally the ones responsible for risk management, should not view the appointment of a CISO as a threat to their authority. The CISO may actually be a career saver: in the event that an organization does suffer a major data breach, the finger of blame will find the CISO first.
Fortunately, most organizations would see the role a bit differently, and place importance on the CISO role much like that of the CFO. That makes it important that the two individuals work well together, in a collaborative and complementary fashion.
“There definitely needs to be a strong interface, but I think there also needs to be some measure of independence between the two,” said Bobbie Eiseman, CTP, director of corporate treasury programs at SunGard, and vice chairman of AFP’s board of directors. “You’re always going to have that balance and counterbalance between what someone responsible for information security would like to see accomplished with the company, and then you have the CFO trying to balance that with other investments—both internal and external—by the company.”
A unique technology role
A successful CISO needs to understand the company’s mission and operations. They should be masters at communication and negotiation. And they must have clout.
“I do think you need to have them in a high level, if for no other reason than to just be able to cut through the red tape and bureaucracy that are so common in many companies,” Eiseman said. “You don’t want them having to struggle through multiple layers of management in order to accomplish something that they might need to accomplish in a very critical and short timeframe.”
Hopefully there will be little need for that. If a CISO has done their due diligence, even though they can’t guarantee against a security attack, they should be able to minimize it. They will do that by identifying vulnerabilities in the firm’s operations, and estimating the loss to revenue, customer support or public opinion in the event of a security failure. They will then work with senior management to place security investments where they will do the most good to protect the most critical assets.
While companies with a CISO are still in the minority, their numbers are growing, noted Jamey Cummings, principal and co-leader of Korn Ferry’s Cybersecurity Center of Expertise.
Driving some of the CISO hiring is the greater focus on IT security by boards of directors, Cummings explained. It’s not just retail giants that are at high risk. All companies in all industries are potential targets. The healthcare industry is the hardest hit, followed closely by financial services, according to some studies. And small and medium-sized firms are just as vulnerable as their larger counterparts.
While the low-frequency, high-impact breaches like the ones at Target and Home Depot have received the most media attention, insurance underwriters warn companies to pay more attention to the smaller incidents, noted Eiseman. “Some of these insurance underwriters are saying, ‘Hey, as a business you really need to think more about the higher-frequency, lower-impact breaches.’ That includes how you handle your employee data, how third-party administrators on your insurance program handle your data, and how you handle client data. It’s much more of an internal focus that the insurance world would like to see companies take,” she said.
Communicating with the board
Perhaps the most important reason why the CISO must have a strong relationship with the CFO is the need for support from the board of directors.
As a recent study by FTI Consulting reveals, cybersecurity has become the number one boardroom concern, topping its list of worries in 2014. “As hackers get better at their exploits, corporate security is failing to keep up, resulting in the main thing keeping directors up at night,” the report explained.
According to BitSight co-founder and CTO Stephen Boyer, that presents the perfect opportunity for the CISO. With the CFO’s blessing, the CISO can find a ready-made and attentive audience looking for guidance on how and where they should invest in security.
The conversation should not focus on technologies so much as on policies and procedures, Boyer advised. That includes what the organization is doing to proactively mitigate risks, as well as what the risk levels are to begin with.
The CISO should be able to answer the following questions for the board:
- Does the organization have cyber insurance, and is the coverage adequate?
- Are the organization’s security risk levels on par with industry peers?
- Does the organization have metrics to measure security performance and effectiveness?
- Does the organization have the ability to benchmark performance over time?
Finally, the CISO should be able to outline for the board what potential risks the organization faces and in what form, Boyer said. That includes providing context and, when possible, telling a story.
Citing examples of security breaches at peer organizations can be a great way to gain board support, Boyer noted. The CISO can explain what conditions existed at the peer that enabled the attack, how those conditions compare, and what the CISO is doing to make their organization more secure.
“The end result should communicate whether you are more or less secure, and why,” Boyer concluded.