[BreachExchange] Why CISOs will be more important than ever after the coronavirus shutdown ends

Destry Winant destry at riskbasedsecurity.com
Thu Apr 30 10:33:21 EDT 2020


Three security experts explain how a CISO can unify business and
security goals and help navigate new and pending privacy regulations.

The coronavirus may mean the end of the open office plan, in-person
conferences, and handshakes, and the addition of the chief information
security officer (CISO) to more executive teams.

Bitglass researched Fortune 500 companies and found that many
organizations lack an authentic and lasting commitment to
cybersecurity. The good news is that 62% of companies have a CISO, but
only 4% listed the role on their leadership page, and 77% had no
information on their websites about who is responsible for security.

As data breaches continue at an ever faster pace, it's easier for CEOs
to understand that security is not just a cost center but a necessity
to protect a business's reputation. Retired Air Force Brigadier
General Greg Touhill said more and more organizations are realizing
that the CISO and his or her team are crucial to mission success.

"A failure by the cybersecurity team could be an existential disaster," he said.


Touhill was the first federal chief information security officer of the
US government. He is currently president of AppGate Federal, a
security firm that works with government agencies to modernize
networks and security strategies.

Ellen Benaim, the CISO at Templafy, a SaaS company that provides
template management for Microsoft Office and Google suite users, said
that the current work-from-home conditions are similar to how CISOs
operate in normal times: being agile and adaptable, and taking action
without immediately having all the information needed.

"The CISO role has had to adapt to face the challenges of everyone
working from home and be prepared when hackers are still developing
new things to exploit," she said.

Bitglass also studied the impact of data breaches on publicly traded
companies and found that these breaches have cost companies an average
of $347 million in legal fees, penalties, remediation costs, and other
expenses and a 7.5% decrease in stock price.

If your company doesn't have a CISO, this advice from three security
experts can help make the case for adding the role to the executive

Why companies need a CISO

At Templafy, Benaim took over the CISO job from the co-founder of the company.

"If your business is in any way involved with processing information
for another person, it's very important to have someone looking out
for security and privacy as well," said Benaim. She reports directly
to the chairman of the board and works with Templafy's board of
directors to describe the threat landscape the company faces and to
communicate it in a way that is understandable to a non-technical
audience.

Sue Bergamo has two roles at global ecommerce company Episerver: CISO
and CIO. She said the two roles go hand in hand.

"As CIO, taking care of the back office always has a security
component to it and from a CISO standpoint, the enterprise must be a
constant focus," she said. "At the end of the day, prioritization is
paramount with security and customers in first place."

Bergamo said that she often meets with customers to answer questions
about the company's security program and attends customer and partner
events as often as possible. Because third parties are often the
source of data breaches, it is even more important for vendors to
build trusted relationships with their customers, she said.

Before adding a CISO to the executive team, Benaim recommended that
companies conduct an internal assessment of the maturity level of
their current security practices as well as the most important business

Joining the executive team

For a CISO to be the most effective, he or she should be on the
executive team. Touhill said that many first-time CISOs are
disappointed to find that they do not have a seat at the executive
table or even report to the CEO.

Touhill listed several key signs that an organization views a CISO as
a mission-critical role. First, the CISO should report directly to the
CEO, and the CEO should publicly designate the CISO as a member of the
senior executive team.

Next, the CISO should report to the corporate board on a regular
basis.

"If the board is not regularly getting reports and interacting with
the CISO, that is a sign that the CISO is not considered an essential
member of the executive team," Touhill said.

Finally, CISOs need the authority to create, monitor, and enforce
cybersecurity policy.

"Successful CISOs know they operate as part of a team and ensure they
continually coordinate among all business lines and staff elements to
ensure cybersecurity policies are linked to the enterprise strategic
goals and objectives and are viewed as enhancing the organization
rather than hindering it," he said.

Touhill said successful CISOs often spend more time with their line of
business peers than they do with their direct reports.

"They serve as cybersecurity ambassadors across the organization; as
strategic advisors guiding policy, processes, and technologies to
better secure the organization; and as a technology senior leader,
taking active measures to lead the current and future generations of
technology personnel in the organization and community," he said.

Another key skill is the ability to understand security and privacy
frameworks and regulations, including GDPR, ISO 27001, and CCPA, and
then interpret how those rules apply to a particular company.

"You have to see what they say at the level of best practices and then
apply those frameworks in a way that is efficient and supports the
goals of your company," Benaim said.
