[BreachExchange] The Changing Role of the CISO

Destry Winant destry at riskbasedsecurity.com
Tue Feb 4 10:18:13 EST 2020


https://www.securitymagazine.com/articles/91653-the-changing-role-of-the-ciso

A recent Ponemon Institute report noted that the C-Suite now, more
than ever, understands that just one serious security incident or data
breach could derail the growth and profitability of their companies
because of impact to brand and the cost to remediate, fines and legal
fees and customer loss. As a result, the role of the Chief Information
Security Officer (CISO) is growing in importance, as is the need to
have an enterprise-wide IT security strategy that supports the
company’s mission and goals.

Why does all of that matter to physical enterprise security?

Two reasons, says John McClurg, Sr. VP and CISO at BlackBerry. McClurg
is an enterprise security executive who has held CSO roles at Dell,
Honeywell International and Lucent/Bell Laboratories.

First, an elevated focus on the growing interdependencies between the
physical and cybersecurity worlds leads to the consideration of a
converged organizational structure, under a CSO who has both cyber
and physical security responsibilities.

“I first saw convergence with my role at Lucent,” McClurg says. “The
older view of separating physical and logical security is changing in
enterprises, to where it is now quite common to find corporations
where the corporate security and IT security worlds are fused
together. Both roles don’t get appreciation every day, but they
certainly get the blame when it goes wrong.”

Bringing two such distinct disciplines together is not easy. The
personality types of corporate and cybersecurity directors can be very
different, simply by the roles they’re hired to fill. However, says
McClurg, “You need to coordinate and work hand and glove together so
neither side is surprised, in order to execute solutions. That
requires the cooperation with the IT side that owns the company
network.”

Another reason, says McClurg, is that increasingly, both physical and
IT Security programs have the same reporting structure, whether it’s
to the CEO or the CFO.

“I have reported to many CFOs in my career, and there is something
appealing about reporting to the guy who holds the dollars,” McClurg
says. “A challenge with reporting to the CEO can arise out of the
management principle of span of control, wherein a CEO may not be able
to handle a large number of direct reports. That can introduce the
risk of serving them all less well.”

One challenge with a converged organization, says McClurg, is that
many SMBs don’t have a CISO position. “This is where we might consider
a virtual CISO, an individual who may be part-time, who may work
remotely, like a timeshare in the real estate world. They may bring
their expertise, for a short or long period of time, to make critical
decisions, or maybe just fine-tune some things for a while. That’s
another way in which the role of the CISO is evolving.”

In addition, says McClurg, CISOs are being named to Boards of
Directors of organizations other than their own. “That’s an indication
of a Board’s appreciation of the criticality ascribed to the role,” he
notes. “Our expertise and insights are needed and our skills are being
appreciated. Boards now want the added assurance that their
understanding of their situation, over which they have a fiduciary
responsibility, is free and clear of any biases that might tilt their
perception of how the security in their corporation is working.”

A Seat at the Table

Both the CSO and CISO should have a seat on their company’s Board,
adds George Finney, Chief Security Officer for Southern Methodist
University. “CEOs now get fired because they didn’t understand
cybersecurity, right? That’s a real opportunity for both roles to be
there.”

“From my perspective, being in cybersecurity for a long time, you just
can’t have cybersecurity evolve without physical security doing the
same,” he adds. “If you don’t get physical security right, you can’t
guarantee the cybersecurity of your organization. And the opposite is
also true. The two go hand-in-hand. That’s how you prevent crime.
That’s how you ensure the safety of your community.”

Finney shares the story of a bank that had to replace all security
cameras at all of their branch locations because hackers had taken
over the cameras. But the hackers were so embedded in the physical
security system that the bank ended up replacing its entire security
system. “That’s a monumental failure, and it’s why the two roles have
to work hand in hand,” he says.

When the two roles don’t work together, Finney says, it’s often
because cybersecurity professionals like to “play our cards close to
the vest. We don’t like to share, because it’s embarrassing to admit a
breach. But to be secure, we all need to share information.”

Finney also has a message for the industry as a whole: security
vendors should stop leading with fear. “One vendor tried to pitch us
on using their facial recognition technology by telling us that a
Florida school shooting would not have happened if the school had used
their company’s technology. That’s a horrible sales technique. Stop
selling security by using fear and, instead, build relationships.”

Michael S. Oberlaender, a CISO and CSO, author and subject matter
expert who has worked in global executive level security roles and in
IT both in the U.S. and EU for more than 25 years, says he has seen
the progression of the CISO role, including some of the incorrect ways
it has been set up in many organizations. He says, “It’s not easy
because what I have observed is an uphill battle, where often, the
CISO role is under the CIO or CTO realm, which makes the road
ineffective and inefficient. Technology is about full and easy
functionality while security means literally least privileges. And
most organizations either don’t care or don’t really understand the
issue.”

He adds, “We all know that security is not a technology problem. It is
a business problem. And it needs to be decided on from a business
perspective. How much money do we want to spend? What changes do we
want to make? Do we change the processes, or the culture? Do we put
security first or functionality first? Unfortunately, many companies
are short-cutting it and then wonder later down the road why the data
breach took place.”

Oberlaender advocates that the CISO should report to the CEO and have
a seat on the Board of Directors. “The CEO is the best person to
report to because that person has a lot of visibility and execution
power.” But why isn’t that happening in all companies?

“Often, CEOs don’t understand security, don’t have the time, or don’t
want to spend the necessary time to ask the right questions. They
think they can delegate it and then it goes away. But it doesn’t go
away,” says Oberlaender. “You can’t outsource accountability or
responsibility. Slowly, but steadily, it is improving, where the CISO
reports to the CEO. But it is not the majority. It’s much more
advanced in other countries. For example, in Israel, law dictates that
the CISO reports to the CEO. Israel is one of the most secure
countries, as most security vendors either come from Israel or have a
large subsidiary in Israel.”

He adds that most CEOs have the resources, time and knowledge in the
space to be educated about security. “It is, in my view, sheer denial
of the facts.”

Debby Briggs, CSO for NETSCOUT, adds that a CISO’s reporting structure
is critical. “The CSO and the CISO don’t own the risk, but our job is
to educate and inform everybody within the company, including the
C-Suite and the Board of Directors on the risks and what we can do to
mitigate them. So the risk appetite is really set by the Board and all
the C-Suite team members. I report into my CIO, and he’s great, but
there are times when my agenda and the agenda of my team is different
than my CIO’s agenda. If I was designing an organization from scratch,
I think the CISO or the CSO should report into the CEO. I think you
will see that evolve as more Boards are taking a more active role in
cybersecurity and physical security.”

According to Oberlaender, another way in which the CISO role is
progressing is where he/she will have an independent budget. “Getting
a budget independent from the IT spend or the technology spend gives
more power and execution ability, in addition to better oversight,
more independence and more governance. That independent budget will
allow for investments in the necessary people, tools and technologies
and process changes. It’s like buying a car. If you have money in your
pocket, you can purchase a car. If you find the car that you want or
if there is currently a shortage on cars, that’s a different story.
But at least you have the financial ability to do so.”

Similar to Finney and McClurg, Oberlaender stresses the importance of
having a converged enterprise, where the CISO and CSO roles work
together. “Convergence has been discussed for years, but it isn’t
always happening,” he says. “And it doesn’t make sense not to do so,
as essentially, the same thought processes, same methods and same
functions are there. They just translate into different ways of
achieving a goal. There is access control in the physical space and
the IT space, for example. There are still a lot of companies that
still don’t have it combined in the right fashion.”

Privacy Issues

Privacy regulation, in the form of the GDPR and the CCPA in
California, is yet another factor elevating the CISO within the
enterprise, Oberlaender says. “Security is a bigger problem than
privacy,” he says, “but I wonder why we have made more progress on
privacy? Why don’t we have (at least) national legislation on
cybersecurity? It would make sense to have a security standard that
the entire world (similar to GDPR on the privacy side) can apply, so
the hackers are not always ahead of the game and security is playing
catch-up.”

Privacy issues will be an opportunity for CISOs and CSOs to advance
their role, Briggs adds. “At first, GDPR was pretty prescriptive, but
now, instead of having one national data privacy regulation in the
U.S., we’re going down the road where we could end up with 50 of them,
which will become very hard to manage. CISOs can help build in the
technical controls required for GDPR compliance.”

Rinki Sethi, CISO at Rubrik, agrees with Briggs. She sees the rise of
a new organization emerging, the Data Trust Office, to help businesses
rethink how they are organized around security, privacy and customer
trust. This new function would collaborate with the CISO and other
business units to ensure that legal obligations are not only met, but
that the right security controls are in place to protect data across
the entire company.

At Rubrik, Sethi is responsible for building the company’s security
strategy, which includes data security. She presents to the company’s
Board of Directors on a regular basis to keep them apprised of
developments across security and compliance. Sethi and her executive
team work together on a number of issues on a regular basis, she says,
“to ensure that we have given the issue the proper response and to
ensure that we can prevent it from happening again.”
