February 13, 2014
Today’s chief information security officers (CISOs) and chief risk officers are in the midst of changes that are reshaping how their organizations, whether public companies or government agencies, prepare for and respond to cyber threats. Only a few years ago the industry was moving toward making the CISO an executive-level position. Now the conversation has moved on to breaking down the Tower of Babel that exists in many organizations between the server room and the board room.
I often have the privilege of speaking one-on-one with CISOs at industry events, such as the upcoming RSA Conference. Regardless of the setting or the industry, private or public, CISOs tell me that they see the imperative to translate their cyber concerns, plans and needs into terms that CEOs and board members understand. In addition, CISOs are beginning to understand that the fast-paced and relentless nature of cyber threats demands that actionable, real-time information and intelligence be delivered to enterprise leadership immediately, in a form that can readily be interpreted into business risk decisions.
Recently, the CIO Journal printed an article I wrote on this subject, in which I identified the future for CISOs and risk officers. I said they need "to accept and understand that a remediation-centric cyber defense is not enough, and to build a communications link to the C-Suite… Organizations need to change their entire security model from one of compliance – meeting basic standards for data protection – to a holistic multi-faceted program of engagement."
To help their organizations not just survive but thrive, CISOs must embrace their responsibility to set the path for the organization’s holistic cyber risk management program. CISOs should consider the roles and responsibilities of the C-suite and determine whether it is appropriate for leaders to manage every component of a holistic cyber defense themselves: intelligence-based monitoring, crisis management, remediation, legal, insurance, crisis communications, organizational planning, staff training, and so on. The alternative is to collaborate with a provider who can apply broad expertise across the whole. My belief is that sharing risk with others is almost always the better solution.
How can we make this work in today’s threat environment? You can read the day’s news headlines to appreciate the challenges that the CISOs and leadership at some of our largest public companies – Target, Neiman Marcus, and JP Morgan – must address. It is one thing to know what to do in cyber security, but given how quickly events occur and the impact on brand reputation, it is just as important to work out ahead of time how to do it. CISOs can learn a lot from the experiences of others and apply that knowledge to a holistic evaluation of the true effectiveness of their cyber security risk management program.