For a long time, the chief information security officer (CISO) has had a hard time. Being singly responsible and accountable for the security of an entire organisation, across its geographical and virtual footprint, day and night, is a huge burden.
To achieve this during a time of increasingly frequent and ever more sophisticated cyber-attacks, while skills are in high demand and low supply, and while keeping within budget, is a tough job for even the most experienced industry professionals.
Unfortunately, when a company is breached, the stress of the moment often means finger-pointing starts immediately, with the CISO getting the lion’s share of the blame. It’s perhaps no surprise that the average tenure of a CISO is about two and a half years.
A CISO simply cannot control everybody’s actions. Nobody should be blamed for innocently clicking on a malicious link in an email or other message. If the entire security posture of an organisation is dependent on someone not clicking a link, there are fundamental problems.
Yet there are, of course, more serious issues in cybersecurity today than malicious links. For instance, ‘Citrix Bleed’ (CVE-2023-4966), a flaw in Citrix NetScaler ADC and Gateway appliances disclosed in October 2023, lets an attacker read session tokens out of the appliance’s memory and hijack authenticated remote-access sessions, bypassing passwords and multi-factor authentication in the process. In its wake we’ve seen disruptions to water utility companies, the bond market and financial transactions; it has even meant ambulance services being diverted from hospitals.
Not ‘if’, but ‘when’…
After several years of cyber incidents hitting the mainstream media headlines, and better education from security agencies such as the UK’s National Cyber Security Centre (NCSC), more senior decision-makers, company directors and board members are realising that it’s not ‘if’, but ‘when’ their organisation will be compromised.
But there remains a strong atmosphere of blame today. Although there are many actions an organisation can proactively take to strengthen its cybersecurity posture, being breached is not in itself proof that anyone failed.
Cybercriminals have been working hard at their dark craft for years and they are extremely good at it. They do it full time, often in teams of people with different but complementary skills; they excel in one niche area of cybercrime and buy other services from specialist vendors. It’s now a well-oiled machine that Cybersecurity Ventures forecasts will cost the global economy a staggering US$10.5tn a year by 2025 (meaning that, if it were a country, cybercrime would have the third-largest economy after the US and China).
CISOs certainly have their work cut out, but they can’t guarantee the protection of the organisation on their own. (And no longer should cybersecurity fall to the responsibility of IT teams, who have enough to do, and don’t always have the right training or know-how to protect a company’s technology in addition to managing it.)
What can the board do?
So how can the board support a CISO to enable them to strengthen resilience organisation-wide? How can a CISO lean on the board without worrying about their own job security every time they read about another ransomware attack in the press?
Today, cybersecurity moves too fast and is too complex to sit with the CISO or IT department alone. It’s a subject that demands board-level attention and engagement and, ideally, someone on the board—or someone who advises the board—who understands the current threats, how to manage them and how to balance the financial and reputational costs of a cyber-attack with their own investment in cybersecurity.
At Quorum Cyber, we provide all this with our ARQCUS programme, advising and guiding company boards throughout the year.
Perhaps the first thing that needs to be addressed is the language of cybersecurity. Technical teams and non-technical senior managers and directors often speak two different languages. This is a big problem for both sides. CISOs struggle to articulate the benefits of a risk-based security strategy and to request adequate funding, while board members struggle to understand the issues, prioritise resources and make informed decisions against other major concerns such as skills shortages, supply chain issues and investment in new technology.
Five fundamental questions
There are five key questions boards can ask CISOs in order to better support them:
1. How do they measure the maturity of the organisation’s information and cybersecurity? The measure should align with a recognised framework such as the UK NCSC’s Cyber Assessment Framework (CAF) or the US NIST Cybersecurity Framework (CSF). The aim is a shared language between the CISO and the board, not a race to score well on each scale.
2. Have they tried to implement any controls for a while but are struggling to justify the budget? Then relate this to the maturity assessment for the area affected by the lack of control. At this stage, it might help to bring in a specialist external cybersecurity company to assess the organisation’s security posture and maturity.
3. Can they show statistics on cybersecurity incidents and cyber-attacks on the organisation? Every organisation is under near-constant attack from automated tools, and many face targeted, hands-on-keyboard attacks as well. The CISO should be able to show how they are defending the organisation and how they are learning to do it better and more efficiently.
4. Would they benefit from a business-focused stakeholder? If yes, they could be assigned a business mentor from the board. This is to ensure that the CISO doesn’t merely try to defend the organisation but enables it to thrive.
5. Are they using the investment they’ve already made in products, services, and licences wisely and to the maximum extent? Many organisations only use a fraction of these.
It would also be valuable to allow the CISO to provide quarterly presentations to the board about security initiatives, risks and achievements.
Backed by the board, CISOs can achieve a whole lot more for the business, including setting out a security roadmap, embedding a security culture and mindset, building security into any new IT projects, ensuring resources are best used, and, over time, reducing the total cost of ownership. When boards and CISOs work together they can significantly improve any organisation’s resilience and liberate it to achieve its goals – whatever threats loom over the horizon.
Federico Charosky is chief executive officer of IT security specialists Quorum Cyber