Giving InfoSec a seat at the executive table

Rather than making information security the responsibility of the IT department, organisations should consider making it an executive-level priority.

Across Australia, many organisations hand the responsibility for information security to the IT department. But some experts argue that organisations should consider creating an executive role that’s dedicated to information security.

James Turner, an advisor at analyst firm IBRS, recently published a research note titled ‘Why Organisations need an Information Security Executive’. According to Turner, non-IT executives are often reported as being concerned about the possibility of some sort of cyber incident, “but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT”.

“This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be equally debilitating,” he wrote.

Turner argued that organisations would be better off by appointing an executive whose primary responsibility is information security. Such a role is already present in many boardrooms around the world, under a variety of different job titles. One common title is ‘chief information security officer’ (CISO).

“Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly,” Turner wrote. “Information security is a safety net for organisations, and must be guided by an informed executive.”

Why not IT?

So, what is wrong with lumping responsibility for information security in with the IT department’s function? Sally Parker, Research Director for Data Driven Intelligence at IDC, said that it’s necessary to consider information security from a broader perspective.

“Certainly there are the ‘technology’ related aspects and the IT department is arguably the most informed and historically the most equipped to deal with this. There are also the ‘people’ and ‘process’ considerations — this is not new,” Parker said.

But information technology is becoming increasingly entrenched in business processes and functions, and as a result, information security has ramifications that extend beyond the IT department.

“As organisations become more reliant on cloud, mobile, social technologies to do business, and as the value of the data we collect from new and enhanced sources becomes more valuable, the breadth of stakeholders within the organisation expands,” said Parker.

“The question then becomes one of governance and where responsibility for governance should lie. The reality is that in Australia this varies considerably, and yet responsibility for a breach clearly lies with the executive committee and ultimately the CEO,” said Parker.

Changing attitudes

According to Parker, attitudes towards security at the executive level are changing, driven by several factors. One factor is the emergence of the public cloud, and the ease with which it allows new companies to pop up.

“The rate and pace of change in technology today is unprecedented. If you think about it, public cloud has levelled the playing field, permitting anyone with a good idea to not only take it to fruition at low cost, but also to a global market, overnight. New collaborative marketplaces are popping up on a daily basis and challenging established players,” said Parker.

Some older, more established companies are looking at these new, digital companies and taking note.

“The new players have an enviable agility, lacking the ‘legacy’ baggage of the established players. In short, the industry is undergoing a mindset shift that is rippling through organisations at variable paces. This in conjunction with high-profile breaches and an increased number of attacks in unexpected industries (ie, ransomware in the healthcare industry) is capturing the attention of the executives, and security has become a boardroom discussion for many already,” said Parker.

Parker said that the way organisations view cybersecurity is shifting. She pointed to the results of IDC’s recent 2016 C-Suite barometer research project, in which the analyst firm asked 170 Australian organisations about the importance they placed on cybersecurity.

That research revealed that in 50% of organisations, cybersecurity is now one of the top priorities for the board of directors, and for 42% of organisations, cybersecurity is an important KPI of the management team.

Lydie Virollet, market analyst at IDC, added: “There has been a shift in the view organisations have on security, from a pure control function to a digital resilience tool. This understanding of the crucial aspect of security now needs to be widespread to the bigger crowd, in order to build the workforce that is needed to protect our rising amount of data and devices.”

Implementation of the role

Exactly how an organisation implements the role of information security executive can differ, depending on its specific needs.

“There are many questions that executives need to be asking themselves when creating a CISO role, or appointing someone to this role,” said IBRS’s Turner. “You must have a CISO that’s actually going to make a difference, so it’s vital you know what that difference should be. This conversation also needs to be revisited as the organisation matures.”

The nature of the information security executive’s role has changed over time. “I think the key point to note around the role of a CISO is that cyber risk maturity is a rapidly evolving area,” said Turner. “The CISOs we have now need a broader skill set than they did 10 years ago. They need so much more than just to be the last technician standing by the time the job title is handed out.”

According to Parker, an effective information security executive needs a variety of traits. “Today, security considerations and associated discipline must be infused across the organisation and intrinsic to the business,” she said. “A good CISO will not only be technically proficient but also a collaborator, influencer and potentially an interpreter within their organisation.”

One key decision when considering the structure of the information security executive position is how that executive sits in the corporate hierarchy, including who they report to. Parker’s view is that the responsibility for an information security breach ultimately lies with the CEO.

“Consider the now-infamous Target data breach that resulted in the departure of veteran CEO Gregg Steinhafel and lack of confidence in the board, and the many examples since,” she said. “Visibility of the potential exposure across the organisation — particularly as the bench of stakeholders expands, and particularly where technology initiatives are increasingly funded outside of IT — is imperative.”

“Equally important, the post-breach action plans — how an organisation responds to a breach — can have a greater impact than the breach itself,” she added.

In some scenarios, it might make sense for the information security executive to report directly to the CEO, without an intermediary.

“Depending on the size of the organisation and the definition of the role, the right CISO might report to the CEO. It’s ultimately about getting the right information to the board in the right language to derive the best outcome for the organisation,” said Parker.

According to Frost & Sullivan Industry Principal, Cyber Security Practice Charles Lim, the nature of the information security executive’s role varies, depending on their exact reporting line.

“Currently we observe that CISOs either report to the CEO directly, or to the CIO,” said Lim. “Reporting to the CIO enables him/her to oversee cybersecurity as part of his IT strategy planning and also co-sharing of IT headcount between the chiefs.”

On the other hand, Lim added that “CISOs that report to CEOs will tend to play a heavier role in boardroom conversations and as an advisor to the CEO on security matters”.

“For this structure, most CISOs have teams that are dedicated to performing daily monitoring tasks with security analysts, to meeting compliance requirements with governance and risk professionals.”

Lim also noted the importance of communication in keeping everyone on the same page. “It is important that CISOs and CIOs need to have strong communications and collaboration between them to ensure that all IT initiatives have the security team involved,” he said.

According to Turner, an organisation’s choice of who an information security executive reports to is a reflection of how well that organisation understands cybersecurity.

“I think seeing a CISO’s reporting line gives a good indicator of how mature an organisation is in understanding its cyber risks and responding to these. Having a CISO report to a CIO shows that the organisation’s executives think that cyber risk management is purely a technical issue and that is a mistake,” he said.

“However, it’s a starting point, and it’s then the CISO’s job to educate the executives on cyber risks so they can make informed decisions.”

That said, according to Turner an ideal reporting line for an information security executive has yet to be established. “But I would be encouraging executives to ask whether they see the role as operational or oversight and advisory. Some organisations need the first, some need the second, and some will need one role that covers both.”

Information security executives typically play some role in budgeting for security spend around the organisation. Lim said that at this point, while his firm doesn’t see CISOs having a say in how much other departments should spend, CISOs “are usually in the role of the final decision-maker on the budgets that are to be approved for security spend”.

“Usually CEOs (or CIOs, depending on the structure) will have to run through with the CISO on his forecast for security spend in the year, so the CISO role will need very strong experience in understanding the end-to-end needs of cybersecurity in people, process and tools that need to be maintained and improved for a year, and justify that spending,” Lim said.

Smaller companies

But while large enterprises may be increasingly giving information security a voice at the executive level, that may not necessarily be the case at smaller organisations. Frost & Sullivan’s Lim said that while some large enterprises may delegate information security responsibilities to a CISO, “in smaller organisations we observe that MIS usually has to take that de facto responsibility, and [it] struggles in providing justification on improving IT security, due to the lack of focus”.

And when a smaller organisation does hand security responsibilities off to the IT department, “the organisation usually ends up spending a lot more time reacting and recovering from security breaches due to inadequate protection systems in place”, Lim said.

“In the light of the sophisticated attacks today that may impact business operations, organisations should recognise the need for a dedicated security executive in not only managing security controls, but to also plan proactively for the right controls in place and ensure prevention and detection systems are constantly upgraded to mitigate the latest threats,” he said.

In these smaller companies, as in the larger ones, this information security executive can evaluate and justify security spending to help senior management more promptly make decisions that lead to security improvements, Lim said.

However, in smaller organisations, it may be difficult to convince management that a new executive — perhaps with its own team — is required. In these smaller organisations, where budgets are tight, “security is usually not the top of mind for spending in the areas of manpower”, Lim said.

“Therefore, today it is really important for business owners to look at cybersecurity as part of their business-enabling strategy, to understand that it is not something bolt-on, [but] rather a key area that must be addressed when they roll out new IT-enabled services and design-in the process, which we call ‘security by design’,” Lim said.

But while a smaller business may find it difficult to address its information security needs, such a business might look at employing a managed security service provider to help them with its InfoSec requirements, Lim suggested. Such an arrangement would typically involve a monthly payment and is likely to cost less in upfront investments, he said.

Image courtesy Stephen G. Barr under CC BY-SA 2.0