Why CISOs are not the sole authority on cyber security

It may come as a surprise, but a chief information security officer (CISO) is not the sole authority on security with an organisation. While someone needs to be ultimately responsible for security, leading it by simply issuing instructions will only lead to a very one-sided view of an organisations risk profile and capabilities. Instead, given the rapidly evolving nature of cyber risks, the true strength of an organisation’s cyber security lies in the combined strength.

The importance of multiple views

Without doubt, the role of a CISO has changed significantly over the years. And this is not just because technologies have become more complex, which in turn means cyber criminals are also now more sophisticated than ever.

But the biggest change is the environment in which security and risk functions operate.

Recent cyber-attacks have gleaned significant media and regulatory attention, which in turn means cyber security is getting more attention from boards, stakeholders and customers.

However, although concern is legitimate, complete aversion of cyber risks by burying one’s head in the sand, or purchasing a lot of expensive technology to be as ‘protected’ as possible, is no longer an adequate solution.

The combination of increasing regulatory changes and public awareness of how data is stored and used means effective risk management must focus on having a full and thorough understanding of areas of exposure across the whole organisation, and building a capability to effective manage those risks.

The only way to achieve this necessary understanding is to combine expertise, knowledge and viewpoints from multiple teams. This means the role of CISO cannot simply be about having the one authoritative opinion on what should or should not be done, but instead bringing together different perspectives into a single point of view and strategy.

Leading the right team

Security is not a function, it’s a capability. While that may seem self-evident in many ways, what is important is that an organisations’ ability to effectively monitor and manage risk comes from having a fully integrated team, across multiple business functions, that work effectively together.

This means effective risk management requires not only overseeing different teams, such as compliance, operations, and IT, but understanding the data and viewpoints they can each provide, and ensuring they are all communicating with each other.

Information must also flow in both directions; the process cannot just about having different teams ‘reporting in’. Security has to be something that enables rather than restricts. Simply saying something can’t be done can be prohibitive to growing a business. Asking how it can be done effectively, safely and securely can open a dialogue to developing new technologies and procedures that are advantageous.

It’s also important to remember that the role also includes working with teams outside those typically associated with security functions. A large part of cyber security comes down to people risk, ranging between simple mistakes to deliberate misfeasance.

So, in order to respond effectively to something simple, such as a phishing attack, in addition to lining up security and IT teams, a CISO also needs to work closely with HR, communications and finance teams. This is necessary to ensure messaging and training are also lined up to make sure those likely to be on the front line of an attack are well prepared. 

Establishing culture

As well as leading and collaborating with teams, effective cyber security relies on a business embedding a culture of awareness and compliance at every level.

Cyber security is not usually about big decision making; rather it’s about the small decisions that every employee makes every day. This comes down to things such as ‘should I send this email to all of these recipients?’, ‘do I need these attachments?’, or ‘should I click this link?’.

This further points to why a CISO cannot simply be the sole authority on cyber security issues. Simply telling people what to do isn’t effective. Instead the role carries the responsibility of helping an organisation establish has a fully embedded top-down culture of awareness and compliance from its most seasoned board member to its newest recruit.

The shift to establishing a culture is hard work. It takes time and effort and there is no silver bullet. However, in getting all teams within a business working together with a fully aligned strategy, you lay the foundations for a deeper ingrained culture of compliance and awareness.

Conclusion

A CISO’s role is not only complex, but it involves a huge amount of responsibility. The key therefore lies in utilising the talents, insights and opinions of all teams that connect with a CISO’s role and uniting them into a common strategy. While cyber risks continue to develop and change, it’s only by having this full 360-degree outlook on this changing landscape that any organisation can be properly prepared.

By Matt Palmer, chief information security officer, Willis Towers Watson