What risk areas should CISOs focus on today so that they are prepared for what the threat landscape will deliver tomorrow?
Wherever possible the CISO should move away from the technical detail towards a more core understanding of business management within the organization by which they are employed. Whilst the vector of threat will remain predominantly IT-focussed and technical in nature, risk management is conducted at an enterprise level and operates beyond the confines of IT risk. The downstream impacts of security are felt across the entire business, and therefore demonstrating this broader business knowledge to the C-Suite will create a deeper sense of understanding of the true role and relevance of security.
It's been said time and again that security is moving from the IT department to the boardroom. Based on your experience, how security savvy are today's company leaders in general?
For many UK-based CISOs, the recent UK Government initiatives have been a welcome boost to elevating the security agenda from the IT department to the boardroom; however, this brings issues to the security professional that they have not previously encountered. For many years information security professionals have sought to gain C-Suite attention. The question now is whether they can handle the attention they are receiving and respond in a manner which appeases an increasingly savvy executive and non-executive management community.
The fabric of the boardroom and audit committee is changing, with companies bringing younger, more progressive-thinking personnel to the decision-making table. These new leaders recognize that security is necessary to business risk management, but are questioning in their attitudes and will not tolerate a response based solely on policy-driven compliance developed in response to outdated theoretical exercises. There is little doubt that there has been an increase in awareness and understanding by business leadership around issues of information security. However, I believe the more relevant question to ask is who needs to become more savvy: the company leadership about security, or the security professional about business leadership?
What advice would you give to the CISO of a large organization who needs to outline security ROI to management?
Ensuring that information security projects are aligned to business projects is fundamental to demonstrating the ROI of security to the C-Suite. If you cannot establish the link, it is very difficult, if not impossible, to demonstrate anything further than intangible benefits.
Start by analyzing the projects across the business, not just those internal to IT, that security is enabling, and talk to the business stakeholders responsible for those projects. Ask how involved security is within the project and what the value of the project is to the business. If security activities were not aligned to the project, would the project have been successfully delivered? If security cannot align itself to such projects, ask yourself why these security projects are even being conducted. Are they solely delivering a whimsical judgement by the CISO and/or CIO on what they believe should be done, rather than a validated decision by the business?