CISO challenges and security ROI

Mark Brown is the Director of Information Security at EY. In this interview he offers guidance for CISOs, discusses the technical competence of company leaders, tackles security ROI, and more.

What risk areas should CISOs focus on today so that they are prepared for what the threat landscape will deliver tomorrow?
Wherever possible the CISO should move away from the technical detail towards a more core understanding of business management within the organization they are employed. Whilst the vector of threat will remain predominantly IT focussed and technical in nature, risk management is conducted at an enterprise level and operates beyond the confines of IT risk. The downstream impacts of security are felt across the entire business and therefore demonstrating this broader business knowledge to the C-Suite will create a deeper sense of understanding of the true role and relevance of security.

It’s been said time and again that security is moving from the IT department to the boardroom. Based on your experience, how security savvy are today’s company leaders in general?
For many UK-based CISOs, the recent UK Government initiatives have been a welcome boost to elevating the security agenda from the IT department to the boardroom; however, this brings issues to the security professional that they have not previously encountered. For many years Information Security professionals have sought to gain C-Suite attention – the question now is, can they handle the attention they are receiving and respond in a manner which appeases an increasingly savvy executive and non-executive management community?

The fabric of the boardroom and audit committee is changing, with companies bringing younger, more progressive-thinking personnel to the decision-making table. These new leaders recognize that security is necessary to business risk management, but are questioning in their attitudes and will not tolerate a response solely based on policy-driven compliance developed in response to outdated theoretical exercises. There is little doubt that there has been an increase in awareness and understanding by business leadership around issues of information security. However, I believe the more relevant question to ask is who needs to become more savvy – the company leadership about security, or the security professional about business leadership?

What advice would you give to a CISO of a large organization that needs to outline security ROI to the management?
Ensuring that information security projects are aligned to business projects is fundamental to demonstrating the ROI of security to the C-Suite – if you cannot establish the link it is very difficult, if not impossible, to demonstrate anything further than intangible benefits.

Start by analyzing the projects across the business, not just internal to IT, that security is enabling, and talk to the business stakeholders responsible for those projects. Ask how involved security is within the project and what the value of the project is to the business. If security activities were not aligned to the project, would the project have been successfully delivered? If security cannot align itself to such projects, ask yourself why these security projects are even being conducted. Are they solely delivering a whimsical judgement by the CISO and/or CIO on what they believe should be done, rather than a validated decision by the business?

Some advocate compliance while others blame it for giving a false sense of security. What’s your take on the good and bad sides of compliance?
Compliance is a necessary part of corporate governance; however, over the past few years the term compliance has become synonymous with security, providing a false sense of security to C-Suite decision makers. Whilst both terms are aspects of risk management, compliance determines a fixed set of responses normally based on regulatory or legislative drivers; on the other hand, security still requires a business to buy in to the need for policies and procedures and is focussed on corporate risk appetite and decision making.

Regulatory hooks can be beneficial to the Information Security professional in cascading a message which may have previously “fallen on deaf ears” within an organization. However, to push a topic that may not have regulatory impact, Information Security professionals should look at the upside of risk and communicate the positive benefits of putting in place security measurements.

As national and international legislative bodies examine the regulatory landscape and establish new instruments impacting the compliance burden associated with Cyber Security, the role of the CISO becomes one focussed on translating the often complex legal requirements into technical needs. These can be adopted by the business not just to keep itself out of trouble but indeed to expand business opportunities into new markets. Therefore any business which adopts a position of “we are compliant, therefore we are secure” is failing to recognize the true needs of the business and the opportunities that can come when an organization goes above and beyond regulatory compliance.