
The CISO at the C-Suite

How should the Chief Information Security Officer engage at C-Suite and Board level?

Executive Summary

The Chief Information Security Officer is the C-Suite level role responsible for cyber security across an organisation. Beyond this generic description, however, the role of the CISO is not consistently defined, nor is the title consistently used. In this series of brief reports, we will explore how CISOs and their wider organisations can position the role to best effect, enabling and underpinning the rapid digital transformation, data-driven initiatives and cloud migrations that all organisations are adopting.

This initial report will tackle the key question of where the CISO ought to sit within the organisation. The most successful CISOs exert influence across the organisation, enabling change in technology and process, but increasingly also driving good cyber security practice into the wider business. Driving this cultural change across corporate silos is perhaps the most difficult task for CISOs; the diversity of their experience and technology focus remains both their greatest weakness and their greatest asset.

To overcome these broad challenges, the CISO must foster collaborative relationships with the C-Suite and Board levels. The relationships with the CEO, CIO and CFO and their respective functions must be used to give CISOs access, support and resources to drive wider cyber security transformation. Reporting lines need to be clear and drive collaboration and value, rather than the adversarial or confused structures too often seen across large organisations.

The CISO must sit at the heart of an organisation, never siloed or isolated. Cyber security is not simply a risk to be managed, but increasingly an enabler of all functions across all organisations because it allows growth by protecting the business.

Communicating effectively at all levels of an organisation is vital for CISOs, but success in the boardroom can unlock greater appreciation, support and investment for the role played by an effective cyber security strategy. Framing cyber security appropriately for Board members who are not versed in cyber is just as vital as communicating the threat landscape to the CISO's own function.

Organisations are becoming increasingly aware that many of these challenges can only be addressed through a strategic approach (and mindset) from the CISO, whether incoming or longstanding. Timescales for development should be agreed and adequately resourced, and priorities set accordingly across organisations. Cyber security is an issue for everyone, meaning the Board and C-Suite must support the CISO in collaborating beyond their current silo and immediate functions, securing and enabling digital transformation and business growth.

Recommendations

Recommendation 1: The CISO must have visibility of the wider business and be empowered to drive change where it is needed. Cyber security is a strategic level priority in all organisations and cannot simply be ‘managed’.
Recommendation 2: Transformative efforts must be placed in the right perspective: the CISO must agree the right timeframes for change, looking at longer-term transformation where necessary, beyond immediate tactical firefighting and quick wins.
Recommendation 3: Clear reporting lines and responsibilities ought to be established from the outset. This can enable the C-Suite to set objectives indicative of the broader digital transformation that the organisation wants to see.
Recommendation 4: The CISO function – irrespective of its reporting line – is able to most effectively drive change with clear, independent budget approved by the Board and commensurate to the agreed transformation objectives.
Recommendation 5: The CISO must be able to communicate in Board level terms, framing cyber security as a business enabler and identifying actions/initiatives in terms of business value rather than risk. This extends to regulatory requirements and how they translate into planned initiatives. A consistent communication approach, with easily understood messaging and content, is important to build understanding and support.

Case Study

The Board Perspective

Jacqueline de Rojas CBE, President, techUK and Non-Executive Director, Rightmove, Costain, FDM Group

1. Give the wider Board a grounding in Cyber

Cyber security skills are rare on most Boards. A CISO would find themselves very lucky to be in the company of Board members with comparable knowledge of cyber matters. This is why it is crucial to build awareness at Board level about how cyber security can impact business initiatives and customer confidence both positively and negatively. Being able to articulate the value of cyber security can bring confidence to decision-making in relation to technology investment. Having regular updates and contributions from the CISO on risk broadens this conversation.

There are a number of areas to focus the Board’s mind around cyber security, from a discussion on the latest high-profile breach to having some external briefings on emerging threats. By always contextualising to business strategy, value and threat, the Board will develop a foundational level of knowledge and an understanding of the importance. Not a risk or standing agenda item, but an enabler.

It is unhelpful to have cyber security characterised as a necessary evil or governance function. The Board drives the business agenda, so changing the narrative to cyber security as an enabler of everything the organisation does will filter down through the organisation. Every critical business strategy incorporating technology should be examined with a view of the cyber security impact, necessary change and competitive advantage.

2. A shared responsibility

In a similar vein, every executive at C-Suite level has responsibility for cyber security. Reporting on cyber security compliance and risk doesn’t always create enough clarity for the Board on shared responsibility and value. Moving away from merely reporting on cyber security towards understanding it immeasurably improves its impact across the business. With recent calls for C-level executives and Boards to be directly responsible for cyber breaches and damage, it is essential that the whole organisation is cyber ready, and clearly that starts in the boardroom.

3. Prepare for policy and regulation

We all know that cyber security is a rapidly evolving landscape, and a busy policy space. My advice to organisations here is – don’t just monitor, get involved! Leverage your relationships with industry trade associations to put your organisation in a position where it can influence policy. If your business is doing something a certain way, or faces a unique challenge, the UK is lucky to have a strong public–private sector partnership model that can effect change and policy. It is also the best way to understand and react first to future regulation.

4. Strategize for the inevitable: expedite response and actions to recover quickly

All organisations suffer cyber security breaches: they are never expected and we do not always see them coming. My biggest piece of advice for Boards in this space is to operate with agility and flexible thinking. Build a diverse team that is able to understand, communicate and practise your response. Often, the scale of an attack and its repercussions change in minutes or even seconds, so being swift in decision-making and easily understood in terms of required actions is key.

Partnering with experts will enable you to challenge your thinking, respond at once and address the impact with aligned, transparent communication. It is a constant vigil to be prepared for threats but, ultimately, building a business with cyber at its heart will not only protect you; it will also build competitive advantage.

Operating in the C-Suite: where should CISOs sit?

Because it grew organically, the CISO role has often been poorly or inconsistently defined – too often with complex, niche descriptions that overcomplicate its key functions. Reporting lines change regularly and, in many cases, the C-level executives who interact with the CISO are the same ones who manage them.

The reporting line structure, and the dynamics between these roles, impacts how an organisation is run; and it can often highlight shifting priorities. Therefore, the reporting line should reflect the CISO’s role within the organisation, and more importantly the organisation’s cyber strategy and priorities.

There’s more than one way to organise your security team, but the CISO should not have multiple line managers across the silos in which they operate: this tends to create political friction and could curb their leadership potential and ability to deliver.

Nurturing effective relationships within the C-Suite

  • CISO and CIO: With different priorities – the protection of the business from cyber threats vs. the delivery of business value from technology – there can be a natural tension between these roles. Collaboration is, therefore, key. To ensure an effective relationship between the CIO and CISO, there must be a well-planned alignment and a common understanding of their respective priorities, with both being involved in the strategic planning process; clear boundaries, with an independent Information Security budget; and a clear organisational hierarchy.
  • CISO and CEO: A strong relationship between these roles enables the CISO to maintain their independence from other departments and prevent cyber security goals being subsumed by financial imperatives. However, to be successful in positioning cyber security as a business and growth enabler, the CISO must understand the CEO’s priorities and talk primarily about strategy and business protection scenarios, not just risk mitigation or technology.
  • CISO and CFO: Financial concerns can hinder this relationship, but it has the potential to be a powerful one. With the threat of ransomware attacks and escalating fines for data protection breaches, the CISO and the CFO should collaborate closely to ensure that the processes on which revenue generation depends are protected. Effective collaboration will involve CISOs communicating business protection in terms of cost and mitigations in terms of ROI. They must use business scenarios, not technology language, to demonstrate the impact of a security compromise.

In many ways, it doesn’t matter who the CISO reports to, if their role is appropriately understood, defined and supported to ensure they can deliver results in line with the business’s expectations. The best CISOs have good relationships across the C-Suite, increasing the focus on cyber, in terms of time, significance and budget. This goes for the relationship with the Board as well: the best CISOs are trusted by the Board because they deliver protection to the business.

Framing the value conversation with the Board

In the past the challenge for most Boards around cyber was understanding, insight and interest. That ambivalence was already ending before the COVID-19 pandemic, as cyber threats came to the fore of public consciousness. The challenge now is how we frame and discuss cyber security at Board level.

Still too often we discuss risk, potential damage and financial loss. The narrative should instead be a positive one, never more so than during the pandemic. Cyber security has enabled organisations to keep functioning in an increasingly virtual world: it has supported the huge move to home-working and underpinned new solutions for communication and data-sharing. In short, cyber security has allowed organisations to carry on amidst increased threat and a changing landscape. Boards should focus on this impact and success, unlocking further potential and support for the teams that keep the virtual lights on.

The CISO as a leader

To be effective and durable in a large organisation, the CISO should increasingly focus on the business and on value. The role should be reframed – away from purely managerial or technical expertise, and towards wider strategy and building a team with diverse skills. As a member of the leadership team, the CISO should shape the organisation's cyber security strategy, make informed decisions about business initiatives and the protection they need from cyber threats, and support the business in achieving its market-differentiating goals.

An effective team builder

Part collaborator, part influencer, the CISO creates internal and external teams and networks that are invested in the company’s security strategy; and champions the Information Security team as a crucial partner to the wider business across all corporate silos.

To build a team whose diverse business, technology, regulatory and market skills create a holistic view of cyber security, the CISO must be empowered by the Board and C-Suite to establish a function that actively seeks to create a more coherent cyber security culture across all areas of the organisation.

A crucial part of digital decision making

The consensus is that CISOs should be part of the organisation’s leadership team. If they work solely in isolation and don’t get involved in business initiatives proactively and from inception, they cannot be effective at protecting the needs of the business. This isn’t to suggest the role must necessarily be on an equal level with the CTO or CIO, but the CISO is an essential part of digital decision making – any unwillingness to collaborate will lead to increased risk, political friction and delivery challenges.

By involving the CISO in digital decision making, an organisation can ensure security factors are considered at the right time when making all decisions – avoiding security incompatibilities and unnecessary and unexpected expenditure. Greater collaboration will empower CISOs to take a holistic approach rather than reacting to risk as deadlines loom for new services being launched. This creates greater cyber security understanding and nurtures a top-down approach to business protection and value.

But too great an emphasis on leadership can create issues, too. CISOs and CIOs often have a strained relationship, with the CIO pushing for digital transformation and the CISO struggling to implement the security measures required to support it. To demonstrate importance to the wider business, the CISO must identify and promote themselves as a business enabler and be recognised in the same way by others within the company – because, in essence, good security allows growth by protecting the business. Friction between the two C-level executives most responsible for information must be avoided: the key issue is not the reporting structure; it is effective collaboration and communication.

Technology is moving rapidly and CISOs must demonstrate thought leadership by taking measures to mitigate the cyber threats of the future. They must be proactive in advancing security in emerging domains before problems arise. Part of this involves understanding the security challenges of the future and fostering adoption of emerging security trends.

Cyber security is a key business enabler today. But, as we move to a digital world that relies on technologies such as Artificial Intelligence (AI) operating with less human oversight, it is reasonable to expect that nearly every piece of technology we use in the future will be a target for attack.

As cyber criminals use these tools, the CISO’s leadership will become even more critical in ensuring their organisation can adapt quickly by implementing the most relevant and effective defences (for example, AI-based defences against AI-based attacks) to protect and underpin its business growth.

Conclusion

In summary, as we begin to explore the role of the CISO in 2021 and beyond, it is clear that the success of any individual in the role relies on them being suitably positioned, supported and enabled. Without Board buy-in or a clear and collaborative reporting line, CISOs will remain in fire-fighting mode, consigned to being a necessary evil or expense or, worse, an inhibitor to business agility, and will therefore fail at the proactive aspects of the role that offer most value: strategy, communication and leadership.

The key recommendations outlined at the outset of this report give the CISO role a mandate for adding differentiated value and creating a strong foundation of cyber security knowledge across the business:

Recommendation 1: The CISO must have visibility of the wider business and be empowered to drive change where it is needed. Cyber security is a strategic level priority in all organisations and cannot simply be ‘managed’.
Recommendation 2: Transformative efforts must be placed in the right perspective: the CISO must agree the right timeframes for change, looking at longer-term transformation where necessary, beyond immediate tactical firefighting and quick wins.
Recommendation 3: Clear reporting lines and responsibilities must be implemented from the outset. The C-Suite should set objectives indicative of the broader digital transformation that the organisation wants to see.
Recommendation 4: The CISO function – irrespective of its reporting line – must have a clear, independent budget approved by the Board and commensurate to the transformation objectives set by the Board.
Recommendation 5: The CISO must be able to communicate in Board level terms, framing cyber security as a business enabler and identifying actions/initiatives in terms of business value rather than risk. This must extend to regulatory requirements and how they translate into planned initiatives. A consistent communication approach, with easily understood messaging and content, is important to build understanding and support.

Enabling the role is only the start of the journey. Throughout this report we have touched on some of the skills, qualities and traits necessary for a CISO to be successful. But, arguably too often, we still focus only on technical expertise and experience and, while these are important, they are not the capabilities that will engage, lead and drive change across a business through the digital age.

The CISO we need in 2021 is not the CISO we needed in 2011, or even in 2016. The next report in this series will explore this idea in more detail, outlining what an ideal 2021 CISO profile would deliver to an organisation and how they can use the support detailed here to accelerate the transformation.

About techUK

techUK is the trade association which brings together people, companies and organisations to realise the positive outcomes of what digital technology can achieve.

techUK Cyber People Series

Cyber security technologies are constantly improving, supporting and strengthening the resilience of all organisations in ever more innovative ways. However, technological solutions can only ever be one part of an organisation’s cyber security strategy and defences. Without an informed and aware workforce and sound governance practices around cyber security all the way up to the Board, these technological solutions often fail.

The COVID-19 pandemic has made this more apparent as citizens and organisations have been forced to move more of their working and social lives online. Whether it be citizens protecting themselves as they use conferencing apps to meet up with friends; employees exploring new ways of working whilst still protecting business and personal data; or the Chief Information Security Officer (CISO) looking to maintain operational resilience in an increasingly remote environment; the common strand is that it falls to people to be cautious, smart and able to access the right information to make the right decisions.

The techUK Cyber People Series will be exploring how people can be the strongest element of the UK’s cyber defences. The aim of these reports is not to be prescriptive but to support organisations and stakeholders in making the right decisions, highlighting best practice across UK sectors and sharing insight from industry leaders across a range of topics. This first document starts at the top of the tree in terms of cyber defenders, looking at the role of the CISO and how it can be used to ensure a cyber-conscious culture across organisations and to implement the best cyber security strategy and posture.

Further planned reports will explore:

  • Digital citizens
  • Making informed buying/procurement decisions
  • Enabling a cyber-aware workforce
  • Developing the profession: giving entrants clearer career pathways
  • Building an effective cyber team

The focus here is primarily on larger organisations and corporates that have CISOs in post leading dedicated security teams. Scale heightens many of the challenges but also provides the resources to deploy cutting-edge capabilities. Smaller organisations often have a much smaller team dealing with cyber security and, as such, require a different structure. Further reports in this series will look at those issues more specifically.

Acknowledgements

  • Jacqueline de Rojas CBE, President, techUK @JdR_Tech
  • Jean-Christophe Gaillard, Managing Director and Founder, Corix Partners @Corix_JC
  • Jason Tooley, Membership, Finance and Performance Board, techUK