Does the UK need a chief information security officer?
While most of the media understandably covers the search for a new President of the United States, we couldn't help but notice another job going begging at the White House: CISO. Which got us to thinking...
Does UK cyber-security need a Fat Controller? (Pic: drusillas.co.uk)
There's no denying that the title of ‘Federal Chief Information Security Officer, Executive Office of the President of the United States of America' has a ring to it. With great job titles come great responsibilities, and this is no exception.
“The Federal CISO establishes the direction of Federal cybersecurity policy and strategy (in accordance with direction provided by the Federal Chief Information Officer), to include management practices, budget priorities (in coordination with Office of Management and Budget Resource Management Offices), and for overseeing implementation across the entire government.”
Of course, most every large organisation that takes security seriously already has a CISO. With the notable exception of one that we can think of: UK plc.
Isn't the UK government long overdue a CISO itself? That's the question we have been asking the IT security industry, and the myriad responses have resoundingly agreed that the answer is yes. Which should surprise nobody – after all, anything that hardens our national cyber-security posture through policy and implementation would have to be a good thing.
Vidur Apparao, CTO at Agari, is in no doubt that the threat from cyber-criminals is getting more serious, so the Government certainly needs to raise the bar. “The key way to do this is to hire a cross-departmental CISO,” Apparao said, speaking to SCMagazineUK.com. “The UK government axed its cross-departmental Chief Information Officer role a couple of years ago, so creating a CISO role is all the more of an urgent need.”
But why stop at just a CISO? Neil Thacker, information security and strategy officer EMEA at Forcepoint, reckons that UK plc “would benefit from both a chief security officer (CSO) and a CISO. Currently a number of roles exist with a focus on specific areas of cyber-security, but none of these have a comprehensive view.”
Thacker says that a fresh approach is necessary from a duo that understands the scale of the problem and is able to manage the current heightened level of urgency. As long as the CISO were “given the authority to implement change, rather than simply be a figurehead”.
Thacker's argument is that a CISO would bring ownership and the opportunity to build a strong multi-national coalition with other CISOs across the globe. And an assigned stakeholder such as a CSO would ensure the right spend is being made in the correct areas to fill the countermeasure gaps and position the overall risk exposure for UK plc back to government.
However, a CISO does not necessarily guarantee security success, as Radware's regional director Adrian Crawley says. “Interestingly, the US has had a ‘Cyber Czar' role for over a decade and lots of commentators argue that the impact and results of this role has largely been a failure.”
Maybe we need to ask, then, if the UK needs a CISO for enhanced cyber-security protection? “While the answer might be yes on paper,” Crawley agrees, “the impracticalities of making it happen coherently and dare I say quickly, might outweigh the benefits. Only if this role is commensurate with responsibilities and authorities can it be a success.”
Elad Sharf, security research manager at Performanta Ltd, adds, “The size of the country itself poses a challenge which means it would make more sense to establish a task force or a group of CISOs (with an appointed lead) to protect the country.” he told SC. “At the moment there are government bodies like CERT UK and GCHQ whose main focus is to protect the UK. What is missing is a clear effort to bring all the different security programmes that the government endorses under one roof so they're as effective as they can be.”
Simon Kouttis, head of cyber security practice at Stott and May, agrees that it is “alarming how many government departments have contracted heads of security on short-term contracts resulting in a disconnected silo approach”.
However, Kouttis also thinks a central figure would be able to help drive continuity and best practices across the UK. “A CISO for the sake of a figurehead would have limited impact,” he warns.
So what, exactly, would a CISO bring to the national cyber-security party that is missing from the current setup?
Easy, says Amichai Shulman, CTO of Imperva – it would bring “the same thing a CISO brings to a previously silo structured company with respect to cyber-security. Rather than each individual government section setting its own priorities, risk metrics and solution strategy, there will be one single hub which delegates specific tasks to individual sections based on a consolidated guideline.”
Dr Jamie Graves, CEO at ZoneFox, told us: "Within government there are multiple streams of cyber investment and research, but what we're lacking is a clear and coherent strategy across our intelligence services and central and local government. With a central strategy spearheaded by one CISO, we could ensure that police force's up and down the country had the right training to help their local communities with cyber-crimes.”
But doesn't UK GOV have enough IT security chiefs already, and isn't that part of the problem: too many cooks spoiling the broth?