There's no denying that the title of ‘Federal Chief Information Security Officer, Executive Office of the President of the United States of America’ has a ring to it. With great job titles come great responsibilities, and this is no exception.
“The Federal CISO establishes the direction of Federal cybersecurity policy and strategy (in accordance with direction provided by the Federal Chief Information Officer), to include management practices, budget priorities (in coordination with Office of Management and Budget Resource Management Offices), and for overseeing implementation across the entire government.”
Of course, almost every large organisation that takes security seriously already has a CISO. With the notable exception of one that we can think of: UK plc.
Isn't the UK government long overdue a CISO itself? That's the question we have been asking the IT security industry, and the myriad responses have resoundingly agreed that the answer is yes. Which should surprise nobody – after all, anything that hardens our national cyber-security posture through policy and implementation would have to be a good thing.
Vidur Apparao, CTO at Agari, is in no doubt that the threat from cyber-criminals is getting more serious, so the Government certainly needs to raise the bar. “The key way to do this is to hire a cross-departmental CISO,” Apparao said, speaking to SCMagazineUK.com. “The UK government axed its cross-departmental Chief Information Officer role a couple of years ago, so creating a CISO role is all the more of an urgent need.”
But why stop at just a CISO? Neil Thacker, information security and strategy officer EMEA at Forcepoint, reckons that UK plc “would benefit from both a chief security officer (CSO) and a CISO. Currently a number of roles exist with a focus on specific areas of cyber-security, but none of these have a comprehensive view.”
Thacker says that a fresh approach is necessary from a duo that understands the scale of the problem and is able to manage the current heightened level of urgency, as long as the CISO is “given the authority to implement change, rather than simply be a figurehead”.
Thacker's argument is that a CISO would bring ownership and the opportunity to build a strong multi-national coalition with other CISOs across the globe. And an assigned stakeholder such as a CSO would ensure the right spend is being made in the correct areas to fill the countermeasure gaps and position the overall risk exposure for UK plc back to government.
However, a CISO does not necessarily guarantee security success, as Radware's regional director Adrian Crawley says. “Interestingly, the US has had a ‘Cyber Czar’ role for over a decade and lots of commentators argue that the impact and results of this role has largely been a failure.”
Maybe we need to ask, then, if the UK needs a CISO for enhanced cyber-security protection? “While the answer might be yes on paper,” Crawley agrees, “the impracticalities of making it happen coherently and dare I say quickly, might outweigh the benefits. Only if this role is commensurate with responsibilities and authorities can it be a success.”
Elad Sharf, security research manager at Performanta Ltd, told SC: “The size of the country itself poses a challenge which means it would make more sense to establish a task force or a group of CISOs (with an appointed lead) to protect the country. At the moment there are government bodies like CERT UK and GCHQ whose main focus is to protect the UK. What is missing is a clear effort to bring all the different security programmes that the government endorses under one roof so they're as effective as they can be.”
Simon Kouttis, head of cyber security practice at Stott and May, agrees that it is “alarming how many government departments have contracted heads of security on short-term contracts resulting in a disconnected silo approach”.
However, Kouttis also thinks a central figure would be able to help drive continuity and best practices across the UK. “A CISO for the sake of a figurehead would have limited impact,” he warns.
So what, exactly, would a CISO bring to the national cyber-security party that is missing from the current setup?
Easy, says Amichai Shulman, CTO of Imperva – it would bring “the same thing a CISO brings to a previously silo structured company with respect to cyber-security. Rather than each individual government section setting its own priorities, risk metrics and solution strategy, there will be one single hub which delegates specific tasks to individual sections based on a consolidated guideline.”
Dr Jamie Graves, CEO at ZoneFox, told us: “Within government there are multiple streams of cyber investment and research, but what we're lacking is a clear and coherent strategy across our intelligence services and central and local government. With a central strategy spearheaded by one CISO, we could ensure that police forces up and down the country had the right training to help their local communities with cyber-crimes.”
But doesn't UK GOV have enough IT security chiefs already, and isn't that part of the problem: too many cooks spoiling the broth?
The confusion about who has the lead when it comes to cyber-security strategy was made obvious recently when the announcement about a National Cyber Centre came from George Osborne despite there being ministers in the cabinet with specific cyber-security roles.
“A CISO role in the UK government has the opportunity to provide a coherent view across the concerns of the various groups,” insists Brian Chappell, director of technical services at BeyondTrust. “It needs someone who has IT security experience to ensure that it's not just a facilitator but rather someone who can drive cyber security strategy as well as bring it to bear.”
Catalin Cosoi, chief security strategist at Bitdefender, agrees but points out that a key reason the UK may be struggling in this area is because it's not easy to fill this position. “It requires a high level of skill in multiple disciplines, excellent communications skills, hands-on experience, and the ability to see the big picture,” Cosoi told us, “while having in-depth knowledge of the security industry.”
Michael Fimin, CEO of Netwrix, suggests that at a national level it's not about technologies, it's about the mindset. “While some companies appear to have a clear vision of their security strategies, others seem to be in need of guidance and are still in the dark ages when it comes to cyber-threats protection,” Fimin insists. “A CISO could oversee the establishment of unified cyber-security regulation at state level.”
And at an international level? “The UK CISO also would be an ambassador,” Fimin says, “representing Britain in talks with CISOs of other countries of the EU or the US.”
So who could fill those CISO shoes?
Andrew Nanson is currently CTO cyber at CORVID, but previously acted as technical lead in the provision of the NATO Computer Incident Response Capability (NCIRC) as well as designing and implementing the Metropolitan Police Counter-Terrorism Hi-Tech Forensic laboratory.
SC asked Nanson whether an existing appointment already comes close to fulfilling the CISO role.
We suggested maybe Matthew Gould, director of Cyber Security and Information Assurance at the Cabinet Office, or perhaps Robert Hannigan, director of GCHQ, or even Ed Vaizey, minister of state for culture and the digital economy, whose responsibilities include cyber-security and telecoms resilience.
“There is no single lead agency responsible for UK cyber-security and that's the main problem – the NCA, CPNI, GCHQ and OCSIA all play a role,” Nanson said. “The government needs to pick the most credible organisation and assign the appropriate budget to them. I think GCHQ is the most credible agency within this space and therefore Robert Hannigan should assume this role.”
We will leave the last words to Ross Brewer, vice president and managing director of LogRhythm, who summed up the feeling of much of the UK IT security industry when he told us: “Appointing a CISO will indicate that the government is taking cyber-security much more seriously. Without this commitment and leadership in place, organisations will become a vulnerable target – which the UK government cannot afford to let happen.”