Paul Swarbrick gets a lot of calls about security jobs. As the former chief information security officer for NATS, the UK's national air traffic service, he was frequently probed on security issues. And his first response, he says, was to ask what's meant by ‘security’ – “Do you want a networking person who knows a bit about security, or a security person who knows a bit about networking? They're not the same thing.”
Indeed, the role of corporate information security – and with it, the role of the chief information security officer – is evolving and changing in the UK. No longer just the bailiwick of the techno-wonk, the job of CISO is becoming broader in many companies and agencies, as information security becomes a more high-profile and complex issue – one that is attracting more attention from the C-suite and the boardroom. Hence, the role of CISO is at a crossroads, a turning point where it could go in multiple directions.
“You hear ‘security architect’ a lot, and there's the thing,” says Swarbrick. “Is there such a thing as a security architect, because most of the time what people want is a networking architect who needs to design something that's secure.”
Is it network configuration? Is it information management? Is it physical controls over access to the building? “The answer is all of them,” says Swarbrick. But what is a CISO? “It's the person who can understand what you might be looking at. You're protecting the risks to the information, because the business is information.”
What's more, the attention paid to cyber security itself is shaking things up for CISOs right now, says Mike Loginov, CEO and founder of Ascot Barclay Cyber Security Group and director for learning at the ISSA CISO Security Leadership Academy. “It's an exciting yet daunting time to be a security professional generally regardless of what part of the world one operates from or which industry sector is represented,” he says. “The message that online and cyber security is a real issue with clear and present danger seems to be slowly getting through, but way slower than it needs to in order to counteract the level of threat activity and volume of attacks that are taking place.”
Loginov points out that with some 200 million active websites, plus another 500 million inactive URLs, physical security is now intertwined with the virtual world. Plus, Loginov says, cyber security is not just increasingly becoming intertwined with physical security, but with government. He cites comments made in July by MP Keith Vaz, chair of the UK Home Affairs Committee, who led a 10-month inquiry and published a subsequent report on e-crime. Vaz was reported as saying: “The threat of a cyber attack to the UK is so serious it is marked as a higher threat than a nuclear attack. You can steal more on the internet than you can by robbing a bank, and online criminals in 25 countries have chosen the UK as their number-one target.”
The attention from government, and regulatory changes surrounding cyber crime, are getting businesses to sit up and think, says Mike Jolley, head of information security and risk at the Yorkshire Building Society Group (YBSG). “[Many businesses] have moved from being reactive to proactive. They're not wanting to be in the spotlight.”
As a result, Jolley says, the role of the CISO has segued from “operational to more management and control”. At his company – which includes several operations – he leads functions that look after information security, data protection, disaster recovery, controls, risk and software asset management. “It's really become a fast-paced area,” says Jolley, who has held various roles in the military, police, public sector, retail and finance over the past 23 years. “There's huge change happening.”
Phil Cracknell, head of information security for delivery company TNT Express ICS, sees the role of CISO becoming further ingrained into the operations of business. “Helping businesses transition from physical to logical safety seems to be one of the most important challenges today,” he says. “[The CISO] is more of a collaborative figure than in the past, when security leaders inhibited progression and development and generally tried to defend their business by stifling growth. Security leaders of the future will be ‘wired’ into the world of cyber crime and fraud, and well versed in local or applicable legislation. The CISO is becoming a true board-level advisor.”
Where are they now?
The position of CISO may well be evolving, but where does it stand right now? Loginov maintains that the title ‘CISO’ is still relatively rare in the UK.
“Much like other CxO titles, such as chief executive officer (CEO) or chief operating officer (COO), the CISO tag in itself has a North American bias and there are a variety of titles used in the UK, and indeed across Europe, that would appear to cover the same remit of the CISO, including information security manager,” says Loginov. “The level of seniority, authority and influence of the CISO still varies greatly across the UK.”
Many CISOs still report to IT directors or CIOs, which, as Loginov points out, “would indicate that there is still some way to go before they are an integral part of the board. That said, what can be more important than securing a company's intellectual property and commercially sensitive data?”
Indeed, the changing titles reflect the changing role of information security chief, according to Swarbrick. “Ten years ago, I would have been head of IT security,” he says. “Then it was information security, and then information assurance, and now it's back to cyber security. So is it going to be cyber assurance next? And that's just the title. So think of the content.”
Depending on the company, the CISO might be either relatively weak in terms of what they can do, or have real influence on the board and the CEO. “In some companies, the role is still very much a tick in the box, a toothless tiger; in other, more progressive companies, the CISO is a critical enabler for the online journey,” explains Cracknell. “The role is at a crossroads right now, having elevated rapidly in the past five years.”
During the two-and-a-half years in his role as head of information security for Oxfam, Cal Judge has reported to the charity's chief information officer, largely due to “how I progressed into my current position,” he says. “Perhaps in the future my role will report to the finance and IS director.” Judge says he is very much focused on information risk across the organisation. His job is classified into three distinct areas: strategy, which is all about governance, risk and compliance (such as maintaining an information security strategy, writing policies and meeting compliance such as PCI-DSS); operational security, which is largely delegated to the IS support teams, but some of it still requires Judge to get involved; and security projects.