Not so long ago CISOs were like football managers – the fall guy for an organisation's cyber-security failures with a life expectancy in the role of about 18 months. We've had a breach, it's a tech issue - sack the CISO.
This game of shifting responsibility changed when the Target CEO got his marching orders following a breach. Information security became a board issue. CISOs are now expected to understand and articulate the business risk of cyber-threats to a non-tech audience, become educators for both the board and the workforce as a whole, liaise with and reassure compliance officers and be aware of legal and regulatory obligations.
The CEO is where the buck stops and any doubts about personal responsibility must surely have been dispelled when Walter Stephan, CEO of Facc AG, lost his job - deemed by his supervisory board to have ‘severely violated his duties,' after the company lost £38 million in the ‘Fake President' phishing scam this year. So the CEO, the CIO and the rest of the board can't offload all tech risk – but its potential impact is too great, so they need high-level informed advice to aid decision-making and prioritise expenditure.
Michael Sutton, CISO at Zscaler agrees, telling SCMagazineUK.com: “What's driving the change is that (cyber-security) is now on the boardroom agenda. Five years ago the board didn't talk about it at all, now it will be at least a quarterly topic if not monthly as breaches have become commonplace, and the CEO is now accountable. These changes have given the CISO a louder voice.”
Yet, while two-thirds of FTSE companies were hit by a cyber-attack in the past year (The 2015/16 Cyber Governance Health Check) only five percent of UK corporate leaders consider cyber-security a priority for their business (VMware research). Farida Gibbs, CEO & founder of Gibbs S3, commented on the research saying: “Cyber-security is often perceived as being less business critical than implementing the latest digital innovations, but as seen by TalkTalk and Ashley Madison, one severe breach can do incredible damage to a company's reputation.”
Who is held accountable?
Jeremy van Doorn, director of network & security, VMware EMEA noted that his company's research found 29 percent of UK IT decision makers and office workers believed it was the CEO who should be held accountable for a significant data breach. “The issue around accountability is symptomatic of the underlying challenge faced as organisations seek to push boundaries, transform and differentiate, as well as secure the business against ever-changing threats,” commented Joe Baguley, CTO, VMware, EMEA.
Among the more savvy boards the call is to ramp up cyber-security and appoint a top notch CISO, to protect themselves and their organisation. Wage inflation is rampant – with the biggest salary increases in tech going to cyber-security (see opposite). Demand for talent outstrips supply and IT professionals from other disciplines are flocking to the information security sector – and increasingly non-IT MBAs, too.
As Baguley noted, “Security is not just about technology. ... this can't be about lock-down or creating a culture of fear. Smart organisations are enabling, not restricting, their employees – allowing them to thrive, adapt processes and transform operations to succeed.”
Sutton adds: “You can't be seen as the person who always says NO – you need to be seen as a business enabler. Find where you can prevent risk... see how [staff] can be empowered to achieve what they want to do while mitigating the risk.”
However, for 28 percent of execs in a Russell Reynolds Associates survey, a decision by their CISO had hurt the business. When it came to the skills gap among their security professionals, the weak spot was the ability to understand business, cited by 72 percent of respondents, with 42 percent mentioning communication. Just as worrying for a profession that prides itself on technical ability, technical skills were also cited as a weakness by 46 percent of execs. IT leaders themselves think that more than 29 percent of their teams need to be replaced to drive digital transformation and increase productivity, according to research by IT resourcing specialist Experis. Yet 71 percent of IT teams responded that they feel their skills and knowledge are not being fully utilised.
Who fits the CISO role?
The CISO Mindmap from Rafeeq Rehman includes the usual security operations and identity management, as well as risk management and security architecture, but also now includes governance, compliance and audits, human resources, selling InfoSec internally, business enablement, project delivery lifecycle as well as budgets.
Bill Liguori, a partner at executive search firm Leadership Capital Group noted in ISMG that, “Our clients are asking for folks who can be business thinkers first, but have a good depth of technology security and engineering behind them. Because without that business concept, they're not going to build something that continues to grow the organisation.”
Stuart Wilson, VP EMEA, Alteryx Inc, agrees. In an email to SC he observed: “Organisations have become obsessed with hiring people with very specific digital skills, when it's the common approach and thought processes that underpin each of these skills which are the most important. These technical disciplines rely on a methodical, analytical way of thinking and that's what companies should look for in new hires and existing employees. Analytical thinking is one part of the process, but for every individual to truly know their business and make a difference, they need to have the technology available to them.”
When questioning experts in the field as to whether the CISO of the future needs to be first and foremost a technologist, or essentially possess the commercial acumen to understand risk, the answers varied, but the predictable yet true consensus is, it all depends.
Sutton told SC: “It's hard for the business to buy (services) with no understanding of security as the risks are ever more complex. A pure technician may not suffice either as they need to use their five minutes of board time wisely, and talking at a tech level will not get you far. The board wants to know the impact on the business, downtime, lost amount of money.” He suggests the need is for someone with, “...a technical grounding and with that background, someone who truly understands risks and can translate them.”
He adds that, “Some smaller companies are not able to justify getting a techie CISO – they may have someone wearing multiple hats – so it's a business decision. How do you supplement that role? You may need to outsource some of that where that's not a full-time job, and you'll get the economies of scale of using a specialist. If you can't justify a full-time CISO then a virtual CISO can play a consulting type role.”
One company to look at the different types of CISO in more detail is Russell Reynolds, whose global co-head, cyber-security practice, Tim Cook explained to SC Magazine UK his organisation's CISO model which ranks CISOs into four categories, dependent upon the risk profile of the company, from those with a low likelihood of attack and minor impact at level one; high likelihood and low impact at two; low likelihood and high impact at three, and high likelihood and severe impact from an attack at four, with seniority and responsibilities allocated to the role rising accordingly.
Looking at the model, Cook suggests most CISOs' capabilities are level one, where there are 60,000 to 70,000 people in large enterprises with a weak cyber-security function, many elevated from an IT function but with the same ability, and very few of whom can go on to level two or three. Controversially, Cook says there are only about 20 people world-wide that fall into level four, with the rest being two or three. While banking as a sector is better than most, here too Cook suggests most banks are a one or one and a half.
With professional cyber-security services companies growing by 25 to 40 percent per year, there is not enough talent in the market so companies are raiding each other and the CISO pool. It's not sustainable so the industry needs long term planning to bring new people in and look at new areas such as audit, plus encourage more at the graduate and apprentice level and consider training military veterans. Cook says he expects to see an emphasis on developing and retaining those on level two and three, with three to five year training programmes with commitment from both employer and employee to roles that stretch, train and develop the participant. Sutton suggests, “Maybe part of that can be formal education (MBAs etc), mentors, and making the most of the time they get with the board. You need not to be dismissed as just spreading FUD (Fear etc), so use it but not focus on it. What's already impacted competitors – focus on the real world – and what makes us different if that happened to us. And if you've just been lucky, say that, that it's a real threat – but here's the plan to mitigate that risk.”
Cook believes that who the CISO reports to is going to become a hot topic, suggesting it shouldn't be IT – noting that in banking in the Middle East it cannot be – but should be someone handling governance. And CIOs should recognise the benefits of a strong CISO, not see them as a challenger. Though Sutton notes that, “Often the CISO is put in an organisation where there is a conflict of interest, e.g. they may report to a CIO or CTO who has very different incentives. They need to keep the system up and running, you need to stop and fix it, or audit the found vulnerabilities and delay a launch.” He suggests that, “For 10 different companies there will be 10 different answers – the role is starting to migrate to reporting to legal, the board or the CEO – it's company specific. We want the CISO to have an adequate voice. Often the Chief Legal Officer won't have a conflict. Maybe it can be down a few levels but with regular boardroom level presenting so they can speak direct to the board and not through a proxy.”
Cook says that while the CISO may not always need to come from a technology background, that capability is needed within the function, perhaps in a strong number two, to evaluate the claims of the thousands of product and service offerings in the market. Cook adds, “Not now, but in the future it may be that a Chief Technical Architect, or Chief Technical Officer would report to the CISO to cover those more technical aspects.”
Sutton concluded with advice to CISOs: “Stay relevant. Make sure you succeed in the transition from perception as a cost centre to a profit centre. Don't hold back – if you don't succeed you won't get the resources you need to succeed.”
CISO salaries up, but candidates scarce
In January recruitment company BeecherMadden reported a rise in cyber-security vacancies of 68 percent and expected that same increase to continue, ultimately with 50 percent of cyber-security vacancies going empty. CISO salaries have gone up considerably in the last two years, with very few dropping below £100,000 a year. In the US Forbes reported senior cyber-security salaries jumping from US$ 380,000 in a January report to US$ 420,000 two months later.
Karla Jobling, COO at BeecherMadden, told SC that we're seeing “continued demand, and increased demand from different sectors. We've seen jobs this year coming from the companies you might expect that have had big cyber-attacks. Industries that traditionally wouldn't have recruited cyber-professionals are now putting whole teams in place.” And while only 50 percent of cyber-security pros are looking for a new role, nearly 75 percent have been approached by a recruiter or recruiting organisation, according to CSO Online.