The cyber-accountable Chief Information Officer (CIO) - a strategic role

To work in cyber-security, flexibility and agility are key. The Chief Information Officer (CIO) or equivalent is responsible for managing and mitigating the risk of a cyber-attack, but that risk evolves constantly, and attacks grow in scale and ferocity as businesses move towards a digital future. The CIO must evolve with it. More importantly, businesses must elevate the CIO's role and prioritise cyber-security to ensure survival.

This is not yet happening as comprehensively as it should. According to recent research, only two percent of FTSE 350 boards have a board-level CIO, CTO or CDO who could be held to account when the inevitable breach occurs. The boardroom will need to adjust, not least because this is where the buck stops when the worst happens.

GDPR and cyber-security

This year, cyber-firms – along with many others – have the fast-approaching General Data Protection Regulation (GDPR) to grapple with alongside their existing operations. The implementation date of 25 May is getting closer and many firms are not yet ready. For the CIO, it is important to understand how the new legislation will affect a business's cyber-security efforts.

There are two main areas that will need to change: the timeliness of reporting and the diagnosis of breach severity. From the end of May, a business that suffers a personal data breach – whether through a hack or by losing the data – must report it to the relevant Data Protection Authority (in the UK, the Information Commissioner's Office) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Lawyers will advise that such low-risk breaches of non-critical data need not be reported, but what if a superficially 'minor' breach was the precursor to a more targeted, more damaging attack later on? Vigilance is crucial, and every breach, reported or not, must still be documented internally.

This means businesses – or more specifically, the CIO – must understand the activity within the corporate environment at an extremely granular level. They need systems that separate the 'signals from the noise' and surface anomalous behaviour, so that evolving threats can be monitored. Real-time analysis at the network level is one means of achieving this clarity. Organisations also need to gauge the severity of a breach accurately: underestimating it can mean the breach is reported too late, or not at all, and that is where the fines bite.

Responsibility for personal data

Another area that the CIO will likely take charge of is the control and protection of personal data, which is at the core of GDPR. It is here that a business has an opportunity to inspire trust and to reassure customers, who are increasingly alert to their data privacy, that their data is handled properly.

Understandably, the CIO will have limited resources to deal with this, so appointing a data protection officer is a smart solution (and, for some organisations, a GDPR requirement). This role entails taking responsibility for reviewing and understanding the data the business holds: why it is held, how consent or another lawful basis for processing was obtained, and with whom it will be shared.

The data protection officer will also need the right tools in place to monitor irregularities, and will need to work with the wider network team. Real-time analysis at the network level shows which files or data have been transferred out of, or viewed within, the network environment. That record supports breach reporting, lets the organisation understand quickly which data has been accessed and how to respond, and gives it the means to manage the reputational fallout of a breach.
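As an added example (not code from the article or from Nominet) of what "separating the signals from the noise" at the network level and "knowing which files left the environment" can look like in practice, the script below scores each host's outbound flows against that host's own median flow size, flags oversized transfers to external destinations, lists the file names involved for breach scoping, and computes the 72-hour notification deadline from the moment of awareness. The flow records, the internal DNS suffix `.corp.example`, the discovery time and the threshold values (`ratio`, `min_bytes`, `min_samples`) are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

INTERNAL_SUFFIX = ".corp.example"   # assumption: internal destinations share this DNS suffix

# Constructed sample flow records: (timestamp, source host, destination, bytes sent, file name).
# "-" marks ordinary web traffic with no file attribution.
SAMPLE_FLOWS = [
    ("2018-05-28T09:00:00Z", "ws-017", "fileserver.corp.example", 120_000, "Q1-forecast.xlsx"),
    ("2018-05-28T09:12:00Z", "ws-017", "mail.corp.example", 95_000, "memo.docx"),
    ("2018-05-28T09:40:00Z", "ws-017", "fileserver.corp.example", 140_000, "staff-list.xlsx"),
    ("2018-05-28T02:15:00Z", "ws-017", "203.0.113.45", 30_000_000, "customer-export.csv"),
    ("2018-05-28T10:00:00Z", "ws-042", "cdn.example.net", 50_000, "-"),
    ("2018-05-28T10:05:00Z", "ws-042", "fileserver.corp.example", 60_000, "notes.txt"),
    ("2018-05-28T10:30:00Z", "ws-042", "fileserver.corp.example", 55_000, "notes.txt"),
    ("2018-05-28T11:00:00Z", "ws-042", "updates.example.net", 400_000, "-"),
    ("2018-05-28T11:30:00Z", "ws-099", "backup.vendor.example", 5_000_000, "archive.zip"),
]

# Constructed: the moment the security team became aware of the suspicious flow.
DISCOVERED_AT = datetime(2018, 5, 29, 8, 0, tzinfo=timezone.utc)


def parse_flow(record):
    """Turn one raw record into a dict, marking whether the destination is external."""
    ts, src, dst, nbytes, fname = record
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src,
        "dst": dst,
        "bytes": int(nbytes),
        "file": fname,
        "external": not dst.endswith(INTERNAL_SUFFIX),
    }


def flag_anomalous_egress(records, ratio=10.0, min_bytes=1_000_000, min_samples=3):
    """Return (flagged, no_baseline).

    flagged:     {host: [flow, ...]} for external flows at least `ratio` times the
                 host's own median flow size and at least `min_bytes` in size.
    no_baseline: hosts with fewer than `min_samples` flows. They cannot be scored
                 against their own history, so they are returned for manual review
                 rather than silently passed as clean.
    The median is used as the baseline because one huge exfiltration flow barely
    moves it, whereas it would drag a mean upwards and hide itself.
    """
    by_host = defaultdict(list)
    for rec in records:
        flow = parse_flow(rec)
        by_host[flow["src"]].append(flow)

    flagged, no_baseline = {}, set()
    for host, flows in by_host.items():
        if len(flows) < min_samples:
            no_baseline.add(host)
            continue
        baseline = median(f["bytes"] for f in flows)
        hits = [
            f for f in flows
            if f["external"] and f["bytes"] >= min_bytes and f["bytes"] >= ratio * baseline
        ]
        if hits:
            flagged[host] = sorted(hits, key=lambda f: f["ts"])
    return flagged, no_baseline


def files_exposed(flagged):
    """Distinct file names seen in flagged flows: the starting point for scoping
    which personal data may have left the environment."""
    return sorted({f["file"] for hits in flagged.values() for f in hits if f["file"] != "-"})


def notification_deadline(aware_at, hours=72):
    """GDPR Article 33 clock: 72 hours run from when the controller becomes aware."""
    return aware_at + timedelta(hours=hours)


def detection_lag(flagged, aware_at):
    """Time between the earliest flagged transfer and discovery; a long lag is the
    'reported too late' risk the text warns about."""
    earliest = min(f["ts"] for hits in flagged.values() for f in hits)
    return aware_at - earliest


if __name__ == "__main__":
    flagged, no_baseline = flag_anomalous_egress(SAMPLE_FLOWS)
    for host, hits in flagged.items():
        for f in hits:
            print(f"{host}: {f['bytes']:,} bytes to {f['dst']} ({f['file']}) at {f['ts'].isoformat()}")
    print("Hosts without a usable baseline, review manually:", sorted(no_baseline))
    print("Files to scope:", files_exposed(flagged))
    print("Detection lag:", detection_lag(flagged, DISCOVERED_AT))
    print("Notify DPA by:", notification_deadline(DISCOVERED_AT).isoformat())
```

Two design points worth noting: a per-host median baseline means normal heavy users do not trip the check merely for being heavy, and hosts with too little history are surfaced rather than assumed safe, which is exactly the case (a quiet workstation suddenly sending one large archive) that a mean-based, single-threshold rule tends to miss.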

Redefine the CIO

We know what a CIO needs to respond to, but where are we starting from? Historically, IT Directors and CIOs focused solely on operational activities: keeping the lights on, keeping risk low, keeping systems running. Today we are seeing a necessary transition of the role, from functional CIO to strategic CIO.

The change won't happen overnight. It takes time for people with the right ambitions, brought up in a context of risk mitigation and operations, to transition into a role of business strategy and vision. The change will also require support from the board, who must help these individuals define the strategic implications of new regulations like GDPR and the opportunities that new platforms, channels and technologies open up. The evolution of the CIO's role requires guidance; cyber-accountability is a team game, and one that more boards need to be playing seriously.

Contributed by Simon McCalla, CTO, Nominet.  

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.