The changing role of the CISO was among the highlights of discussion in an expert panel at the SC Magazine Virtual Conference, alongside issues such as allocating the right security budget amid risk and threats amid a shrinking economy.
The speakers on the panel were Paul Harragan, director of EY, Becky Pinkard CISO for Aldermore Bank PLC and Sian John, CISO for Microsoft.
There was talk on data compliance, management and security, including cloud storage versus companies with their own data centres.
And the packed agenda also looked at how to map supply chain cybersecurity dependencies to identify the ‘weakest link’ as well as how to prepare for upcoming M&A cycles.
If your diary/workload didn’t allow you to attend the SC Digital Congress yesterday, you can still do so on catchup, with the full proceedings available here.
Here are some of the highlights:
To what extent has the role of the CISO changed?
Paul Harragan, director of EY
“I think it has evolved so that different companies choose to use CISOs in different ways. For me, the CISO drives efficiencies for the business - but it really just depends on how your business perceives the security function. In my personal opinion, they should have a valid seat at the table.
“The challenge is to understand how a business operates to drive those efficiencies. Yes, technical expertise is needed but we quantify and measure risk. That's our primary function now. We are trying to control risk for the business and ensure the business can work in the way that it needs to."
Do you agree that the CISO role is different now?
Becky Pinkard CISO, Aldermore Bank PLC
“I definitely agree there's a risk element to it. Of course, we have seen a transformation in the CISO space. It started off as a more technical role years ago and I think we have seen it turn towards more the governance role.
"There’s been evolution against that requirement to understand tech so that you can best help to define and lead against the risk posture for an organisation. Especially for myself within the financial services industry, it's obviously something near and dear to my heart.
“The interesting thing has been to look at risk in the context of the threat landscape and my experience so far has been that it's an evolving conversation.
“People are going to pay more attention to what that means in terms of how to break it down into specifics against both budgets as well as the service direction and capabilities of the team that you are working with. But it definitely requires a technical capability to grasp all of that information."
Have you prioritised change under Covid-19 lockdowns?
Sian John, CISO for Microsoft
“Yes. But now it's more about an acceleration of change - a lot of our customers were already working towards change.
"What we've really seen is a massive acceleration of that challenge and it's not just the info workers that have been getting ready to work from home. It's the people that never have - or ever expected to.
"So in financial services call centre workers - in fact, call centre workers across the board in many different industries - don't always have the best and nicest technology to use day in day out. [Their systems] are really meant to support calls so that's a massive change on a scale that's been really quick."
What have been the changing priorities of the role?
Paul Harragan, director of EY
“For me as an advisor to a lot of companies that are going through transition or change, it really just depends on pivoting. So if the operating model of the business has changed, they can move to some other way of working - but if you have literally shifted to a completely different way of making money - I think you've widened your threat landscape considerably through everyone working at home.
“You’ve got to protect that domain. Yes, you might have VPNs but before you get to logging in people are using Office 365 and don't actually have to log in to VPN together. You can also traverse on to other computers on the network.
“So there are lots more threats that people need to model their new risk exposure on. That again needs to be realigned with budget.
“I think a lot of people are looking [for workplaces] go back to the way it was [pre-Covid-19] but I don't think we're going to. I think the workers may want to stay at home because they quite enjoy it. But in terms of the businesses themselves - how do you support this - how do you train people to effectively manage it. It's a huge concern for me.”