Despite all indications that cybersecurity is now ‘top of mind’ for company boardrooms, less than 50% of companies have a CISO position with a seat at the board. Boardrooms have learned all the words and they know all the notes, but they’ve never quite learned to sing the song.
This figure and others come from a November 2018 survey (PDF), conducted by Vanson Bourne and commissioned by Thycotic. It queried 200 CISOs in the UK and Germany from largely mid-size companies in both the public and private sector with at least 1,000 employees. Thycotic’s chief security scientist and advisory CISO, Joseph Carson, believes the issues raised will affect most CISOs throughout the world.
“The results were quite shocking,” Carson told SecurityWeek. “While boards accept that cybersecurity should be a priority, they remain very reactive in regard to supporting and investing — and in most cases they’re holding back CISOs, who are rarely able to meet the goals that they’ve set themselves and their companies. The board is still seeing cybersecurity as something that is reactive and a cost rather than something that is an innovation or a business strategy.”
More than 60% of the respondents believe senior management considers their role to be basically defensive and protective. Only 37% believe management sees them as a business-positive force, enabling secure growth and gaining competitive advantage. It’s no better with company staff: almost three quarters (74%) reported negativity or indifference regarding the introduction of new security measures and policies (35% believe employees think security hampers their work, while 39% think staff barely notice them).
Carson believes this is indicative of a negative view of security held by most boards, most staff, and many CISOs themselves. This negative view is inhibiting the full potential of the security team in its true role as a secure business enabler. The solution, he suggests, must come from within the CISOs, and from the security giants within the security industry. The former must change their relationship with leadership, while the latter should take every opportunity to stress to businesses that security must be a top down rather than bottom up process.
Consider other C-suite executives, suggested Carson. Each one is better recognized than cybersecurity, higher in the business pecking order, and more likely to have a seat at the board. HR enables a happy and smooth-running workforce; Finance enables the company to do what it needs to; the CRO protects the business and its property; and even the lowly CIO keeps the business running. Security is often perceived to say, “No, you can’t or mustn’t do that’. This needs to change, says Carson.
“Security is like a dog chasing its own tail — it’s never going to win without changing the approach,” he continued. “So, we need to think about security being successful, not about it winning. We’re never going to prevent all threats or solve all cybersecurity issues. But we have to focus on the ones that matter to the business.”
In fairness, the CISO is in a difficult position. Originally, this position was just an extension of the IT department. In fact, it has been said that the CISO was created by the CIO as a scapegoat in case of problems. Nevertheless, the CISO must work closely with the CIO, often must report to the CIO, and is sometimes the same person.
But the role of the CISO is shifting away from the purely technical IT department and more towards risk management — albeit, the risk management of information assets rather than the risk management of property assets. As a result, the CISO is currently caught somewhere in between the technical IT and the more businesslike Chief Risk Officer.
Since the CISO needs to get more involved with the business for the business to become more engaged with security, the CISO role needs to gravitate away from the purely technical IT, and more towards the business processes of the CRO.
The key, suggests Carson, is a more positive reporting approach. “Take Shadow IT,” he said. “The common view is that security is there to stop staff using the cloud apps they want to use. But if this view can be reversed, so that security is there to allow staff to use their cloud apps safely, then the attitude towards CISOs and security generally will begin to change.”
It must be asked whether legislation is the solution, just as the NYS DFS-500 mandates that covered entities must have a CISO that is heard by the board, and GDPR mandates that larger companies have a Data Protection Officer (DPO) officer. “It’s something that definitely helps, but I don’t think it’s the full solution,” says Carson. An army can defeat an opponent by force, but that victory does not win the heart and mind of the people — and it is both the staff throughout the business and the board that governs the business, that must be won over by the CISO.
“Security teams need to work harder to communicate the strategic importance of their roles to the business and reinvent themselves as ‘facilitators’ rather than ‘enforcers’ who enable the business to run smoothly,” said Carson. “Until the CISO starts dealing in and gets measured by business success, he will remain low down in the pecking order.”
Related: CISOs Challenged in C-Suite: Report