Is the CISO well positioned to mitigate operational risk? (ISC)² will be asking this probing question of security leaders at the kick-off session for Infosecurity Europe’s Leaders Programme in London next month. A round table discussion conducted under the Chatham House Rule, the session creates an opportunity to offer frank comment and illuminate the challenges currently hampering companies from appreciating, and truly gaining control of, cyber risks. Infosecurity Europe’s Leaders Programme is open to CISOs and Heads of Information Security who are the final decision-makers and budget holders for information security in end-user organisations, making this a bespoke session for those charged with managing the risks. It’s also a continuation of a discussion we started in Abu Dhabi at Infosecurity Middle East in March, which proved to be very enlightening.
We had 10 participants sitting around the table in Abu Dhabi, all with CISO-level responsibilities representing government, at city and national levels, small companies and larger corporations. Overall, the group confirmed a persistent governance challenge when it comes to mitigating cyber security risk, despite the acknowledgement of a National Framework and/or documented company policy and procedures. Understanding what should be done, it seems, is proving not enough: organisations must also build in the motivation and influence across their management structure to get it done.
The group confirmed, for example, that the status of a project or its business owner is more likely to determine whether it goes forward without sign-off from the security experts than the understood risks are. In all cases, participants felt they couldn’t always put their hand up and highlight concerns, even when there was a security governance committee in place: if a project was considered critical or high-profile, the chief motivation is to deliver, making it likely to move ahead into production with the risks merely logged in a risk register. The group also revealed that increasing numbers of risks logged in this way were being realised within months.
Clear lines of accountability proved to be another concern. Participants noted the existence of many consultants and recommenders, but very few approvers, in the security and risk governance process. In the best-case scenario, particularly within government, a governance committee will have authority to veto the acceptance of risk by a business owner, yet whether the veto is actually exercised will still be determined by the criticality of the project, not necessarily the level of risk. Further, all described an unhealthy relationship with auditing, grounded in the belief that auditors are biased toward finding something wrong rather than contributing to development, while traditional auditors lack the skills needed for cyber.
Overall, the group concluded that there is no single model for security governance, including the auditing stages, but there are some intangible yet clear shortcomings that must be recognised and accepted. Ensuring the right level of influence and a healthier balance of considerations is needed. Regulators are recognising this and some, including within the UAE, are requiring the appointment of a CISO accountable for regularly updated plans within particular sectors. Clearly, greater visibility and co-ordination of the overall risk will be required if CISOs, and the organisations that appoint them, are going to live up to the expectation. Frameworks, best practice and policies must be backed up by a process to document that they have been followed and best efforts made.
As a Chief Information Security Officer (CISO) based in Dubai with over 12 years working in this capacity within financial services, and a volunteer member of (ISC)²’s EMEA Advisory Council, I am keen to help companies develop a deeper understanding of how operational risks are evolving with cyberthreats. As every company marches toward its own digital agenda, I believe that the CISO will increasingly play a strategic, not just a supporting, role. A well-positioned, business-aligned CISO can help align corporate priorities so that security issues are properly addressed as companies increase their dependency on technology and, therefore, the capacity to address the risks properly.
I look forward to continuing the discussion and sharing more insights from it in London on June 5 at 10:30am. To join us, qualifying Infosecurity Europe delegates must register for a Leaders Pass, which also gives them access to a Leaders Lounge and networking opportunities, in addition to the round tables. Learn more, and register to join us.