Neira Jones presents new generation CISO

Jones told the audience that the ‘modern CISO’ needs the following skills, abilities and direction:

  • Stakeholder management
  • Never says no to the business
  • Eliminates redundant controls
  • Runs security like a business
  • Can work the corporate psyche
  • Effective communication skills
  • Undeniable credibility in the industry
  • Enabler of business activities
  • Ability to influence and strengthen key relationships in the business
  • Understand and manage risk
  • Avoid quick fixes and ‘silver bullets’
  • Automate audit processes
  • Educate the workforce

One of the main differentiators between CISOs of the past and the aforementioned modern CISO is the ability to communicate to the board in the language of business, Jones explained. “A CISO should be able to present a case to the board – speaking their language – to make them understand the consequence of not investing in a particular technology or information security provision.”

When explaining what a CISO should not do, Jones responded: “spend £100 to protect a £1 asset.” When asked how many of today’s CISOs comply with her presented ideal, Jones honestly answered “not many, I could count them all on one hand”.

Information security, Jones advised, is making it on to the general public’s agenda. A recent survey of public social concerns saw 94% of respondents name protecting personal information as a concern – the same level of concern as preventing crime, and rated above the NHS, equal rights, and national security.

Data breaches, said Jones, are the reason why. “Data breaches are now a statistical certainty – even Lady Gaga and David Beckham have fallen victim”. Estimated figures suggest that identity fraud in the UK costs £2.7bn annually and affects 1.8 million people. “Despite the SQL injection celebrating its tenth birthday last year, the majority of breaches are still a result of the SQL”, Jones declared.
