In a recent company board strategy meeting the CFO presented the financial forecast and outcome and made some interesting comments about fiscal risks and opportunities on the horizon. The COO discussed efficiency in operations, explained how the company may need to adjust the hiring procedures to avoid the risk of high turnover and to speed up the candidate selection. She also argued in favor of some new IT initiatives to automate and modernize some processes – including the hiring process. With these in mind, the CEO made some strategic decisions on projects and operations, and the meeting was concluded.
Three months later the company name was in the headlines. A temp employee of the vendor that was selected to implement the new IT system had his laptop stolen, credentials were cached in the browser. The personal details of all applicants in the new system, including previous salary details and diversity data (such as race, religion and sexual orientation), were posted on a public website.
The new system did not have multi-factor authentication because IT argued – giving in to the pressure of the HR department of course – that they would do it later, as they needed to move to production fast. The vendor’s security practices were not evaluated because Legal argued that an NDA and an SLA should cover these things. Compliance and Procurement agreed and, in addition, the company had in place cyber insurance to cover for financial losses. The project was considered successful.
Risk is part of the game. You cannot do business without assuming some risk and you have to make sure that you manage that risk. Companies are managing financial risk for ever. Financial risk management is in the heart of the CFOs responsibilities, but when the discussion comes to non-financial risk such as cyber-risk, many organizations tend to be blind.
The Global Risks Report 2018 published by the World Economic Forum highlights the collective wisdom of more than 1000 stakeholders about global risks. Thirty risks to the global economy, risks such as water and food crises, natural disasters, climate changes and interstate conflicts or government failures. Almost all of these risks are systemic in nature – risks that will affect the whole economy and a single company will not be affected more or less than its competitors. One can identify two risks though, that can be either systemic or affect a single company only. These two are cyber-attacks and data fraud or theft.
A CISO in an organization needs to set a security strategy to manage cyber and information security risk. Their role is significantly more risk-oriented than technology oriented and information security spans all departments of the company, way beyond IT systems.
Yet in many companies, CISOs report to CIOs instead of the chief risk officers. Either because the companies do not have chief risk officers or because information security risk is considered a part of the IT function. In these cases, the information security risk is demoted to be ‘a risk to the security of the IT systems,’ becoming invisible to upper management.
The fact is that as information security spans the company horizontally, any threats may be materialized by so many other paths than just the IT systems, which makes this decision questionable to say the least. Here are just two examples of what is considered information security domain, that an IT function caring about ‘security of IT systems’ does not have anything to do with:
- Contracts with suppliers that are totally out of control of IT, especially with the exposure to third parties such as cloud providers. Legal and procurement want to know about it, but IT does not care. In that case the available controls are not even IT-related
- Employees: HR wants to know about it, but IT does not care. Although some controls may be IT-related, in several cases they are not, such as background checks and social engineering awareness sessions.
The list could go on but the point is that with current corporate structures, many information security risks are not visible to the management boards. Decisions are made in a risky environment without anyone considering or providing transparency and visibility for these risks. This is why a high-ranking risk officer should be present at these board meetings. If the organization does not have an enterprise risk management function, that person should be the CISO.
A CISO needs empowerment to influence budget decisions, project decisions, even IT decisions and architecture to ensure that the organization has a good visibility of information security risk and manages it according to the organization’s appetite. The CISO’s voice needs to be audible beyond the IT department, across the entire organization, and the only way to achieve that is to have the ear of the CEO, the CFO and the COO. In other words, the management board.