It seems that every week I receive at least five emails detailing a new data breach. There are so many data breach stories around that we’re becoming immune to news that a smaller business has been hit by a cyber-attack or has had its data exploited by hackers. It always feels like ‘oh, another one’. A CISO recently told me that the UK’s obsession with data breaches now is similar to that of the US ten years ago.
But cyber security has well and truly become mainstream globally now, and as a consequence the largest companies, the victims of the most crippling attacks, are having to deal with a barrage of bad PR; the reputational damage that a data breach or cyber-attack can cause is devastating.
It’s for this reason that, several years ago, companies ramped up their focus on cyber security, and that focus has only grown with the emergence of new technologies and the introduction of GDPR. The demand for someone to deal specifically with cyber – a chief information security officer (CISO) – has therefore been enormous, as Mark Walmsley, CISO of Freshfields, tells me at Cyber Security Connect UK in Monaco.
“The increase is just incredible in the number of people who want to recruit for CISO roles… salaries have gone through the roof. It’s a massive market,” he says.
The changing role of the CISO
CISOs are now not only becoming essential for most businesses, but they’re sitting on the board of many of the world’s biggest corporations. This has had a domino effect on other positions, namely the chief security officer (CSO) role, which was predominantly focused on physical risk rather than cyber risk.
David Clark, who takes up the CSO role at the Francis Crick Institute, says that by keeping the CSO position, his organisation arguably sees the physical risk as a higher priority than cyber risk – but he doesn’t agree.
“My own belief is the reverse; I can quite easily mitigate physical risks to the organisation through intelligent platforms, through well-rehearsed and well-resourced physical security teams, and by making very effective use of technology, but you can do a lot more damage to an organisation by hacking into the control system,” he says.
But Clark believes it’s only a matter of time before the CSO role disappears altogether, even in industries like pharmaceuticals and manufacturing that place more importance on traditional physical security.
Instead, a risk or resilience chief – similar to a CISO – will take up responsibility for both physical and cyber risk, the reasoning being that it’s easier for a CISO to learn about physical risk than vice versa.
But with so much of cyber security being concentrated in one person, there’s a danger that too much pressure is put on the shoulders of these CISOs.
Walmsley says the pressure is “astronomical”.
Yes, they’re being paid vast amounts of money — but is it fair that they’re made the scapegoats if the company is a victim of a data breach?
Being a CISO in a changing threat and regulatory environment
Of course, it’s not just CISOs in the firing line; CIOs and CEOs have often been given the axe as a result of a cyber-attack too. Just look at TalkTalk, Target and Reckitt Benckiser.
However, Walmsley is optimistic that the business world is maturing, and he is hopeful that this means a CISO’s job no longer sits on the line in the same way.
“I think industry is maturing. If the CISO is good at what they do and they explain to the board that no business is immune to breaches [that’s a start]. They have to explain that you have to make risk-based decisions to still make money, so there needs to be flexibility, and with that flexibility comes risk and at some point that might convert [into a breach] and when it does it’s about how you respond to that breach,” he says.
This is an approach that all CISOs should take from the outset of their role, and it should be clear where they would stand if there were a data breach at their company.
Although, I think Walmsley may be being a tad hopeful that businesses, shareholders and boards will not turn on CISOs in the event of a breach.
Of course, there are layers of complexity to that; were they at fault for the breach? Could more have been done to mitigate the risk?
Managing the security risk
Either way, CISOs and their colleagues should be given the chance to rectify the situation they’re in; after all, even if they didn’t manage to thwart a threat, they know the environment better than anyone brought in to replace them.
More importantly, putting a CISO in place does not guarantee any business immunity from cyber threats – and the CISO shouldn’t be solely responsible for the security of the company.
Some companies are realising this and making changes to the CISO role as it stands. For example, Heathrow CIO Stuart Birrell tells me that security is too important to leave solely to the CISO, and he has therefore combined the roles of CISO and chief technology officer (CTO).
“He has the role of designing in security from the outset, so he has a team of specialists in behind him, but it is critical with GDPR and the Security of Network and Information Systems Directive (NIS) that it’s everyone’s responsibility,” he says.
Similarly, Nicholas Lloyd, the CIO for the Permanent Joint Headquarters of the MoD and all UK military operations overseas, says the organisation has integrated the CISO and CIO roles because of the danger of two segregated functions.
“Having people paranoid that their role is security will disable your business by thinking they’re protecting it – but they’re actually causing as much damage as a hacker would, so you have to be careful that you don’t create a security or CISO team that have no accountability for the outcome in terms of sustaining viable, vibrant information services,” he says.
Lloyd encourages a collaborative approach, where security is essentially baked into everything the organisation does – therefore spreading the accountability across the organisation.
Keith Little, CIO of Barclaycard, says “security is everyone’s responsibility”. He’s just one of the latest CIOs, CISOs and CSOs I’ve had conversations with who use this phrase.
The question is, despite growing awareness at all levels of business, is this really true? We keep being told that being a victim of a cyber-attack is an inevitability, and that it isn’t any one person’s responsibility. But will businesses ever truly believe this enough to ensure that a CISO’s job isn’t put on the chopping block when a cyber-attack does happen?
Should a CISO be treated differently to a CFO who has been involved in accounting irregularities? If cyber attacks are inevitable, and they’ve done everything in their power to mitigate risks, then yes, they should. The problem is, we’re not there yet and therefore the pressure on CISOs is growing as quickly as the pay packages they’re getting offered.