As the responsibility of the CISO increases, the apparent tension between the security function and the rest of the business tightens. The most common tension lies in the freedom with which a company can innovate—security has had the unfortunate reputation of stymieing progress. But is that still the case today? Many now see the value of having a clued-up security function; ironically, the increase in the number and severity of cyber attacks has helped the CISO raise their standing. Especially after the last year of remote working and accelerated adoption of technologies, the security team now finds itself a core component of the business and, critically for its reputation, a business-enabler. What should security leaders do next?
The ever-evolving role
Mansi Thapar, Head of Information Security of Jaquar Group, based in India, said, “The CISO role is evolving. Before, it was just the function or team IT dealt with, but now the terms virus and hacking are commonly found across the business and it is now the one function that connects every department.”
The question CISOs should be asking themselves now, she added, was whether they need a separate department from the CIO or technology function.
The roundtable had CIOs as well as CISOs, so it was an interesting question with which to start the debate. A business is always shifting imperceptibly as market and other factors demand, but would technology leaders relish the opportunity to lose an entire team?
“For us the security team sits with the CTO’s function,” said Fergus Boyd, Head of IT Support for the global private members’ club Soho House, “and it contains four arms, if you will.
“One, physical access like CCTV; two, software access, using products like Okta’s applications; three, data privacy and GDPR regulations, which also differ across the globe of course; and four, PCI. It’s not that we think security needs to sit there; it’s just that hospitality doesn’t have the luxury of separating the functions.”
Graeme Hackland, Williams F1 Racing’s CIO, agreed with the factor of cost in determining the shape of the security function.
“I’m CIO and also responsible for cyber-risk, but Formula 1 also doesn’t have the luxury of separating the two,” he said. “Instead, I’ve built an ecosystem of partners who manage our risk and augment our in-house function. And, most importantly, I’ve pushed for a people-centric approach to security.”
Hackland’s people-centric approach touched upon one of the major themes of the debate: how can security leaders cultivate a culture of good security practice? The F1 CIO ensures everybody is part of the security team in some way and understands their role in protecting the business. He dismissed “treating colleagues as risk”, as it undermines your trust in your team and shifts responsibility away from the individual and onto the business.
This is a far more sustainable model of security, and a more resilient one. Formula 1 is strict about attacks between rival teams: any team found behind a data attack risks ejection from the sport. That means external actors pose the biggest threat to Williams F1 Racing and its valuable intellectual property, which goes on to be used in other industries, according to Hackland.
Imperial College London’s CIO Juan Villamil can empathize. His university is pioneering countless research grants, including a vaccine for COVID-19, which acts as a risk magnet and also forces his team to be more flexible with their strategies than they’d like.
“Our role [as security and technology leaders] is to set standards and police against those standards,” he began. “The issue at universities is that because of our broad structure—research, education, payroll, HR—we need to build a security system that allows for freedom and a bit more randomness.
“We adopt security models that can help us quickly and flexibly learn our assets, what they are and how they fit into our system. This classification helps us place the right controls to protect them and constantly learn the relative values of these assets. We’ve learned this mainly through our external agencies who are helping us with our threat intelligence,” he reported.
For Telefonica and its CISO, the remit is possibly even wider.
“Name it, we do it,” he stated. “From development IT to legal, HR to finance control, I like to think of the security team as renaissance people who need to understand everything to juggle the resources we have and prioritize what we protect.”
Qualities in tomorrow’s CISOs
He continued to explain that one of the key qualities of a CISO is empathy. Empathy with the rest of the business not only encourages better working relationships with counterparts but also leads to better results through collaboration. It’s an opportunity to improve both the business and one’s leadership style, and one not to be missed, he added.
And from the vendor perspective, according to Ben King, Chief Security Officer EMEA of Okta, the relative position of the CISO could be argued both ways.
“At Okta we’re lucky enough to have a CISO report directly to the CEO and I’m also happy to be part of an independent function. There are pros and cons to both models. One observation I have is that a CISO who sits within the technology and IT function normally has a higher chance of buy-in from his or her counterparts, but those who sit outside have more freedom.”
The roundtable then mused on the cost of independence for a security team. The responsibility of the CISO has indeed increased, they agreed, but whether that means its relative position shifts really comes down to the industry, region and type of business one finds oneself in. The common thread that every team needs to understand for the future is collaboration. That’s the only way for the security team to fulfil its duty of protecting the business whilst also being mindful of the progress that needs to be made each day.
This roundtable is brought to you in partnership with Okta.