One of the few success stories of 2020 was the cementing of security as a key business function. CISOs and their teams worked intensely to both secure the business as its teams went remote overnight and strategically thereafter to keep a now disparate workforce protected. If there was a trend emerging of security having more visibility at board-level, COVID-19 accelerated it. Does that then also mean a new seat at the table for a Chief Risk Officer? Emma Sinden moderated a debate to answer that very question as Keith Baxter, CIO, Anthony Nicholas Group; Alejandro Becerra, Group CISO, Telefonica; Nico Fischbach, Global CTO, Forcepoint; and Brian Brackenborough, CISO, Channel 4, pondered on who would be the right person to manage risk, IT and security in the future.
CISOs in 2020
First, however, they reviewed the state of affairs at present.
“The security department is getting more budget, or more budget than we thought,” said Brian Brackenborough, “and we were pleasantly surprised to learn our projects were being continued from 2019 onwards, despite other areas having freezes.”
“We don’t have huge budgets but it’s clear we have far more money than five years ago,” remarked Alejandro Becerra. “That means at C-level the requirements of the security function are being heard and understood, and that’s a good thing. We still have to be careful with how we spend our budgets of course and examine where the investment goes so we do not waste anything, but the overall picture is positive.”
The importance of the security function is therefore reflected in its share of the budget. And even if the focus of those budgets has shifted as businesses become more used to remote working, as Nico Fischbach detailed in his remarks, the question of responsibility becomes ever more important.
CISO vs CRO
The CISO and the Chief Risk Officer perform slightly different roles, but because the latter already holds a seat on certain boards, questions have arisen about whether the CISO should evolve into the risk lead too in order to get a seat at the table.
“It used to be a big thing to get CISOs on the board,” he said, “but I don’t agree. It doesn’t matter where you are [as a CISO] as long as you can be effective and have people around you who support your plans.”
It’s more of a balance, said Fischbach.
“The CISO, CIO and Chief Risk Officer have been working as a team during the pandemic. It’s brought them closer together. But there is still some fragmentation as each leader views a challenge with their own lens,” he observed. “Where CISOs sit on boards you may find they’ve had past security breaches or they operate in a particularly sensitive sector; otherwise they report into the CIO and the Chief Risk Officer operates independently.”
The important reason for that independence, according to Keith Baxter, is the conflict of interest that may lie in a CISO and Chief Risk Officer being the same person.
“As a CISO you have a responsibility to deliver on the security needs of the business but the Chief Risk Officer has to be able to check whether they’re delivered correctly,” he said, “and that can’t be done by the same person.”
He went on to explain that for the CISO to gain more responsibility, they shouldn’t chase the Chief Risk Officer role but should instead ensure the board understands the importance of security and cultivate a culture of security that reflects well on their function. He gave an example.
“We built in security training right through the workforce. Everyone becomes a security officer in effect and by that they become gatekeepers and not risk points,” he continued. “And if someone has privileged access they are trained to an even higher degree so they are security officers in that specific area, like Microsoft Azure, for example. It’s a different model but it seems to work and, crucially, gives confidence to the rest of the leadership team that we have mature strategies in place.”
Almost unanimously, the roundtable believed that the Chief Risk Officer was not the next natural role for a CISO seeking more funding for their security needs. For one, any increase in funding would be offset by the conflict of interest in having to assess the risks of one’s own strategies; for another, a far better and more sustainable approach would be to maximize the business’s understanding of security, for that all-important cultural acceptance. And considering CISOs are one of the few functions allowed to progress with their strategies, it would be a missed opportunity not to focus on those for now.