The CISO role has evolved dramatically over the last decade, in line with the risk landscape of a digitized world. In 2020, however, a new crisis emerged, once more putting a brand's security and risk leader front and center for its cybersecurity response. In a few short months, the CISO has carved out more responsibility than ever before; how can they keep that momentum in a business-as-usual context? Or has this year taught us that leaving a CISO alone until a crisis hits is poor business management?
Deneen DeFiore, CISO, United Airlines; Selim Aissi, CISO, Ellie Mae; Erik Decker, Chief Security and Privacy Officer, University of Chicago Medicine; George Eapen, CISO, Petrofac; and Carl Eberling, CIO/CISO of Forcepoint, came together at The Studio @ Home to discuss the ever-developing relationship between a CISO and their C-Suite.
Who is the CISO?
“A CISO helps businesses navigate through crises,” began Carl Eberling. “When a business is disrupted it’s our role to assist, to ensure we become more effective and efficient. That requires alignment from the board and a mutual understanding of the expectations and executions we need to move forward.”
Eberling agreed that the CISO role has earned more respect in 2020, not least because CISOs have largely proved they can protect their organizations while still allowing them to grow.
For United Airlines' CISO, her sector and the role it has played in the pandemic have shifted its focus onto security, privacy and data.
“Every CISO has the attention of their Boards,” said Deneen DeFiore. “During a crisis the response has to match the severity of the situation. Threats increased, ransomware events increased on the news, so I think the majority of business leaders now understand that threat protection is vital, even if they didn't already.”
In DeFiore's remit, the health and safety of her customers are now even more important than they were before. Add to that the collection of personal and health data to meet travel requirements, and biometric analytics for contactless experiences, and suddenly the CISO has to “enable the business to work on a different model, to restart securely with a different focus,” she added.
Proactivity is key
A former colleague of hers, George Eapen, also sat at the roundtable. Now the security lead at Petrofac, Eapen manages risk and cybersecurity not only within a sensitive industry but alongside geopolitical tensions he has to keep abreast of.
“The importance of the CISO isn't a new development,” he said, “and at least at Petrofac, the board was already attuned to the needs of the security team. The challenge isn't about grabbing their attention, it's how to keep it.”
It was a nuanced change of direction in the debate. Eapen doesn't believe it should take a crisis to bring a Board and its CISO together; they should already be meeting. And if they weren't, then it's time to shift tactics.
“The leadership team should see the CISO as a risk advisor and know they’re being taken care of,” he continued. “How I personally get their attention is by clearly articulating how we are embarking on security in business in a new world order; it’s not about risk, it’s about how we enable business continuity by managing risk.”
Erik Decker agreed with Eapen's position. He rejected the assumption that only a crisis opens communication between a CISO and their Board. He stated that CISOs “must act as business leaders of an organization and have the appropriate access to information to do their jobs accordingly” and that it “was on [CISOs] to leverage those opportunities, always”.
He closed one of his points with: “Reactive CISOs in a crisis are just establishing a culture that you’re only needed during a crisis.”
It's a strong statement, but given the acceleration of internal and external threats, Boards ought to be less reactive themselves when it comes to security. CISOs may not need a seat at the table, but they should have direct access to someone who has one.
Selim Aissi summed up his view of the CISO in three key roles.
“First, tactical: CISOs own the cyber-resilience of a business so consider your strategies with that in mind. Second, advisory: CISOs should be approachable and knowledgeable, and be a trusted advisor to the CEO when they call for it. Third, strategic.”