Attention CISOs: Your BFF should be the CIO or other C-level execs.
That’s right. To learn how to deal with boards of directors your best friend forever should be the people who’ve been talking to them for decades.
That’s according to Greig Arnold, a vice-president in the office of CISO at security vendor Optiv where he advises customers and a former CISO of KPMG in the U.S.
The CISO is a relatively young post, he told an Optiv customer event in Toronto this week. “We’ve come a long way but I think we can do better. So one of things we can do is become friends with the CIO, with the CMO and ask them how they report on business risk to the board. Ask them what you can do better. Ask them what they do. Get coaching from them.”
“When you ask people for help, most want to help you.”
He also urges CISOs to take advantage of free resources from the National Association of Corporate Directors, including this report. on what boards want to hear.
This is particularly important as the role of CISO is shifting to chief risk officer, he said. “We have to learn to talk about the business; we have to learn to talk about how security reduces business risk. So every time we say we want to spend an extra dollar on cybersecuity what’s the risk? What’s the reward? … We need to explain to the business why spending $10 with us is better than $10 on marketing” or another department.
“We can’t say we need next gen firewalls, because they have no idea what that means.” Better is to say ‘It helps stop bad guys from stealing information.’”
Info sec leaders also have to plan three years ahead to keep up with threat actors, he maintained – not in terms of technology but of what will need during that time to be protected – then think about what technologies will be needed to get there.
At one point a member of the audience asked if a CISO should report to the CIO or the IT department. “The answer is less who he reports to and more who cares,” Arnold replied. “If reporting to a CIO who believes about cybersecurity and sees you as a peer and promotes you to the board to talk about it, that’s a good place to be.”
“What I’m seeing at the board level is they care about cyber security, know it’s a problem, they don’t know what it it and too often they think ‘We have a CISO, we have it covered’ … The key is we’ve got to speak their (business) language, got to educate them and get them involved.”
What can be effective is to tell the board ‘Of these 100 things we need help with these two,’” he added – and it doesn’t matter which two: (passwords, access, compliance … ). “If you make the board responsible making sure everyone knowing about two things they get involved … “But if all we do is provide them with reports…. they’ll put it away.”
In an interview Arnold, who has held top cyber jobs at other companies including JP Morgan Chase, talked about the problems of being a CISO.
“The biggest challenge I faced was being able to do the operations and tactical data to day running of cyber security in IT as well as being able to plan for the future around the business and what we needed to protect. It felt like we were constantly in fire-fighting mode because of the nature of the business everything evolves so rapidly we often [were] being reactive rather than proactive. That’s still a big challenge today – we’re still very reactive. But getting to the proactive and building the program to where you have a solid understanding and knowing the journey to where you want to get and assigning the resources and the funds to do the right think in the right areas is the biggest challenge.”
In a separate interview keynote speaker and former Canadian national security advisor Richard Fadden, talked about the need to change the composition of boards to get management to take cyber security more seriously.
“I still think boards in particular worry more about the financial bottom line and maybe marketing and the core business than they do about IT and cyber security … There hasn’t been a change in culture in boards of directors. Why? Ir you look at he composition of boards by and large they tend to be lawyers more than anything else, they tend to be financial experts. And people tend to talk about things they know about. Most boards don’t have IT experts on them. One way to help boards deal with this is issue is to start getting people appointed with technical backgrounds more than they have [now].”
Some six months ago Fadden told a cyber security conference there needs to be more threat information sharing between Canadian governments and the private sector. “My understanding is now it’s a little bit better,” he said, but attackers are still ahead. The upcoming federal mandatory data breach reporting regulations will be helpful, he said. “But on things like this (threat information sharing) its almost important to change the (corporate) culture. The U.S. and the U.K. are ahead of us on that, Fadden said, adding he fears only a “massive” cyber incident will force organizations to to accelerate the process.
“One of the problems we have in Canada is we don’t really regard ourselves as under threat …We are fortunate in that we’re probably not anyone’s first target, and we are surrounded by three oceans and the U.S., so the Ashley Madisons, Equifax, the breach at the NRC (National Research Council) don’t register as immediate and direct threats in the minds of most Canadians.”
