Five Ways To Get the Chief Information Security Officer Role Right

Recent attacks on NHS supplier software, the Russian strike on Ukrainian military through ViaSat, and the historically devastating NotPetya attack that nearly folded the global giant Maersk should serve as stark reminders of the damage wrought by cyberattacks.

The growing reliance on technology is making organisations increasingly vulnerable to cyber-attacks. Technology underpins most organisational processes, business growth is powered by tech-centric intellectual property, and most productivity gains are made through technological innovations.

Meanwhile, digital transformation and the post-pandemic shift to working from home are further increasing companies’ vulnerability to cyber-attack. Almost two thirds of ransomware claims in 2020 were due to open remote desktop protocol ports, increasingly in use as staff work from home or in settings such as coffee shops where servers may be less secure. A recent IBM study found that, when remote working was a factor in the breach, costs were on average nearly $1 million greater than in breaches where remote working wasn’t a factor.

Yet cyber security has suffered from chronic underinvestment, and boards don’t understand cyber risks, so they don’t want to own them. In one study, a majority of board directors said they “only somewhat” understand their company’s cyber security vulnerabilities. Furthermore, in a survey of 800 global board directors, 83% identified cyber security as a top priority, but less than half had taken any dedicated action, such as requesting cyber security updates or involving themselves in their organisation’s cyber security threat response simulations. The result is poor hiring decisions and ineffective governance of cyber security.

We are, therefore, in the middle of a perfect storm in cyber security. At the time when we most need clear direction, cyber security leadership is broken. Cyber leadership is currently based on individual best effort, with no agreement on what ‘good’ looks like; Chief Information Security Officers (CISOs) are typically narrowly focused on the implementation of controls rather than on understanding the risks to the business and driving cultural change accordingly.

That’s why we interviewed a range of topflight CEOs, CISOs and other C-suite executives to give a comprehensive view of what needs to be done to tackle the issue – the first time such a broad study has been conducted.

Based on our research, the crucial finding was that it all starts with having the right leader in place – there’s a need to develop a new generation of business-aligned CISOs who can best address these increasingly important issues.

Here are five ways companies can get the CISO role right.

CISOs should have board level influence

Too many boards see cyber security as a tech or IT issue, rather than a wider issue that impacts the whole of their business. Indeed, the majority of CISOs are operating outside of the C-suite level. Appointing topflight CISOs to boards means organisations can develop greater understanding of cyber issues across the C-suite. Boards should also invest in independent cyber security advisors.

They also need to be given the power to influence, because there is a talent shortage of top-drawer CISOs, which means they can pick and choose the best jobs. When topflight CISOs find themselves in organisations where they don’t have influence (whether due to lack of board mandate, budget or support to drive cultural change), they leave; nearly all the CISOs we interviewed cited this as their main reason for changing roles. The CISOs we spoke with were approached at least once per month with a serious job offer.

Churn costs businesses. We estimate the cost of replacing a CISO to be at least £7.6 million for a typical large corporation, which encompasses average remuneration for the average CISO tenure of 2.3 years, associated hiring costs and an estimated budget wastage on unfinished cyber projects. This means that the average CIO (to whom a majority of CISOs report) will cycle through two CISOs during their tenure, and the average CEO will cycle through three. If cyber security really is a top three board priority, that’s a worrying amount of churn.

CISOs need not just technical know-how, but top-quality communication and leadership skills

A key challenge is to shift the common perception amongst board members that cyber security risk is a technical problem or a compliance exercise. That requires CISOs to have strong communication skills, so that they are able to convey and explain cyber security and its priorities in clear, persuasive, jargon-free language. CISOs should be hired, managed and measured as business leaders rather than technical experts. There was universal agreement among the CISOs, CIOs, CTOs and NEDs we interviewed that CISOs need to be strong business leaders, encompassing a range of skills: leadership, people skills, influencing, stakeholder management, navigating complex matrix structures, and financial literacy.

CISOs should practice evolution, not revolution

There is a tendency among CISOs towards a ‘tear it up’ mentality, rather than building on the work of their predecessor. The frontier mindset is helpful in a new organisation, but in established functions it creates vulnerabilities. Revolution in cyber security is only appropriate when a function is newly established or in need of remedial action. In any other situation, a business-aligned CISO looks for continuity rather than radical change and seeks to build upon what their predecessor has done, rather than rip it up and start again. With the average CISO term just 2.3 years, there isn’t the bandwidth for radical change. In interviews, boards and leadership need to be wary of CISOs predisposed to change unless the function is new or failing. Stable growth is almost always the best approach. As one CEO said: “What organisations need most is consistency and to keep moving forward.”

The best CISOs not only protect the business, but enable it

Business-aligned CISOs are involved in activities that enable the business as well as protect it. As technology drives ever more business processes, a cyber security function that focuses on ‘no’ rather than ‘go’ will be a drag on innovation, productivity and profitability. As one CISO told us, “We need to look for ways to facilitate new tools and encourage and foster those ideas and principles that get the business innovation moving faster because that’s what the business is there for. It’s not there to support security.”

Examples of how the CISO and the cyber security function can act as business enablers include providing unique data insight (producing meaningful and usable insights from their data on employees, customers, supply chain and environment, offering a more creative approach than risk-averse in-house lawyers) or cyber security service spin-offs (services their organisation can market for sale to others). Having a strong CISO in place is increasingly supporting enterprise valuation by reducing the amount of potential risk an investor needs to factor in.

Focus on risks rather than controls

There was one common theme among the CISOs we interviewed: cyber security management is risk management. As Joe Da Silva, CISO at RS Group, said, “It’s not about what I think is right, it’s about what’s right for the business and how it effectively manages that risk.” Too many CISOs seek gold-plated solutions without considering the impact, such as higher costs, drag on technological innovation, or poorer customer interfaces. For businesses with finite resources, a control-based approach to cyber security without a clear return on investment case is simply unacceptable.

Business-aligned CISOs highlight risks, explain the potential impact, offer a sliding scale of solutions, and ask the business to make informed risk-based decisions. This relies on the organisation having a mature approach to risk appetite. A mature cyber risk management model is one where cyber risk appetite is owned by the board, overseen by the audit committee in consultation with the CISO, and individual decisions about risk sit with business leaders.