VMblog's Expert Interviews: Proficio Talks Cybersecurity and CISO Visibility


With recent high-profile cyberattacks such as WannaCry and NotPetya, cybersecurity has become a much hotter topic than it was five years ago.  Today, boards are inviting CISOs to discuss security threats, vulnerabilities, and disaster recovery plans in the event of an attack.  This has given CISOs a new level of visibility in the board room, but many are finding it difficult to succinctly describe the complex issues surrounding cybersecurity, while emphasizing evolving threats.

To learn more, I spoke with Brad Taylor, CEO at Proficio.

VMblog:  How has the role of the CISO changed over the past 5 years?

Brad Taylor:  While the responsibilities of the CISO have remained the same (protect the brand, assets, customer data, and availability of systems and data for the organization), the role of the CISO has changed considerably over the past five years. Previously, the CISO was focused on managing down the organization through establishment of policies, controls, and staff. Today, the CISO devotes a considerable amount of time and thought to managing up the organization to the CIO, CEO, and board of directors concerning the corporation's security posture, controls, preparedness, and trends. CISOs are now also tasked with managing the changing regulatory requirements of the international community, as it pertains to data privacy laws, breach disclosure requirements, and global adversaries. 

VMblog: Why has cybersecurity become a top concern for the boardroom? How has this shift in priorities directly impacted the CISO's visibility with the board?

Taylor: Cybersecurity is now a high-priority topic of discussion in every boardroom. Over the past five years, we have seen an exponential increase in the number of CISOs being invited to board meetings before a breach occurs to inform the board on what the company is doing to prevent a breach, what additional resources they require going forward, and how they compare to their industry counterparts. This increase in board awareness is due to the continued increase in harmful breaches discussed in the press and the damage they do to the brand and value of the company.

VMblog:  How can the CISO prepare for a presentation with the board?  What issues should they raise?

Taylor: A CISO must have visibility into how their security controls are performing, how often they are getting attacked, how often they are getting compromised, whether they're able to prevent a potential breach in action, where the risks and weak areas are, where they need to enhance tools or resources in the short term and long term, and how they measure success.

To add to that, CISOs must be able to discuss how they are protecting the organization in the migration to the cloud, in addition to how they're supporting issues around new international data privacy laws, such as GDPR, and other breach disclosure laws.

VMblog: How has the skills shortage impacted the CISO's recommendations to the board when it comes to talent and resources?

Taylor: CISOs are informing their boards about the enormous lack of skilled security professionals in the market across a broad range of specializations. CISOs are also gaining approval from boards to begin to look for outsourced shared services for this specialized cybersecurity talent in the form of managed security services providers and experts-on-call retainers.

VMblog:  What are some tips you can share with CISOs who are looking to get approval on a budget dedicated to cybersecurity?

Taylor: CISOs should avoid using security jargon and inducing uncertainty and doubt, as many boards don't know what's happening in the security industry. It's important to keep the conversation high-level, so avoid going too in-depth with metrics they may not understand.

For a successful meeting with the board, it's important to detail your program and where it currently stands - are you in the red, yellow, or green level of preparedness? It's also important to share the average time it takes to detect an attack, how detection times have increased or decreased, and the ideal response time you would like to achieve. It's also important to discuss the average time it takes to contain and remediate threats.

To put these different metrics in perspective, a CISO may want to share industry standards to show how the company is currently stacking up, and then develop a security scorecard to present where the weaknesses are, and how the organization can improve. Boards want to avoid uncontrolled spending, so describing how to effectively use funds with a hybrid approach to in-house and outsourced resources is pivotal.


Published Wednesday, August 02, 2017 7:31 AM by David Marshall