With recent high-profile cyberattacks such as WannaCry and NotPetya, cybersecurity has become a much hotter topic than it was five years ago. Today, boards are inviting CISOs to discuss security threats, vulnerabilities, and disaster recovery plans in the event of an attack. This has given CISOs a new level of visibility in the board room, but many are finding it difficult to succinctly describe the complex issues surrounding cybersecurity, while emphasizing evolving threats.
To learn more, I spoke with Brad Taylor, CEO at Proficio.
VMblog: How has the role of the CISO changed over the past 5 years?
Brad Taylor: While the responsibilities of the CISO have remained the same (protect the brand, assets, customer data, and availability of systems and data for the organization), the role of the CISO has changed considerably over the past five years. Previously, the CISO was focused on managing down the organization through establishment of policies, controls, and staff. Today, the CISO devotes a considerable amount of time and thought to managing up the organization to the CIO, CEO, and board of directors concerning the corporation's security posture, controls, preparedness, and trends. CISOs are now also tasked with managing the changing regulatory requirements of the international community, as it pertains to data privacy laws, breach disclosure requirements, and global adversaries.
VMblog: Why has cybersecurity become a top concern for the boardroom? How has this shift in priorities directly impacted the CISO's visibility with the board?
Taylor: Cybersecurity is now a high-priority topic of discussion in every boardroom. Over the past five years, we have seen an exponential increase in the number of CISOs being invited to board meetings before a breach occurs to inform the board on what the company is doing to prevent a breach, what additional resources they require going forward, and how they compare to their industry counterparts. This increase in board awareness is due to the continued increase in harmful breaches discussed in the press and the damage they do to the brand and value of the company.
VMblog: How can the CISO prepare for a presentation with the board? What issues should they raise?
Taylor: A CISO must have visibility into how their security controls are performing, how often they are getting attacked, how often they are getting compromised, whether they're able to prevent a potential breach in action, where the risks and weak areas are, where they need to enhance tools or resources in the short term and long term, and how they measure success.
To add to that, CISOs must be able to discuss how they are protecting the organization in the migration to the cloud, in addition to how they're supporting issues around new international data privacy laws, such as GDPR, and other breach disclosure laws.
VMblog: How has the skills shortage impacted the CISO's recommendations to the board when it comes to talent and resources?
Taylor: CISOs are informing their boards about the enormous lack of skilled security professionals in the market across a broad range of specializations. CISOs are also gaining approval from boards to begin to look for outsourced shared services for this specialized cybersecurity talent in the form of managed security services providers and experts-on-call retainers.
VMblog: What are some tips you can share with CISOs who are looking to get approval on a budget dedicated to cybersecurity?
Taylor: CISOs should avoid using security jargon and inducing uncertainty and doubt, as many boards don't know what's happening in the security industry. It's important to keep the conversation high-level, so avoid going too in-depth with metrics they may not understand.
For a successful meeting with the board, it's important to detail your program and where it currently stands - are you in the red, yellow, or green level of preparedness? It's also important to share the average time it takes to detect an attack, how detection times have increased or decreased, and the ideal response time you would like to achieve. It's also important to discuss the average time it takes to contain and remediate threats.
To put these different metrics in perspective, a CISO may want to share industry standards to show how the company is currently stacking up, and then develop a security scorecard to present where the weaknesses are and how the organization can improve. Boards want to avoid uncontrolled spending, so describing how to effectively use funds with a hybrid approach to in-house and outsourced resources is pivotal.