CISO and the C-Suite
Author: Bart Hall
A recent BAI Banking Strategies article noted that in a survey of more than 200 U.S.-based security leaders, 60 percent of respondents stated they were certain they were victimized or have reason to believe they might have been victims of social engineering attacks. Additionally, of those attacks, 65 percent of the malicious activity pertained in some way to employees’ login credentials, and 17 percent involved accounts belonging to customers.
Given this reality, financial institutions must evaluate their cybersecurity postures in order to maintain integrity with customers, employees and the industry as a whole. The article suggested four proactive moves institutions should consider:
- Ensure you have a senior-level executive on your team dedicated to overseeing your cybersecurity program. Ideally, they should be a member of your C-suite or a chief security officer.
- Explore options for managed detection and response (MDR) partners who can monitor, detect and respond to threats, leveraging both technology and human analysis to augment your staff—thus enabling them to focus on other high priority objectives.
- Evaluate potential partners to ensure you have complete visibility into what happens behind the scenes of your security provider’s operations.
- Employ periodic penetration test assessments to stay a step ahead of the hackers, and identify whether your systems, services and data are exposed to malicious actors.
While threats raise concerns for every enterprise, the stakes become even greater for financial institutions because of the sensitive nature of the information they keep. Security represents a complex and evolving area. While the tips outlined above make for a good start to secure your organization’s sensitive information, remember, it’s just a start.
Of the four moves noted, I want to expand on the one I believe is most critical. Having a senior-level executive on your team dedicated to overseeing your cybersecurity program is no longer an option; it is a necessity. Adding a CISO to the C-suite is the right move. Some institutions are halfway there: they added a CISO but left them under the direction of the CIO. Fortunately, many have recognized that having the CISO answer to the CIO presents a conflict of interest, because the CIO and CISO have different budgetary interests and are measured against different objectives. CIOs are pressured to make decisions that favor business agility above all else, so security becomes an afterthought compared with functional viability. CISOs, by contrast, have "security" in their job titles for a reason — but a CISO who reports to a CIO or other IT operations manager is unlikely to report his or her boss to the legal department for inevitable compliance failures. Over the past few years, federal and state regulatory bodies have started dictating that CISOs report to a risk officer, the general counsel, the CEO, or even directly to the board of directors. This is because the CISO position is no longer a niche technology role. Cyber presence is sufficiently ubiquitous today that, for many enterprise organizations, the Internet is their primary go-to-market platform.
A proper reporting structure is crucial not only for mitigating liability and compliance risks, but also for crafting the cybersecurity and data-stewardship solutions that an effective business strategy requires going forward. Without the CISO, boards and CEOs may not even be able to identify the right questions to ask or the right problems to solve in the first place. The whole concept of a CIO implies that that person has full control of the company's infrastructure and IT decisions. A CISO would typically be a part of that, but that is not necessarily reflective of what the pecking order should be. Just because the CISO will work extensively with the CIO doesn't mean that the CISO should report to the CIO — just as the general counsel shouldn't report to the executive vice president of sales just because the legal department works extensively with the sales teams. These are separate entities that happen to work together — and the IT team and the information security team are likewise separate from each other.
Once organizations understand that cybersecurity is about monetary risk, and that it is a business issue rather than a technology issue, more and more institutions will recognize that CISOs deal with far heavier risk assessment and risk management responsibilities than generalist IT leaders do — to the point where their job is all about risk and only incidentally about IT.
According to a 2018 PwC Global Investor Survey, cybersecurity was the No. 1 threat to business. Since the CISO is, first and foremost, a risk manager, it makes sense that the CISO belongs in the organization's risk hierarchy instead of the IT department. It's time to elevate the CISO to the right place in the organization. Welcome to the C-suite, Mr. CISO.
NXTsoft advocates for a C-suite level CISO at all financial institutions and has created several cybersecurity training, education and security products to help make the CISO job easier and more effective at combating cyber threats. Our ThreatAdvice vCISO solution can assist in all areas of security oversight.
You can learn more about the ThreatAdvice vCISO solution here.
September 23, 2019