Some years ago Chief Information Security Officers (CISOs) used to talk about the ‘Metro effect’. This was when their CEOs would descend on them brandishing an article in the free newspaper that detailed a cybersecurity incident in a rival organisation, demanding to be reassured that it couldn’t possibly happen to them. We hope that things have moved on since then but, as the recent TalkTalk security breach illustrates, it’s time for all CEOs to start developing a long-term relationship with their CISOs.
The obvious reason for doing this is to avoid the organisational impact that TalkTalk is currently experiencing – loss of revenue, falling share price, brand damage and an ongoing investigation. But for any CEO the career impact shouldn’t be underestimated – whether it’s calls for their resignation, or simply looking like a deer caught in the headlights on national television and stumbling over answers to fairly routine questions about business processes.
There’s lots of advice out there that aims to help cybersecurity practitioners explain what they do to C-suite executives – and similarly, there is advice for CEOs on the questions that they should ask their security teams. What’s really needed though is a relationship – a relationship that mirrors the one that CEOs have with their finance departments, with their HR departments, with any other part of their organisation’s normal business operations. It’s time for CEOs to engage in a different conversation and to build a long-term relationship with their cybersecurity teams rather than relying on a one-night stand when things go wrong.
What might this look like? Well, I was recently present at a security leadership team event at a global organisation, where the CEO not only attended and presented on the importance of security and how he saw it fitting into the organisation but also took questions in an open forum. How often does this happen? The CEO in question was also praised by the security team for ‘phoning up to offer his thanks’ when security had been handled well. I wonder how many security teams in organisations have experienced this type of interaction with their CEO?
At a practical level, though, CEOs need to re-evaluate their relationship with security, and they can do this in a number of ways:
- They need to examine their perception of security risk within their business. Has their business strategy become technology-dependent without them realising it? What is their business really about? In many organisations, technology has become core over a period of time without the implications really being thought through from a business perspective.
- They need to look at the skillset on their Board. The TalkTalk Board has at least two members who should be able to advise on technology, but technology and security are not synonymous … which brings us on to the next point. As any CEO will know, information received by a Board will generally have been pre-digested by a number of people in intermediate roles and, for this reason, it’s vital that there’s someone on the Board who can ask the difficult questions. I’ve heard one CISO refer to the difficulty of getting information through the ‘treacle of middle management’. Is there anyone on the Board who can cut through this and advise on security issues?
- CEOs would do well to consider their company’s reporting structure for security. The route by which security reports up to the Board makes a difference: is it via the Chief Finance Officer (CFO), the Chief Technology Officer (CTO), or the Chief Risk Officer (CRO)? The CTO isn’t always the best place for security to sit, as CTOs, unsurprisingly, tend to champion technology rather than security.
- Similarly, how far away from the C-suite is the security expertise? Is there a Chief Information Security Officer (CISO)? While a CISO doesn’t usually sit on the Board, the title itself gives a suggestion of how seriously security is taken in the organisation, as well as a useful indication of who that individual’s peers will be in other organisations. Organisations that don’t have a CISO may well be inadvertently excluding themselves from CISO-only information-sharing opportunities.
From the work that we’ve done with organisations, it is apparent that having a productive conversation is an important step in improving security. The TalkTalk breach demonstrates that CEOs have to take an active part in this conversation and to start building a relationship – will they listen and engage this time?
As part of CREST’s commitment to open access research, this text is available under a Creative Commons BY-NC-SA 4.0 licence. Please refer to our Copyright page for full details.
Photo by Kenny Louie