GRC Tuesdays: The CISO is not the enemy!
A few days ago, I was having dinner with a friend who happens to be the CISO (Chief Information Security Officer) at a medium-sized software start-up.
Whilst discussing how we report our actions to our management, he mentioned that he was asked to deliver a quarterly report to his board of directors on all things cybersecurity, including, of course, compliance with ever-changing regulations. A comment he made was that, during these sessions, he felt like a gladiator descending into the arena to fight the lions…
And instead of being offered executive support, he felt he was treated as a scapegoat for the increasingly complex cyberthreat environment and was associated with any breaches that happened in the market.
Ave Caesar, morituri te salutant
With all the recent data protection and privacy regulations being enforced worldwide and the variety of attacks that a company can face daily, I could only understand how he must feel in his role, and the gladiator analogy. Especially without the support of executives.
But it doesn’t have to be this way.
I firmly believe that CISOs now have a dual role: protecting the organization and its most precious assets (including employee and customer information), but also helping users run secure processes more easily and smoothly. Especially in the wave of digital transformation that is spreading across businesses of all shapes and sizes to help them make the most of their IT investments.
Protecting the assets and supporting the business are not incompatible
First and foremost, I think most employees now perfectly understand the role and importance of cybersecurity. Who doesn’t have someone in their circle who had their email account hacked? Or a fraudulent online credit card charge they had to dispute?
Employees know that businesses are under constant threat, and I do believe that they understand the need for stricter security policies.
Nevertheless, I can also understand that some consider secure processes to be tedious, if not cumbersome. For instance: logging onto various systems with multiple passwords, or requiring access to system XYZ without knowing exactly how it operates and so being unsure which precise role to ask for, etc.
That’s where the CISO can provide great insight and support: by helping automate most of these tasks with tools such as Single Sign-On or Identity Management and Access Governance solutions, for instance to provision user roles automatically whenever an employee is onboarded or changes roles, or to reduce the number of passwords to remember without compromising secure access. This will make employees’ lives easier and help them protect the organization without additional effort.
Hopefully, it will also prevent people from writing their password on a post-it that will be glued to their computer screen. But that’s a topic for another blog…
Explain, explain and explain again
There is often a perception that cybersecurity is just about preventing external parties from getting inside a company’s network and doing damage. But there is another facet that I think is often overlooked: it also protects the employees themselves.
Let’s assume you are in the HR department and there has been a leak of employee pay grades. If all access to sensitive information is logged, you, as an HR employee who could be amongst the suspects, will be relieved, as you won’t even have to prove your innocence. The access logs alone will show who did and did not read the data, so your integrity will never even be questioned.
I think executives must play the game though and show their full support for cybersecurity – and, by extension, for the CISO they trust with the most precious information assets. Management must explain clearly to business owners why they should all be behind the CISO.
Only with the right tone at the top will all employees understand that this is as much to protect the organization as to protect them – and their personal information – from adverse events. They will then become an integral part of the cyber defense system of the organization: the human firewall.
Armed with dedicated tools, trust from their management and support from all employees, it’s time for cybersecurity experts to get back into the spotlight and take their rightful place as trusted business partners. Thanks to the CISO and cybersecurity experts, the organization will be ready.
So, travelling back in time from ancient Rome to ancient Greece, and as the Spartans responded to Xerxes I of Persia at the Battle of Thermopylae: molon labe!
Are you a CISO facing this situation? If so, how do you manage it? I look forward to reading your thoughts and comments, either on this blog or on Twitter @TFrenehard.