Enterprise Cyber Security And The Role Of The C-Suite
A look at who should own cyber risk and transforming cyber security culture
Steve Durbin joined episode #91 of Task Force 7 Radio this week to talk with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, and Andy Bonillo, VP & CISO of Ciena. Durbin is currently the Managing Director of the Information Security Forum, an independent, not-for-profit organization with a membership comprising many of the world’s leading organizations featured on the Fortune 500 and Forbes 2000 lists.
Durbin covered who in the organization should own cyber risk, how we should define the role of the CEO in cyber security, and how executives should posture cyber security as a growth enabler. He also spoke about what CEOs should be prioritizing in terms of the organization's cyber security strategy, what some of the top-down changes are that need to be implemented in order to create a resilient culture, and how to drive transformational change to make cyber security everyone's responsibility.
Where Should CISOs Report?
Rettas dove right in, asking about the culture of cyber security and where CISOs should report. When we talk about cyber security, it is often viewed as a technology issue, so in some companies CISOs report to the Chief Technology Officer or the Chief Information Officer. But are there risks to leaving it squarely on the shoulders of the CIO, no matter how capable he or she may be?
According to Durbin, there are challenges with viewing cyber security only through the lens of technology, even though everything is digitally enabled and technology is therefore a natural place to put it. Going forward, however, he said that he would “like to see organizations taking a little bit of a broader perspective, and viewing it more from the risk standpoint, so transferring the security guys more into that risk space. I think that gives for a much more rounded perspective on cyber security across the enterprise.”
Reporting to a Chief Risk Officer seems to be a better way of doing it, said Durbin, “Because when I look at cyber security, it is all about the management of risk. But putting it as I say into this technology bucket, we leave behind some of those elements. We need to understand the risk appetite of the organization, in order to make the right cyber security decisions in terms of where we're going to be placing resources and so on.”
“It's not that CIOs perhaps don't make those calls, but they tend to have a different perspective, and it tends to be about information management, it tends to be about digital, from the regard of how do I protect the technology related to it and the software and so on, and security tends to have a fraction of the overall budget. Whereas if you move it into risk, then we're looking at the way in which an organization manages risk with cyber security as a huge component of course,” Durbin added.
The Role Of The CEO In Cyber Security
Rettas decided to “move up the ladder a little bit with the CEO.” Durbin explained that increasingly we’re seeing legislators turn up the heat on CEOs, telling them they have to step it up. As someone who runs an organization, Durbin believes that the CEO also has a responsibility for cyber security.
“It's something that I actually wouldn't want to offload to anybody else from a leadership standpoint. Certainly I'm going to want to have the right people at the technical level, at the risk level, at the legislative level to support me in that. But it's about setting the right tone, the culture, and leading by example frankly. This is an area where you really do have to not just talk the talk but walk the walk as well,” Durbin said.
Rettas noted that Durbin is talking about cyber security as a growth enabler and not an obstacle or cost of doing business. “So, are enough organizations including it as part of their business strategy?” Rettas asked.
Durbin said that if we don’t include it as a growth enabler, “then we are going to run the risk of it either falling by the wayside from a business strategy standpoint, or being viewed as we were just talking as being this cost thing that we have to do. I think if you can flip it, if you can say, ‘We are in a cyber-enabled environment, we are a cyber-enabled organization, how can we use that to our advantage to drive our business forward?’ Then, you quite naturally begin to think of it from that growth standpoint rather than something that you have to go back round and fix because you need to do it.”
The Less Apparent Impacts Of A Security Breach
Beyond the impact on brand and operations that people commonly see, Rettas asked what some of the intrinsic things are that happen to organizations when they get breached.
Durbin talked about how some things don’t hit headlines because it is just the day-to-day operations stuff. If the impact of the breach is just on the simple resourcing across the enterprise, it slows you down; it stops you from doing what you're there to do. So it has an impact on people, has an impact on your business focus, and very often the dollar impact of that far exceeds anything related to the breach itself.
“So it's this invisible cost, if I could put it that way, of lost opportunity effectively, because you're having to divert resources from what they would normally be doing to fixing a breach, and to make sure the hub that you've got your systems back up and running effectively, to making sure that your sales team is able to operate effectively, but you're not going to be making the same mistakes again,” Durbin added.
He also cautions that we shouldn’t underestimate the drain that a breach places on an organization, because it knocks the organization off course and is difficult to plan for. We can plan for the day when a breach does happen: have a cyber response team in place and understand who is going to be talking to the press, the stakeholders and so on. And we can have our technical teams practice and rehearse how to get systems back up and running. But it's very difficult for us to rehearse how the business itself is going to respond. We don't know, for instance, how clients might respond to a breach. We need to reassure them, and that is going to take time out of the marketing director's day and indeed some of the sales leaders' days, not to mention those of some of the senior leaders.
“And those are some of the intangibles that I think a breach really begins to impact. Increasingly, of course, we're also starting to see significant breaches resulting in class action lawsuits. So now you've brought your legal team in, and the cost associated with all of that and the distraction cost too, because you shouldn't underestimate the amount of leadership time that is taken up, just in terms of attending, sitting down with attorneys and really thinking through some of the ways in which we're going to respond to those sorts of lawsuits. That's becoming something more of a norm as I say with some of the larger breaches that we've seen,” Durbin elaborated.
Balancing Cyber Innovation With The Basics
Durbin advised enterprises to make sure they are providing their teams with the most adequate resources to get the job done — so that you have the basics covered — and also provide some room for them to go be a little bit innovative and expansive in order to drive the business forward.
One of the biggest challenges in finding that balance is implementing cultural change. It’s about making sure that everybody across the enterprise understands the role that they play in enabling a cyber resilient culture, and that really is everybody. One of the things about organizations today that we didn’t have to struggle with just a short number of years ago is that we are all digitally enabled. So, Durbin offered some advice for cyber security leaders:
- It’s about leadership by example. You cannot, as the leader of a business, advocate that everybody password-protects their smartphone if you don't do it yourself.
- Be transparent. Take the time to explain, help people understand why certain things are the way they are, and align the direction the company is going (the technology is going) to enable that.
- Reinforce the need for there to be strong security in certain areas, but not necessarily others. Meaning, we can’t possibly hope to secure every single digital asset across the enterprise – it’s impossible.
- Focus down on what Durbin calls the crown jewels: what is absolutely essential for you to have secured across your enterprise. Start there, and start by looking as well at the sorts of job functions that need to be accessing that information.
“So I think we need to be taking a lot more time out to understand business flows, asset flows, digital flows, thinking about how we're securing them, thinking about who needs to access them, explaining that very clearly, having policies that are easy to implement, and as I said having your leadership lead by example,” Durbin explained.
More Effective Security Awareness
Durbin talked about how some of the most effective security awareness programs he has seen have related security to what people do outside of the workplace. Why? Because we all have a vested interest in keeping ourselves secure at home (especially if you have kids). So, for example, asking employees how many have routers at home and know how to change the password on them — simple things like that create a conversation point at the water cooler. Then things start to spread as everybody starts to talk about it. It’s a simple way to raise awareness.
“So I think those are the sorts of things from the organizational standpoint that we can do. It's about helping to make every individual who works in our organization understand the things that are going to make them more secure in the home environment, and then have them bring that back into the workplace,” Durbin said. “Let's face it, with IoT and the way in which our homes are becoming much more digitally enabled, then there's plenty of opportunities for the bad guys to get into our homes and get access to information we'd really rather that they didn't.”
While talking about people, Rettas then switched gears to the cyber security talent shortage. This is where we need to be innovative, according to Durbin. But there are a number of things organizations can do:
- We need to recognize there is a shortage and it’s not going away any time soon, and so we have to adapt to that.
- We need to stop fishing in the pond that we’ve always been fishing in. Meaning, with a lot of the security vacancies out there, we don't necessarily need to have people who have got 20, 30 years of experience in this space, quite the opposite.
- Let's look much more at the overall employee value proposition that we can put together to attract people into security versus just security qualifications.
- Make sure people understand that cyber security is a vibrant space, it is challenging, but you don’t necessarily need a deeply technical background. It’s more important that you’re a fast learner.
“We’re all hunting for the same unicorn, right? The unicorn doesn't exist,” said Durbin, who noted that he is much more in favor of things like apprenticeships, working with colleges, and capturing people at much earlier stages. “Bring them in at an early stage, get them to understand how they can use some of their skills and their talents, have some of these outreach programs. That's how we're going to solve the problem. We're not going to solve the problem by going on a unicorn hunt.”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.