The Role of the CISO

Conclusion: Cyber security is now one of the top priorities in many organisations. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to being regarded as a strategic enterprise risk. The role of the Chief Information Security Officer (CISO) has traditionally required strong technology skills to protect the organisation from security incidents. With boards and executives now requiring executive-level cyber leadership and accountability, the role of the CISO must evolve beyond the traditional technology domain to also encompass strategy, stewardship and compliance as well as being a trusted business advisor.

Conclusion: Increasing emphasis in the media and in industry literature on cyber security and the risks of data breaches with service disruptions is likely to get extra attention in future from the board and their audit and risk committee (or ICT governance group).

Not only must the committee be concerned with risk prevention, astute members will also want to know how the organisation will recover from a data breach or ransomware attempt and restore the organisation’s operations, if an unexpected disruption to services occurs.

To minimise business risks, committee members must stay aware of local and international cyber security incidents, how they occurred and were addressed and what they need to do to make sure they are not replicated in their organisation.

Conclusion: Over the past decade, the role of the Chief Information Security Officer (CISO) has risen to be one of great importance in many large and mid-sized organisations. While this remains the case, protecting information assets is more likely to be successful through ensuring all threats are managed under the same set of policies and principles. Managing threats to organisations can no longer be separated between departments or siloed out to service providers. With data in the Cloud and people on the ground in new geographies, the need to evolve the relationship between logical and physical controls has increased. The key to holistic security is to bring all aspects of security under one umbrella to ensure all bases are covered.

Conclusion: In a world where organisations increasingly rely on the successful performance of their business systems it is important IT management takes the lead in managing the risk of systems failure and cyber security breaches from all sources.

Boards are ultimately responsible for monitoring risks. They direct IT (and business) management to create a framework and strategy to manage systems, including data, and cyber security risks. The framework must include policies, supported by processes and practices to ensure business systems operate successfully and the data stored is not compromised.

Conclusion: Whilst the forthcoming General Data Protection Regulation (GDPR) is a European regulation, some Australian organisations are likely to be impacted and will need to comply. One of the requirements of the regulation is to appoint a Data Protection Officer (DPO), whose job role has very specific duties and legal responsibilities which are defined as part of the GDPR.

However, the guidelines are not completely clear as to when it is mandatory for an organisation to appoint a DPO. Australian organisations should consider if, 1: will they need to comply with the GDPR, and, 2: will they need to appoint a DPO?

"If your organisation is producing value then you must confront cyber risks because you have something at stake. WannaCry and NotPetya were just the latest in a long line of cyber security wakeup calls where industry runs the risk of just hitting the snooze button, yet again.
"Many top ASX companies have chief information security officers, or CISOs, to help them identify and manage cyber risks. If you've got a CISO then your organisation has had the epiphany that it is a digital business and it thrives, or withers, on its ability to deal with cyber risks in a hyper-connected world."

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs. 

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs. 

Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be equally debilitating. Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly.

Conclusion: The challenge with handling threat intelligence is in assessing its relevance to an organisation, determining an appropriate response and then continual execution and reassessment. Consequently, the more comprehensive the threat intelligence service is, the greater the requirement for a customer to have existing, mature cyber security capability. Organisations must understand how they will use a threat intelligence service and what business benefit it will deliver to their organisation.

Conclusion: The role of a cyber security executive is challenging at the best of times, as they need to continually strike a balance between informing and influencing, without continually alarming. But the context surrounding why an organisation creates a cyber security executive role is critical to the success of cyber risk management. Executive level commitment is required continually to ensure that the cyber security executive’s message and mandate are understood by all. Ultimately, a neutered cyber security executive will result in a fragile organisation with excessive, inappropriate, or inadequate controls. Organisations with controls that are mismatched to their objectives will be easy pickings for both attackers and regulators.

Conclusion: Unless an organisation has an already strong cyber security capability, or the budget and appetite to progress its maturity very quickly through expanding its headcount and changing business processes, it is unlikely that any security tool purchases will help. Instead, organisations aspiring to improve their cyber security maturity should focus on business alignment through risk driven conversations, and addressing and automating technical hygiene issues.

Conclusion: There are a number of traits and behaviours to look for in an effective security leader, which are different from a traditional IT leader. The measure of an effective CISO is not whether their organisation has had a breach, or not. The measures of an effective CISO are the types of incidents their organisation has, and how their organisation responds to these. Consequently, an effective CISO is a requisite component for comprehensive risk management and organisational resilience.

Conclusion: As physical and digital supply chains become more integrated across organisational, regional, and national boundaries, the potential impact of an emergency or crisis can be far reaching. A proactive approach to crisis management requires an awareness of all the high-impact crisis and emergency events that could affect an organisation, and requires appropriate tools for risk assessment and active hazard management.

Conclusion: The rise in the Australian Dollar is encouraging many organisations to investigate using IT and business process service providers outside the country as a means of reducing their cost base. There is no doubt that ongoing savings are possible, but they will only be sustained if the risks are managed and IT professionals responsible for outcomes are diligent and track performance.

Conclusion: Effective and responsible management of IT security should concern executives at the highest levels of management. Leading practice suggests, but does not mandate, separation of the IT security function from the IT management function. One of the ways that this can be achieved is with the appointment of a Chief Information Security Officer (CISO) with total accountability for all IT security matters within the organisation. A pro forma Position Description for the CISO role is provided herein.

Conclusion: Organisations that do not treat information security risks seriously could pay a heavy price if a major incident occurs and they are unprepared to deal with it.