Cyber threats are a reality for most organizations. However, misconceptions and misunderstandings about the true nature of InfoSec are still hindering the protection of highly strategic information assets. Here, we outline key pitfalls that CIOs should avoid in order to successfully lead their organizations towards an effective InfoSec practice.
Cyber Security is primarily a governance issue before being a technical one.
The attention of key senior executives like the CIO, the CISO and Board members must, therefore, be focused on people and process in the long-run, even if technology evidently remains a key vector in the delivery of any effective InfoSec framework.
Far from being a mere support function enabling business operations, InfoSec must be thought of as a proactive control function. Pouring money into reactive technical projects is costly and inefficient; a good InfoSec governance model must shift the focus towards the real implementation of efficient protective rules across all layers of the enterprise.
Where cyber maturity is low to start with, the implementation of these key controls will involve a cultural shift and will take time. To be successful, change must be pinned against a long-term InfoSec roadmap, delivered by an influential and experienced CISO whose role must shift from that of a firefighter to that of a transformation spearhead – and who must stay in charge long enough to make change happen.
Information Security must be seen as an ongoing structured practice, as opposed to a mere series of technical initiatives.
People across all silos of the organization handle information assets on a daily basis. A controls-based culture must, therefore, be embedded in all departments and at all levels of the business. However, the fact that Cyber Security should concern all stakeholders across the organization does not mean that it is 'everyone's responsibility' – which in practice often drifts towards becoming 'no one's responsibility'.
Widespread cyber awareness within the organization is important but not sufficient, and InfoSec responsibilities must be clearly distributed across IT, business units, and support functions in order to ensure accountability. A clear target operating model involving all stakeholders is essential to drive cyber security transformation and the shift in mindset it often requires. This is more efficient – and considerably cheaper in the long run – than any awareness development program.
The Current Role of Most CISOs Lacks Clarity and Needs to Change
Reactive, expensive and inefficient practices are still underpinning most InfoSec strategies. As we have argued in previous articles, it is an issue that must be addressed primarily at the people and process levels through an effective cyber security governance framework – instead of traditional approaches that have historically treated the problem as a mere IT problem and focused only on technology solutions.
The three key pieces of this model are the CISO, the CIO and the Board, whose roles in protecting the organization against cyber threats must be clearly outlined and commonly understood. However, each of those is currently facing its own challenges in terms of maturity.
Although the function has existed for decades, the CISO's role and mission still lack clarity and consistency in many large organizations. As a result, the formal distinction between the first and second line of defense in the traditional 'three lines of defense' model is often blurred, and the whole model is generally poorly applied.
The structural pressure that the emergence of Shadow IT and Cloud Computing is exerting on the IT environment of all organizations is forcing an inevitable and ongoing shift in the role of CIOs. They must aim for more cooperation and influence with both internal and external stakeholders and are forced to focus less on the purely technological aspects of the role.
The Board – often scared by recent data breaches – is in the process of becoming fully aware of the cyber security challenges that its organization is faced with, and its behavior with regard to InfoSec governance must reflect that acknowledgement. The Board must be consistent in its expectations and explicitly incentivize key senior executives on cyber protection, and not just on product delivery, revenue generation or cost cutting. The reporting line of the CISO, in particular, must unambiguously lie at Board level in order to reflect the importance and the consideration that should be given to this crucial role. The reporting line should be determined on the basis of the challenges the role is facing. Arbitrary separation-of-duties considerations must be avoided at all costs, as they simply fuel internal politics and inefficiencies, and in practice often hinder the implementation of much-needed changes.
In this context, the time has come to deconstruct and re-forge the legacy role of the CISO. Three distinct functions can be identified that would allow the lines between risk management and controls enforcement tasks to be drawn more clearly around traditional PDCA (Plan-Do-Check-Act) principles.
This new operating model would benefit the CIO by providing them with a stronger and more efficient cyber governance framework. The CISO would also gain in seniority and consideration in the process and could become a key ally to the CIO around digital transformation challenges.