Security Think Tank: Reframing CISO-boardroom relations
Security learning is a career-long process, so as 2021 draws to a close, participants in the Computer Weekly Security Think Tank sum up the most important cyber lessons they’ve taken away from the past 12 months
The year 2021 was touted as a time to step back and review decisions that organisations had made in haste at a time of crisis that materially impacted their risk profile. The events of 2020 saw a major upheaval in the business landscape around the globe, placing high expectations on information security teams to protect organisations’ information, while enabling a disorientated remote workforce to continue business operations securely.
To accommodate new business requirements, digital transformation plans were accelerated, new technologies were adopted with minimal due diligence, and temporary measures were put in place to limit disruption to the supply chain. It was inevitable that the speed of those changes would introduce opportunity for risk.
Ideally, organisations would have moved from responding and adjusting to the global pandemic, to a new era of resuming “normal” operations that would allow business to get back in control and look to the future. But disruption did not wane as governments worldwide continued to yo-yo between lockdowns, partial lockdowns and easing of restrictions, cementing hybrid working as a permanent fixture – perhaps the only certainty for chief information security officers (CISOs) and their teams.
This serves to highlight a lesson for risk and security practitioners – the speed of digital business, coupled with an uncertain world, means we can never truly be in complete control of risk. We must continue to rethink how we work with business to maintain information risk within acceptable, but dynamically changing, levels of tolerance.
Information security practitioners need to be nimble, conciliatory and creative to keep pace with the rate of digital transformation, business innovation and the constant flux in working arrangements. Planning for normality is futile – expecting the unknown will enable both parties to deliver a rapid response that is more informed and assured.
For many CISOs, the pandemic meant they suddenly had the ear of the board and secured long-awaited investment to implement high-priority initiatives that met business demands. As threats morph, regulatory requirements tighten and attackers become more stealthy in their tactics, ongoing management of this business relationship is vital.
So, 2021 should be remembered as the year when CISOs and boards started to reframe their relationship beyond emergency, high-tempo demands with a view to embedding deeper, more functional collaboration. As ever, this requires the CISO to understand board-level concerns and priorities, and how that translates to protecting the organisation’s information assets and technical infrastructure. This business view needs to be as holistic as possible to cover the organisation’s operating processes, strategy, revenue streams, customers, suppliers, partners, premises, and so much more.
Conversely, the board must acknowledge how important cyber risk is to business outcomes and pull its weight when it comes to owning accountability for its management. The C-suite may be more tech-savvy than ever before, but continuous technological developments and more intricate threat scenarios mean its knowledge quickly becomes out of date if CISOs do not provide the necessary support.
Ultimately, the responsibility for security decisions is vested in the CEO, while it is the CISO’s role to influence and inform. Pitched at the right level and conciliatory in tone, this close engagement will enable information security teams to react in real time – not just to evolving threats, but also to a shifting operating environment that is dictated by external pressures outside an organisation’s control.
Security Think Tank Christmas special: 2021 in cyber
- RedSeal’s Mike Lloyd reflects on how ‘anti-human’ approaches to aspects of security, particularly programming languages, are setting us up for problems.
- PA Consulting’s Cate Pye says security teams need to focus more on people, processes and systems, if they are to ward off cyber attacks in the ‘new normal’.
- The infamous SolarWinds attack may have technically happened in 2020, but it ensured that in 2021, supply chain attacks were top of everyone’s agenda, as Airbus CyberSecurity’s Paddy Francis reflects.
- The biggest issues faced by IT teams this year ultimately boil down to a lack of appropriate resources and documentation, argues Petra Wenham of the BCS.
- Despite nearly two years of remote working, there’s still much to be done to secure the hybrid workforce, says Jack Chapman of Egress.
- Chris Cooper of ISACA reflects on a disastrous phishing simulation, and argues we’re not doing enough to get the security message across.