According to a March 2016 PwC report, ‘A False Sense of Security?’, that surveyed 300 Middle Eastern organisations, the region has become one of the prime targets for cyber-attacks. In fact, according to the findings in the report, in 2015, 56 percent of businesses in the region lost more than $500,000 as a result of cyber incidents compared to 33 percent globally. Faced with this reality, organisations across the region have upped their IT security spend. However, one of the biggest challenges when you go shopping for new security tools is answering the inevitable question from finance: “What’s the value?”
The role of the CISO (Chief Information Security Officer) continues to evolve as the understanding of cyber-risk continues to increase within the business community. The dependence on IT infrastructure, increased compliance requirements and the proliferation of sensitive data are all areas of risk. And, not a week goes by without there being some new breach, adversary or threat reported in the media. Businesses are increasingly looking to their CISOs to define, implement, measure and communicate the strategies they need to both assess and manage these risks.
Over the past few years the role of the CISO, and the skills they require have evolved. Yes, CISOs still need to be subject matter experts, understanding the technical aspects of the threats they face and solutions they deploy – but increasingly they also need to be business strategists and communicators.
The appreciation of cyber-risk as another type of business risk has become much more common in many organisations and there has been a realisation that it can’t be managed purely from within IT. As a consequence, CISOs in many organisations now regularly report to the board and have a much broader range of influence across a business. In many of the organisations that I deal with, security is being considered within projects and acquisitions from the get-go – rather than as an afterthought. This requires the risk appetites and tolerances of the organisation (around IT and customer data) to be defined, communicated and managed. Further, this requires a reframing of technical concepts into more general business language.
Investment Value
The importance of the technical side of the CISO role hasn’t diminished though, and as we can all see there is continued change in both the threat landscape and the solutions available to counter our adversaries. When selecting technologies, CISOs are increasingly looking at the value an investment could bring in terms of reducing risk, rather than looking at the number of threats blocked.
The model adopted by many organisations in the past has been to deploy the latest technologies to detect and/or disrupt the latest threats, and then engineer process (and people) around these technologies. In a world with a significant shortage of skilled security people, and where security automation is still in its infancy, this doesn’t necessarily get the best result. CISOs are looking for the ‘right’ technologies that detect and/or disrupt the threats that matter, whilst maximising the effectiveness of their people. Increasingly CISOs are looking to build their processes around their business and their people, and are then looking to investing in technologies that streamline these processes. This requires the CISO to have a more balanced view of internal versus external threats, capabilities and business requirements.
Measuring Success
Many CISOs also now face increased scrutiny. Measuring risk and the effectiveness of their teams and processes, and then communicating the results has become a key part of the CISO’s role. Defining the right metrics to measure the success or failure of a security organisation, and its strengths and weaknesses, is imperative. If we know what we are good at, and what we aren’t, then we know where we need to improve.
The CISO is now a key individual within any businesses. In today’s connected world, where our businesses are ever more dependent on the security of our services and data, it is the CISO’s role to create the bridge between technical threat and business risk, and thereby manage the continuous improvement of an organisation’s ability to deal with new and ever more advanced adversaries.
