The CSO/CISO Roundtable

Transcription

1 The CSO/CISO Roundtable 27th October Meeting notes Organised by the Security Awareness Special Interest Group in association with ASIS International and The Security Company (International) Limited Hosted by Barclays plc Business leaders are already saying to security professionals change, or we will either impose change on you or simply ignore you.

2 Debate One The Security Executive as a Business Leader Facilitator: Peter Piazza, VP Strategic Operations, ASIS International Panellists: Axel Petri, SVP Group Security Governance, Deutsche Telekom AG Sir Christopher Coville, Senior Defence and Security Advisor, EMC Michael Couzens, VP and Chief Security Officer, Baker Hughes Craig Balding, Group Head of Cybersecurity Risk, Barclays One of the greatest challenges for both CSOs and CISOs in information and physical security is effectively aligning their activities with their businesses objectives. While security practitioners talk endlessly about the importance of integrating governance and business requirements with the security function, the reality too often speaks of a different story. The phrase security as a business enabler is chanted at every opportunity within the spheres of security aficionados, but what does this actually mean? And more importantly how do we get this mantra vocalised at board level? People s awareness (at home and at work) of the dangers from security terrorism, cybercrime, identity theft, child exploitation, organised crime - is at an all-time high. Government legislation and regulations are burgeoning, and organisations are spending increasing amounts on all aspects of security and employing security executives in record numbers. Yet despite these efforts, there is an apparent disconnect between information and corporate security programmes and the business units. So, how do we create a framework enabling senior security executives to better align their protective and preventative security regimes with their organisation s business needs and objectives? How do we help security executives to become more effective as business leaders? These questions were posed to our panel of specialists and then opened to the audience. 1. The current State of the Union: what are the problems? The organisation of the security function Despite the longstanding and widely accepted understanding that physical and information security are inter-dependent, and even though both have matured to the point where their convergence is possible, there still persists in many organisations a lack of cooperation that is hindering the manageability of the security infrastructure. A myopic focus on technology instead of business Too much of a technical focus is serving to isolate the security function from key business units within the organisation. Senior and board level business executives have an insufficient understanding of the range of physical and financial risks their businesses face, and the potential impact upon operations and profit. Less tangible security risks such as loss of reputation are even less appreciated. Security is seen as a cost For the most part organisational leaders still see the security function as a cost to the business, not a key element of and contributor to the business strategy. Lack of a comprehensive risk-based approach Security programmes and operations are too often implemented with little assessment of the specific risk areas and threats to the organisation. In many organisations, technology strategies, policies and procedures are created with little understanding of how organisational culture influences and impacts the effectiveness of these programmes. Security executives across the organisation must understand the fundamentals of the business - company strategy, the operational and regulatory environment, possible threats, risk impacts, and resilience. The CSO/CISO Roundtable 1

3 2. Moving from silos to synergy A healthy security function must be designed holistically; the convergence of physical and information security domains ultimately allows for better/more cost-effective security operations and greater protection of business assets. This is a key element in aligning security with business needs. Siloed security practices ultimately impede the detection and mitigation of cross-functional risk. We must continue to work hard to combine the physical and information security frameworks, and create a collaborative security governance structure. Siloed security practices ultimately impede the detection and mitigation of cross-functional risk It was contentiously suggested that a single leader with responsibility for the entire security function may be required just as the Chief Financial Officer has responsibility for all things financial. Fostering a single point of contact within the security function could go a long way to reducing costs, improving efficiency, and encouraging the Chief Executive and Board to recognise the importance of incorporating security into the architecture of the business. It was highlighted, however, that the most important element was fostering a collaboration between all corporate risks, regardless of where they arise or who owns responsibility for them. 3. Importance of effective communication, learning the language of business and understanding the business strategy CSOs and CISOs within organisations must create security programmes aligned with enterprise objectives and priorities. These must support the ability of C-suite executives to innovate, while at the same time recognising and containing the associated security risks. In order to engage with senior executives within the enterprise, the security leader should develop a model that defines, in simple terms, what an efficient security programme comprises of, how it functions, and importantly how it relates to the business and its key objectives. Security needs to be discussed in business lexicon, not in a way dominated by technological language and security jargon. Security managers need to understand the goals, priorities and strategy of the business in order to gain access to the key decision makers Security managers need to understand the goals, priorities and strategy of the business in order to gain access to the key decision makers. It is imperative to ask the right questions and draw together a descriptive model that leading voices in the different business functions can use. By making security an essential contributor to the bottom line, the CSO and CISO will gain greater influence and have a greater chance of being included at the most senior levels of the decision-making chain. 4. Security (especially cyber) must be approached with a business back philosophy Security leaders must make conscious efforts to ensure that their staff are familiar with the business strategy and other core business functions. They must take every opportunity to interact with every part of the business, and build relationships at every level. By doing such, the security team will demonstrate how they can fit into and contribute to the business strategy and objectives. The security discipline needs to be about protecting the growth as well as preventing the downside. Value must be added beyond security the security function must move in to predictive services in addition to the reactive services that currently make up their staple diet. The security discipline needs to be about protecting the growth as well as preventing the downside. Value must be added beyond security. The CSO/CISO Roundtable 2

4 By relating security policies directly to core business functionality, the resultant security programme will be able to demonstrate quantifiable risk reduction. Emphasising the economics of the security function and the business opportunities potentially provided by protection, offers a better chance of getting top-down sponsorship and support from the boardroom. This will then spread throughout the organisation to make it recognised as an enterprise-wide business enabler. 5. What makes a security executive a business leader? Effective security leaders must be organisational change agents, understanding how to articulate the bottomline impact of each security decision made. A security executive needs to be a business leader first and security specialist second. The language of the security executive must be one of business alignment, margins and strategy before anything else. Moral courage is key the real challenge is telling business leaders that they face real security risks, and demanding sufficient and appropriate resources. The language of the security executive must be one of business alignment, margins and strategy before anything else. 6. Should a security leader have a strong security background? Some suggested that it makes little difference whether CSOs and CISOs have a comprehensive knowledge of, and background in, the security profession. Individuals with a good business head on their shoulders, strong leadership skills, and the ability to learn quickly, delegate and prioritise can become strong security leaders. Indeed, there is growing evidence that such individuals can make better security executives than do professional security staff. However others disagreed, asserting that of course all security leaders should have these general skills but also needed a wealth of experience and specialist knowledge to manage the complex security department and its varied specialisms. Debate Two Physical and Cyber Security An Examination of Priorities Facilitator: Martin Smith, Chairman and Founder, the Security Awareness Special Interest Group Panellists: Mark Brown, Executive Director Cyber Security and Resilience, Ernst & Young LLP Alexandra Whyte, Group Security Manager, Johnson Matthey Colin Fraser, Head of Information Security, Sainsbury s Bank Robert Orr, Cyber Security Policy Manager, Nuclear Decommissioning Authority The convergence of physical and information security is increasingly succeeding at the technical level; however it is still in its infancy at the organisational level. The question was posed to the delegates: Is the strain between siloed security functions still a problem? and over 80% of the delegates seemed to agree that it was. A recent EY survey highlighted that 87% of 3000 companies surveyed did not believe that the security function within their organisation was working effectively. The CSO/CISO Roundtable: 27th October Meeting notes 3

5 1. Importance of a holistic approach There needs to be a synergetic approach between physical, information and personnel security functions. This approach must address the security profile in terms of tangible and potential combined risks, including physical, information and people, rather than individually identifiable risks within single processes. Convergence does not necessarily have to mean the physical merging of functions, but can equate to the active collaboration between functions. We need to get people with a traditional security background to have greater flexibility of mind. We must help their professional development to embrace the cyber world, and we need to change their stoically ingrained, singularly focussed perspectives. We need to get people with a traditional security background to have greater flexibility of mind. 2. Maturity information security versus physical security We are seeing that recognition of and support for physical security is still far ahead of that for information and cybersecurity. Boards and Directors understand fully the risks of physical security. Information and cyber security is still shrouded in mystery and hidden within the IT function. Greater effort must be made to align cybersecurity with business operations, and to explain more clearly in lay terms the impacts that cyber breaches can have on the business operations and reputation. A mature information security approach will have buy-in from senior executives and will be forged as part of an enterprise risk management strategy at the highest level. 3. Communication is key Make all functions of security relevant and understandable to people. Everything comes back to the holistic approach our priority is to ensure that everyone in the organisation understands the inter-dependence between physical and cyber security and the role of the Mark 1 Human Being in this matrix. 4. Will this really work? Is it an obligation for security professionals to help others from other enterprises? The supply chain is pivotal to any organisation s security does the CSO/CISO have an obligation to help here as well? But is this really going to work? Can we realistically change the old-timers, and can we sensibly merge such differing cultures and skills sets as those of the physical and IT security worlds? Will the security industry ever change? Is convergence a pipe dream? The resounding conclusion from the debate was that we must make this work. Business leaders are already saying to security professionals change, or we will either impose change on you or simply ignore you. Together with its powerful Security Awareness Special Interest Group (SASIG), The Security Company is recognised as the thought leader across Europe for the increasingly important field of cybersecurity awareness. Dean Court, Upper Dean, Huntingdon, Cambridgeshire PE28 0NL Main Office: +44(0) [email protected] 4