The CSO/CISO Roundtable




27th October 2014 - Meeting notes

Organised by the Security Awareness Special Interest Group in association with ASIS International and The Security Company (International) Limited

Hosted by Barclays plc

Debate One: The Security Executive as a Business Leader

Facilitator: Peter Piazza, VP Strategic Operations, ASIS International

Panellists:
Axel Petri, SVP Group Security Governance, Deutsche Telekom AG
Sir Christopher Coville, Senior Defence and Security Advisor, EMC
Michael Couzens, VP and Chief Security Officer, Baker Hughes
Craig Balding, Group Head of Cybersecurity Risk, Barclays

One of the greatest challenges for CSOs and CISOs, in information and physical security alike, is aligning their activities with their business's objectives. Security practitioners talk endlessly about integrating governance and business requirements with the security function, but the reality too often tells a different story. The phrase "security as a business enabler" is chanted at every opportunity within the security community, but what does it actually mean? And, more importantly, how do we get this mantra voiced at board level?

People's awareness, at home and at work, of the dangers to security (terrorism, cybercrime, identity theft, child exploitation, organised crime) is at an all-time high. Government legislation and regulation are burgeoning, organisations are spending increasing amounts on all aspects of security, and they are employing security executives in record numbers. Yet despite these efforts, there is an apparent disconnect between information and corporate security programmes and the business units.

So, how do we create a framework that enables senior security executives to align their protective and preventative security regimes with their organisation's business needs and objectives? How do we help security executives become more effective as business leaders? These questions were posed to our panel of specialists and then opened to the audience.

1. The current State of the Union: what are the problems?

The organisation of the security function
Despite the longstanding and widely accepted understanding that physical and information security are inter-dependent, and even though both have matured to the point where their convergence is possible, many organisations still suffer from a lack of cooperation between the two that hinders the manageability of the security infrastructure.

A myopic focus on technology instead of business
Too much of a technical focus isolates the security function from key business units. Senior and board-level executives have an insufficient understanding of the range of physical and financial risks their businesses face, and of the potential impact on operations and profit. Less tangible security risks, such as loss of reputation, are appreciated even less.

Security is seen as a cost
For the most part, organisational leaders still see the security function as a cost to the business, not as a key element of, and contributor to, the business strategy.

Lack of a comprehensive risk-based approach
Security programmes and operations are too often implemented with little assessment of the specific risk areas and threats to the organisation. In many organisations, technology strategies, policies and procedures are created with little understanding of how organisational culture influences the effectiveness of these programmes. Security executives across the organisation must understand the fundamentals of the business: company strategy, the operational and regulatory environment, possible threats, risk impacts, and resilience.

2. Moving from silos to synergy

A healthy security function must be designed holistically; the convergence of the physical and information security domains ultimately allows for better and more cost-effective security operations and greater protection of business assets. This is a key element in aligning security with business needs. Siloed security practices ultimately impede the detection and mitigation of cross-functional risk. We must continue to work hard to combine the physical and information security frameworks and create a collaborative security governance structure.

It was contentiously suggested that a single leader with responsibility for the entire security function may be required, just as the Chief Financial Officer has responsibility for all things financial. A single point of contact within the security function could go a long way towards reducing costs, improving efficiency, and encouraging the Chief Executive and Board to recognise the importance of incorporating security into the architecture of the business. It was highlighted, however, that the most important element was fostering collaboration across all corporate risks, regardless of where they arise or who owns responsibility for them.

3. Importance of effective communication, learning the language of business and understanding the business strategy

CSOs and CISOs must create security programmes aligned with enterprise objectives and priorities. These must support the ability of C-suite executives to innovate while recognising and containing the associated security risks. To engage with senior executives, the security leader should develop a model that defines, in simple terms, what an efficient security programme comprises, how it functions and, importantly, how it relates to the business and its key objectives.

Security needs to be discussed in the business lexicon, not in language dominated by technology and security jargon. Security managers need to understand the goals, priorities and strategy of the business in order to gain access to the key decision makers. It is imperative to ask the right questions and draw together a descriptive model that leading voices in the different business functions can use. By making security an essential contributor to the bottom line, the CSO and CISO will gain greater influence and a greater chance of being included at the most senior levels of the decision-making chain.

4. Security (especially cyber) must be approached with a "business-back" philosophy

Security leaders must make conscious efforts to ensure that their staff are familiar with the business strategy and other core business functions. They must take every opportunity to interact with every part of the business and build relationships at every level. By doing so, the security team will demonstrate how it can fit into and contribute to the business strategy and objectives. The security discipline needs to be about protecting growth as well as preventing the downside. Value must be added beyond security: the security function must move into predictive services in addition to the reactive services that currently make up its staple diet.

By relating security policies directly to core business functionality, the resulting security programme will be able to demonstrate quantifiable risk reduction. Emphasising the economics of the security function, and the business opportunities that protection can provide, offers a better chance of getting top-down sponsorship and support from the boardroom. This will then spread throughout the organisation, so that security is recognised as an enterprise-wide business enabler.

5. What makes a security executive a business leader?

Effective security leaders must be organisational change agents who understand how to articulate the bottom-line impact of each security decision. A security executive needs to be a business leader first and a security specialist second. The language of the security executive must be one of business alignment, margins and strategy before anything else. Moral courage is key: the real challenge is telling business leaders that they face real security risks, and demanding sufficient and appropriate resources.

6. Should a security leader have a strong security background?

Some suggested that it makes little difference whether CSOs and CISOs have a comprehensive knowledge of, and background in, the security profession. Individuals with a good business head on their shoulders, strong leadership skills, and the ability to learn quickly, delegate and prioritise can become strong security leaders. Indeed, there is growing evidence that such individuals can make better security executives than professional security staff do. Others disagreed, asserting that while all security leaders should of course have these general skills, they also need a wealth of experience and specialist knowledge to manage a complex security department and its varied specialisms.

Debate Two: Physical and Cyber Security - An Examination of Priorities

Facilitator: Martin Smith, Chairman and Founder, the Security Awareness Special Interest Group

Panellists:
Mark Brown, Executive Director Cyber Security and Resilience, Ernst & Young LLP
Alexandra Whyte, Group Security Manager, Johnson Matthey
Colin Fraser, Head of Information Security, Sainsbury's Bank
Robert Orr, Cyber Security Policy Manager, Nuclear Decommissioning Authority

The convergence of physical and information security is increasingly succeeding at the technical level; at the organisational level, however, it is still in its infancy. The question was posed to the delegates: "Is the strain between siloed security functions still a problem?" Over 80% of the delegates seemed to agree that it was. A recent EY survey highlighted that 87% of the 3,000 companies surveyed did not believe that the security function within their organisation was working effectively.

1. Importance of a holistic approach

There needs to be a synergistic approach between the physical, information and personnel security functions. This approach must address the security profile in terms of tangible and potential combined risks, spanning physical, information and people, rather than individually identifiable risks within single processes. Convergence does not necessarily have to mean the physical merging of functions; it can equally mean active collaboration between them. We need to get people with a traditional security background to have greater flexibility of mind. We must help their professional development to embrace the cyber world, and we need to change their deeply ingrained, singularly focussed perspectives.

2. Maturity: information security versus physical security

Recognition of and support for physical security is still far ahead of that for information and cyber security. Boards and Directors fully understand the risks of physical security. Information and cyber security is still shrouded in mystery and hidden within the IT function. Greater effort must be made to align cyber security with business operations, and to explain more clearly, in lay terms, the impact that cyber breaches can have on business operations and reputation. A mature information security approach will have buy-in from senior executives and will be forged as part of an enterprise risk management strategy at the highest level.

3. Communication is key

Make all functions of security relevant and understandable to people. Everything comes back to the holistic approach: our priority is to ensure that everyone in the organisation understands the inter-dependence between physical and cyber security and the role of the "Mark 1 Human Being" in this matrix.

4. Will this really work?

Is it an obligation for security professionals to help others in other enterprises? The supply chain is pivotal to any organisation's security; does the CSO/CISO have an obligation to help here as well? But is this really going to work? Can we realistically change the old-timers, and can we sensibly merge cultures and skill sets as different as those of the physical and IT security worlds? Will the security industry ever change? Is convergence a pipe dream?

The resounding conclusion from the debate was that we must make this work. Business leaders are already saying to security professionals: "change, or we will either impose change on you or simply ignore you."

Together with its powerful Security Awareness Special Interest Group (SASIG), The Security Company is recognised as the thought leader across Europe in the increasingly important field of cyber security awareness.
Dean Court, Upper Dean, Huntingdon, Cambridgeshire PE28 0NL
Main Office: +44(0) 1234 708456
www.thesasig.com
SASIG@thesecurityco.com