How is the role of the CISO evolving, and what do physical enterprise security executives need to know about it?
A recent Ponemon Institute report noted that the C-Suite now, more than ever, understands that just one serious security incident or data breach could derail the growth and profitability of their companies because of impact to brand and the cost to remediate, fines and legal fees and customer loss. As a result, the role of the Chief Information Security Officer (CISO) is growing in importance, as is the need to have an enterprise-wide IT security strategy that supports the company’s mission and goals.
Why does all of that matter to physical enterprise security?
Two reasons, says John McClurg, Sr. VP and CISO at BlackBerry. McClurg is an enterprise security executive, who advanced a CSO role at Dell, as well as at Honeywell International and Lucent/Bell Laboratories.
First, an elevated focus on the growing interdependencies between the physical and cybersecurity worlds leads to the consideration of a converged organizational structure, under an CSO who has both cyber and physical security responsibilities.
“I first saw convergence with my role at Lucent,” McClurg says, “The older view of separating physical and logical security is changing in enterprises, to where it is now quite common to find corporations where the corporate security and IT security worlds are fused together. Both roles don’t get appreciation every day, but they certainly get the blame when it goes wrong.”
Bringing two such distinct disciplines together is not easy. The personality types of corporate and cybersecurity directors can be very different, simply by the roles they’re hired to fill. However, says McClurg, “You need to coordinate and work hand and glove together so neither side is surprised, in order to execute solutions. That requires the cooperation with the IT side that owns the company network.”
Another reason, says McClurg, is that increasingly, both physical and IT Security programs have the same reporting structure, whether it’s to the CEO or the CFO.
“I have reported to many CFOs in my career, and there is something appealing about reporting to the guy who holds the dollars,” McClurg says. “A challenge with reporting to the CEO can arise out of the management principle of span of control, wherein a CEO may not be able to handle a large number of direct reports. That can introduce the risk of serving them all less well.”
One challenge with a converged organization, says McClurg, is that many SMBs don’t have a CISO position. “This is where we might consider a virtual CISO, an individual who may be part-time, who may work remotely, like a timeshare in the real estate world. They may bring their expertise, for a short or long period of time, to make critical decisions, or maybe just fine-tune some things for a while. That’s another way in which the role of the CISO is evolving.”
In addition, says McClurg, CISOs are being named to Boards of Directors of organizations other than their own. “That’s an indication of a Board’s appreciation of the criticality ascribed to the role,” he notes. “Our expertise and insights are needed and our skills are being appreciated. Boards now want the added assurance that their understanding of their situation, over which they have a fiduciary responsibility, is free and clear of any biases that might tilt their perception of how the security in their corporation is working.”
A Seat at the Table
Both the CSO and CISO should have a seat on their company’s Board, adds George Finney, Chief Security Office for Southern Methodist University. “CEOs now get fired because they didn’t understand cybersecurity, right? That’s a real opportunity for both roles to be there.”
“From my perspective, being in cybersecurity for a long time, you just can’t have cybersecurity evolve without physical security doing the same,” he adds. “If you don’t get physical security right, you can’t guarantee the cybersecurity of your organization. And the opposite is also true. The two go hand-in-hand. That’s how you prevent crime. That’s how you ensure the safety of your community.”
Finney shares the story of a bank that had to replace all security cameras at all of their branch locations because hackers had taken over the cameras. But the hackers were so embedded in the physical security system that the bank ended up replacing its entire security system. “That’s a monumental failure, and it’s why the two roles have to work hand in hand,” he says.
When the two roles don’t work together, Finney says, it’s often because cybersecurity professionals like to “play our cards close to the vest. We don’t like to share, because it’s embarrassing to admit a breach. But to be secure, we all need to share information.”
As an industry, as well, Finney suggests that security vendors who lead with fear should not be doing so. “One vendor tried to pitch us on using their facial recognition technology by telling us that a Florida school shooting would not have happened if the school had used their company’s technology. That’s a horrible sales technique. Stop selling security by using fear and, instead, build relationships.”
Michael S. Oberlaender, a CISO and CSO, author and subject matter expert who has worked in global executive level security roles and in IT both in the U.S. and EU for more than 25 years, says he has seen the progression of the CISO role, including some of the incorrect ways it has been set up in many organizations. He says, “It’s not easy because what I have observed is an uphill battle, where often, the CISO role is under the CIO or CTO realm, which makes the road ineffective and inefficient. Technology is about full and easy functionality while security means literally least privileges. And most organizations either don’t care or don’t really understand the issue.”
He adds, “We all know that security is not a technology problem. It is a business problem. And it needs to be decided on from a business perspective. How much money do we want to spend? What changes do we want to make? Do we change the processes, or the culture? Do we put security first or functionality first? Unfortunately, many companies are short-cutting it and then wonder later down the road why the data breach took place.”
Oberlaender advocates that the CISO should report to the CEO and have a seat on the Board of Directors. “The CEO is the best person to report to because that person has a lot of visibility and execution power.” But why isn’t that happening in all companies?
“Often, CEOs don’t understand security, don’t have the time, or don’t want to spend the necessary time to ask the right questions. They think they can delegate it and then it goes away. But it doesn’t go away,” says Oberlaender. “You can’t outsource accountability or responsibility. Slowly, but steadily, it is improving, where the CISO reports to the CEO. But it is not the majority. It’s much more advanced in other countries. For example, in Israel, law dictates that the CISO reports to the CEO. Israel is one of the most secure countries, as most security vendors either come from Israel or have a large subsidiary in Israel.”
He adds that most CEOs have the resources, time and knowledge in the space to be educated about security. “It is, in my view, sheer denial of the facts.”
Debby Briggs, CSO for NETSCOUT, adds that a CISO’s reporting structure is critical. “The CSO and the CISO, don’t own the risk, but our job is to educate and inform everybody within the company, including the C-Suite and the Board of Directors on the risks and what we can do to mitigate them. So the risk appetite is really set by the Board and all the C-Suite team members. I report into my CIO, and he’s great, but there are times when my agenda and the agenda of my team is different than my CIO’s agenda. If I was designing an organization from scratch, I think the CISO or the CSO should report into the CEO. I think you will see that evolve as more Boards are taking a more active role in cybersecurity and physical security.”
According to Oberlaender, another way in which the CISO role is progressing is where he/she will have an independent budget. “Getting a budget independent from the IT spend or the technology spend gives more power and execution ability, in addition to better oversight, more independence and more governance. That independent budget will allow for investments in the necessary people, tools and technologies and process changes. It’s like buying a car. If you have money in your pocket, you can purchase a car. If you find the car that you want or if there is currently a shortage on cars, that’s a different story. But at least you have the financial ability to do so.”
Similar to Finney and McClurg, Oberlaender stresses the importance of having a converged enterprise, where the CISO and CSO roles work together. “Convergence has been discussed for years, but it isn’t always happening,” he says. “And it doesn’t make sense not to do so, as essentially, the same thought processes, same methods and same functions are there. They just translate into different ways of achieving a goal. There is access control in the physical space and the IT space, for example. There are still a lot of companies that still don’t have it combined in the right fashion.”