In the second of his posts about why it is so hard to get cyber security right, Cyber Security Consultant Nils Solvang looks at some of the reasons why so many organisations struggle with the softer side of this conundrum and shines a light on the organisation and culture that surrounds the CISO.
Where should a CISO sit in an organisation? The position needs influence, independence and a trackable budget. To develop the right model, it is important to consider the CISO’s strengths – whilst many come from a strong technical background, this may mean that they favour expensive and complex technology safeguards to mitigate security risk.
Technology is important, but it is vital that solutions are independently verified to ensure that they will deliver business benefits based on realistic costing – if the ongoing cost of a safeguard exceeds the estimated loss expected from a security breach, it is probably better to do nothing. Although the CISO may hold the budget, the management team needs to ensure that independent Technical and PMO resources verify the business benefits of any Cyber Security project.
On the other hand, if someone else, such as the Chief Information Officer (CIO), controls the Cyber Security budget, the temptation will be to overly favour business objectives other than cyber security, typically operational savings or quicker product development. In other words, the best position for a good, balanced CISO is as high up the organisation as possible, but with as much independence from C-grades with conflicting objectives as feasible and with verification and organisational resources that are appropriate to the CISO’s background and strengths.
So should the CISO run an independent Cyber Security organisation? There is one truism in Cyber Security: if staff do not understand the reasons behind protective measures, they will circumvent any security implementations that inconvenience them. This again comes back to the need for a CISO to be a great communicator and leader in order to educate staff as to why the initiatives are being implemented.
Consequently, setting up a large, dedicated security organisation which reports to the CISO may actually work against security consciousness pervading the organisation, as staff feel that Cyber Security is ‘not my problem’. Additionally, the CISO can easily get bogged down in people management, taking up much of his or her valuable time. A virtual or matrix model where IT and Network staff in particular are actively involved in planning and implementing security into services, infrastructure and processes can often work far more effectively.
Regardless of the organisational structure, every CISO needs access to resources to help communicate, train and upskill staff, so that they understand why good Cyber Security practices matter and follow them, and to ensure a security-conscious culture right across the business.
Look out for the next post tackling Technology and Infrastructure issues connected with Cyber Security.