The chief information security officer is the head of all information security operations within a company. He or she is tasked with determining the overall direction of the infosec resources under his/her domain, how those resources will be apportioned among the various disciplines, managing all the people in his/her department, and interacting with all other departments in the organisation.
Often the face of an organisation’s infosec operations, the CISO is expected to interact with outside actors, including regulators, policymakers, and law enforcement agencies.
As organisations become more digitally native, the CISO's role needs to evolve from tactical to strategic, from being a pure technologist to being a business enabler first.
Proofpoint revealed that adopting hybrid working policies and cloud tools has made organisations more vulnerable to cyber threats, with 44% of chief information security officers (CISOs) in Singapore reportedly seeing more targeted attacks in 2022 since enabling widespread remote working.
According to its latest 2022 Voice of the CISO report, CISOs in Singapore see cloud account compromise (e.g. Microsoft 365, Google Workspaces) as the second most significant threat targeting their organisation. Even with a reported improvement in cyber preparedness, employee security awareness, and frequency of cyber training, 64% of CISOs in Singapore have a higher risk perception of an imminent attack.
Who’s the boss?
While CISOs have often traditionally reported to the CIO or CTO, Yvette Lejins, resident CISO for APJ, Proofpoint, opined that these days CISOs are positioned as peers with the CIO and are working much more closely with the C-Suite to contribute to the overall data protection for the business.
“When a CISO does not have that peer relationship with the C-suite they lose the influence they need to undertake their role successfully. To be most effective in an organisation it needs to be a highly collaborative relationship with the CIO – the roles are not mutually exclusive,” she continued.
The Proofpoint study noted that while 51% of CISOs surveyed globally concede that they saw eye-to-eye with their board leaders, including CIOs, such is not the case in Singapore where only 16% of CISOs feel that they have this perceived alignment.
Whose job is it?
Lejins acknowledges that the CIO’s role is mainly to plan the business’ information technology (IT) initiatives and to develop a long-term strategy on how to integrate IT into its growth and operations.
“On the other hand, CISOs are business and technology specialists who are responsible for enhancing the business’ cyber security posture, focusing on data protection and security,” she added.
Asked how conflicts between the two roles can be prevented, or resolved when they inevitably arise, Lejins commented that CIOs use technology as a tool to enable things such as employee productivity and business growth, while CISOs are charged with how technology, process and people should be governed and used correctly to mitigate security or data loss.
“This is why, to be effective in their responsibilities, CIOs and CISOs need to foster a close working relationship and focus on their key priorities and take action accordingly,” she continued.
The CISO influences beyond security
According to Lejins, CIOs are developing new skills to deal with the increasing business risks they face, whether financial or project-related, but they may not necessarily be well-versed in dealing with cyber risks.
She added that to meet the demands of the market, CIOs often need a supporting system that understands not just cyber security infrastructure on a technical level, but also the business challenges and how to navigate them.
This is where the CISO comes in, as the person best positioned to manage and enhance preparedness for dealing with cyber security risk.
"In a world of increasingly sophisticated cyber threats and attacks, security strategy must be more tightly integrated with business strategy, especially as data breaches are extremely costly and impact the overall business, so IT security should always be aligned and integrated with other business functions," she opined.
Proofpoint research found that the top three areas for IT priorities include providing information protection (39%), cyber security awareness (38%) and consolidating security solutions and controls (36%). This could differ from country to country, so CISOs should always consider building threat management programs which are holistic enough to cover business concerns.
The CISO’s boss
The answer is “it depends”. Lejins says that traditionally, CISOs have reported to the CIO. However, this has evolved rapidly alongside technology as business needs have weighed in technology's favour, with security being viewed as a necessary addition.
"To be an effective CISO, it is important to be a peer to the C-suites to properly advise, counsel, and execute strategies to manage risk. It’s quite a challenging space because CISOs need to be tightly integrated with what the business does and find that common ground with their C-level executives."
Yvette Lejins
Reporting security issues to the board
According to Lejins, CISOs need to tell the risk management story that is relevant to their business. It is important to clearly explain the human and business impact should a breach occur, rather than use scary stories of data breaches.
She posited that it’s important to articulate these concerns with the right metrics, focus efforts in the right areas, and ensure that a proper risk-based assessment is carried out. When considering cyber risk, Singaporean CISOs listed significant downtime, disruption to operations and loss of current customers as the top board concerns.
Build a good CIO-CISO relationship
"CIOs and CISOs need to understand each other’s boundaries and areas of expertise while having a common goal to protect their Very Attacked People (VAPs). People remain the biggest risk factor for businesses as most cyber attacks require human intervention and interaction," she added.
Proofpoint’s 2022 Voice of the CISO report revealed that 44% of CISOs in Singapore saw an increase in cyberattacks in the past year attributed to hybrid working.
"Both CIOs and CISOs need to have that same understanding of whom they are protecting, to have a good relationship with each other and be effective in their respective roles," concluded Lejins.
Click on the PodChat player and listen to Lejins describe some of the challenges faced by CISOs as they look to implement security strategies that
- Proofpoint has just released its 2022 Voice of the CISO report.
- What is the purpose of the report?
- The 2022 Voice of the CISO report is the second such report. What's different from the first report published in 2021?
- What would you say are the top 3 lessons/insights you can draw from it?
- Every major security vendor publishes security reports. A common theme of these reports is ever-increasing cyber threats. Specific to the current environment that we are in – the uncertainties that hang over us because of the pandemic, does remote work make organisations more vulnerable to attacks? Why?
- Since the start of the pandemic, we've noted an increase in the use of VPNs purportedly to mitigate against the risks of attackers using remote workers to attack the enterprise. How has this worked so far?
- Beyond increasing employee security awareness and preparedness, what more can be done to improve cybersecurity posture?
- Give three tips for the CISO to become more effective as (a) a business partner; (b) a champion of security for the organisation.
- What can CISOs in Singapore learn from other CISOs elsewhere?