Today’s organizations are composed of a mesh of third parties and individuals, plus thousands of IoT devices, all with varying degrees of access to data and systems. Remote working has added to this fragmentation, with a dispersed workforce operating from geographically dispersed home offices; a very different environment to the comfortable security of the corporate office block.
If a malicious attacker in one part of the world can shut down a factory or a port thousands of kilometers away, or bring down a global bank’s customer website, then cyber security must adapt to these threats. Abid Adam, Group Chief Risk and Compliance Officer, Axiata, emphasizes that “It’s about more than your own organization; the fabric of nations, of society at large, can be threatened and undermined if a large telco goes down for a couple of hours. We need to embed security by design and achieve broader resilience.”
As the pandemic demonstrated, resilience is a big topic — and CISOs and their teams should be involved in response planning and business continuity, to help ensure organizations can react and recover to cyber incidents, as part of a holistic, cohesive strategy.
All of which extends the CISO’s responsibilities to digital and operational resilience. Data has become the new oil, arguably more valuable than physical assets, as Maersk CISO Andy Powell comments: “We need to become a digital business — a digital business that moves boxes, rather than vice versa. The bigger markets come from customer-facing digital platforms.” But an ever-greater reliance on data puts additional pressure on CISOs to protect this precious resource.
Meanwhile, privacy regulation is growing into a complex web of transnational obligations, with regulations such as the General Data Protection Regulation (GDPR) in Europe setting requirements for how individuals’ personal information is handled well beyond that geography. Information leaks can impact a company’s reputation, lead to fines and other sanctions, requiring the CISO to work in partnership with the Chief Data Officer (CDO) and Chief Privacy Officer (CPO) to manage the risk of non-compliance.
It’s a similar story with resilience. The proposed European Digital Operational Resilience Act (DORA) will oblige financial services companies to demonstrate their ability to maintain resilient operations in the face of severe operational disruption.
Cyber security teams should focus on data and resilience issues. Embed the principles of privacy and culture of security, and they will be well placed to meet compliance obligations, now and in the future.
Developing new skills and networks
Addressing the challenge
As the scope of their role broadens, CISOs must consider how they work with other data and resilience executives, and how they adapt to their new responsibilities — formally or informally.
Embedding digital resilience
There is a confluence of the roles of CISO, Chief Risk Officer (CRO) and the Chief Security Officer. As cyber security matures, expect increasing technical security controls embedded into the CIO’s processes, with many CISOs taking on a more strategic role that fits less comfortably with their traditional reporting line to the CIO. Some of the CISOs KPMG professionals spoke to have taken on the emerging role of Chief Resilience Officer; this is a new corporate position that takes a holistic view of the organization’s resilience to all forms of stress or disruption, malicious or accidental.
Resilience is about engaging in conversation about the business impact of an outage, and how we plan for these events. This becomes an interesting conversation, because redundancy costs money, so how much are you willing to invest and is this worth it to prevent downtime?
This resilience role brings together diverse disciplines such as business continuity, disaster recovery, information and physical security, alongside incident and crisis management.
Others regard this as a step too far, seeing the role as diluting the necessary focus on cyber security, with a combined role of CISO and Chief Resilience Officer being too demanding for a single individual. Emma Smith, Global Cyber Security Director, Vodafone, concurs with this approach, saying “The risk areas covered in security, privacy and resilience are broad. Leading the strategy and managing the operational aspects of all these functions can require different approaches and sometimes these areas may conflict. We believe there are business benefits from keeping the functions organizationally separate, strategically aligned and with true collaboration.”
There are two points when you can try to solve a problem — before or after it occurs — and my job is to solve it before! Alongside this, we regularly look at worst-case scenarios and make an assessment of what the impact would be on our organization. We seek to always be prepared for extreme risks. Our approach is to assume that these events will happen and to ensure that SWIFT is as resilient as possible.
As every business becomes a data business, the debate continues over the limits of personal data exploitation and privacy. Companies want to make the most of data, which means being free to mine and share information with third parties. But they also have to preserve data integrity and meet regulatory standards. In companies like Maersk, the CISO enjoys a close relationship with the Chief Data Officer (CDO), where the latter sets data standards and the CISO builds tools to help assure data, with the Chief Privacy Officer (CPO) or Data Protection Officer (DPO) helping assure regulatory compliance.
Combatting fraud and financial crime
CISOs can bring unique insights into the mind of the cybercriminal and the tactics they employ, as well as their own contacts and relationships with national cyber security, threat intelligence and law enforcement bodies. These skills and insights are vital to the fight against fraud, working closely with fraud prevention teams (another key partnership) to counter cyber-enabled crime.
Broad-minded and collaborative
With more on their plates, many CISOs are becoming collaborators, building symbiotic relationships with the CDO, CRO, CTO, CIO and others. But to make these relationships effective — and to take conversations out of silos — there should be defined responsibilities and a clear governance structure to avoid duplication, along with a willingness of all parties to recognize each other’s strengths and unique contribution to business success.
A broader role also calls for a broader mindset, to try to appreciate the full business impact of cyber incidents. CISOs are moving beyond protect and detect, to understand how to get the business back up and running quickly after a crisis — as well as helping the CEO preserve trust with customers, suppliers and regulators.
Whether they take on the role of Chief Resilience Officer, or work more closely with this person, they should adopt a pragmatic, business-minded approach while retaining their own integrity and professionalism. Many organizations possess huge amounts of new and legacy data; managing this requires extensive collaboration between the CISO, CDO, CTO and Chief Data Privacy Officer (CDPO), both to use data to drive growth, and to keep it secure and private.
This is especially the case for global companies in an increasingly fragmented regulatory landscape, with different jurisdictions applying strict rules on usage of data emanating within their borders or derived from their citizens. CISOs have a key part to play in helping to automate regulatory compliance, tailoring controls to different national requirements, and streamlining reporting. Of course, we can also expect to see a growth in the use of supervisory technology (suptech) by regulators too.
Industries are being disrupted and CISOs must have a view of the changing ecosystem, or else face obsolescence. Telecoms, for instance, used to be about getting a phone connection; now there’s more concern over digital fraud from online banking apps. Cyber security professionals should adapt to these and other new challenges — like data and resilience — to take a high level view of risks across the business.