The language used in security, and the approach to it, have changed significantly in the past two decades. We talked to Rob Newby, Founder of Procordr, to hear how the security field has evolved from an isolated IT function into a business necessity, and how this has impacted the CISO role, particularly in terms of reporting and management.
Rob has worked with big names in the reseller and vendor markets, in enterprise and in Government. Companies he has worked for include Symantec, Vodafone, Aviva and Capita, with time spent in both technical and consultancy roles. Twenty-five years of professional experience in IT Security and Risk Management have given Rob a unique perspective on how effective cyber risk and maturity reporting can ease the growing demands being placed on CISOs.
How has the cyber risk industry evolved?
“The main focus used to be on securing IT. It was very low-level, usually tools-based with little thought given to process, almost independent from the rest of the business. Then the Government introduced regulations around risk management and treatment, which started the shift towards information security (infosec).
This placed a lot more importance on information rather than technology, which in turn meant more control standards and definitions around risk management. In March 2009, HMG introduced GPG13, the protective monitoring standard for information systems, which marked another broadening of scope for security professionals.
Cyber Security was coined as a phrase around 2014, as a useful way for non-practitioners to understand the wider scope they were now responsible for. The key change was that security had become more business-focused, bridging the gap between high-level business risk and the lower-level risks that security analysts would deal with on a daily basis. As a result, just as InfoSec had superseded IT Security, so Cyber Security superseded InfoSec by including threat detection, incident response, and disaster recovery.
A lot of businesses struggle to transition from IT Security or InfoSec models, which can result in weakness to cyber attack. That’s why organisations like RiverSafe and Procordr exist, to help companies build more advanced Cyber Security strategies and support them to integrate these practices into the wider business.”
How has this shift affected the CISO role?
“With the rise of business-focused cyber security, the CISO role has also evolved from a very technical IT role to one that is more high-level and integrated with functions across the business. Threats are increasing all the time and so Cyber Security has been prioritised by many as a business-critical issue. This is even more marked because of COVID-19 and the respective rise in cyber threats.
Unfortunately, security requirements are not often well understood by the business. It is often assumed that because an IT Security department could run with one person working within IT, that a cybersecurity department can also run in the same way. This is not so.
Even with large teams below them to manage risk and address control changes, CISOs are expected to collect information from all areas of the business, understand the technical risk and translate this data into strategic business considerations for high-level reporting. At the same time, they are expected to be experts on every facet of security and get involved with incidents. Contexts switch for the CISO multiple times in a day, and it’s simply unrealistic to expect that to be sustainable.
These continual switches mean that the CISO role has become a more inefficient process than it needs to be, with cyber risk assessments taking months when they need to take days, for example, and cyber teams limited to four or five staff instead of the 25 or 30 they really require.
Ultimately, the average CISO is hugely overstretched, and organisations need to recognise what can be done to support them – such as outsourcing to external experts or ensuring budgets for staffing and tooling are sufficient, not just tied to a percentage of the IT budget.”
What are some key challenges for CISOs?
“When I worked as a CISO myself, I often felt that Security reporting procedures weren’t effectively communicating the right message to the people who needed to hear it. I worked directly with other Executives and Board members and soon realised that these groups didn’t understand, indeed they didn’t want to understand, our standard methods of reporting – namely technical KPIs and KRIs, as well as complex technical risks – and that’s why changes weren’t being implemented.
The quote I remember clearly was the CEO saying: “I want insight, not information”.
One problem I faced regularly was maturity assessments. Whilst incredibly useful indicators for the CISO, they take months to complete because so much data needs to be gathered from all around the organisation, they cost thousands to carry out, and ultimately end up out-of-date almost instantly.
Being closer to the decision makers was a direct result of Cyber Security’s dramatic shift into business-focused risk. Whilst information was not expected to be reported directly, it still had to be up to date and understood in enough detail in case of deeper enquiries from technical executives, whilst simplified enough to inform business decision-making.
Combining these two facets created a very complicated environment for the CISO to operate within. It’s no coincidence that mental health is a prime topic of discussion for CISOs, with stress stated as a factor for their high turnover rate – the role still has the shortest tenure of any C-level position, and in fact it is getting shorter.”
What requirements should CISOs have?
“The data CISOs require comes in a myriad of different formats and from different departments, such as IT, HR and Operations. If this wasn’t already time-consuming enough, accessing this data can often be a challenge. Additionally, as Cyber Security is often a relatively new or immature department, it doesn’t always have the required metrics available.
CISOs need to collect this data and map it against the high-level business landscape and C-suite concerns. For example, they need to see an end-to-end evaluation of a threat that goes beyond just cost, such as whether the cost of accepting the risk outweighs the cost to remediate, if the development of a new process can fix it, whether it requires urgent action, and more.
Currently tools don’t have this capability, or it’s too low level, and gathering the raw data manually results in lengthy timelines.”
How can tools help CISOs?
“There are several tools out there that can help CISOs manage their data, but many go too low-level to be useful in the wider business context.
Procordr fixes this issue, giving CISOs management insight over security processes. We allow the CISO to delegate data collection and provide a continuous maturity assessment across your whole estate without the need for expensive one-time consultancy. The output isn’t just maturity scoring, but all the associated business impacts, such as cost, changes to personnel, tools you should implement, and where to prioritise hiring investments.
Once you know where your gaps are, Cyber Security or data management experts like RiverSafe can also provide consultancy to implement the right structures and processes throughout an organisation, so everything works more cohesively towards the same business goals.
Ultimately, the CISO role has developed massively, and most people in this role have been given exponential amounts of responsibility without the training or support to evolve alongside their role. Being able to delegate this work is the first step in easing this transition.”