[This article was first published in The International Banker]
The role of Chief Information Security Officer has always had some thankless aspects attached to it. The board generally understands little about cyber security and gives you limited support. You can’t answer with certainty questions such as “Can you guarantee that an Equifax, Capital One or Desjardins type of event will never happen to us?” because an organization can never be 100% secure. You are the one responsible for protecting the organization daily, and yet you are the first person to get axed when a major incident happens.
However, there are generally positive aspects to the position that outweigh the downsides. CISOs have a sense of purpose, learn new skills continuously, and the job is exciting.
But holding the CISO position in a bank is becoming less and less attractive. In effect, CISOs are losing the levers they need to do their job, with their roles and responsibilities increasingly diluted across the organization. CISOs also spend an increasing amount of time being held accountable and justifying themselves rather than actually doing their job of securing the organization. They are being squeezed.
Four factors explain this.
1/ Cyber security regulations
As more cyber regulations such as the NYDFS Part 500 in the state of New York, USA, or the Cybersecurity Act 2018 in Singapore are promulgated, a substantial part of the CISO’s job shifts towards compliance. Cyber regulations are great for securing budgets, and they generally help improve the security posture of the organization. However, they can be perceived as a distraction, because compliance remains a primarily checklist-driven process: you can “technically” be compliant and still have major security risks unaddressed. Also, Legal & Compliance want to have a say in everything that you do.
2/ Creation of new functional roles
Due to the pressure from imaginative external auditors and regulators in recent years, institutions have been creating transverse roles such as Chief Data Officer, Chief Privacy Officer and Head of IT Risk Management, whose missions look clear in theory and in isolation, but in practice bring confusion and dilute some of the responsibilities of the CISO. For instance, NIST is developing a privacy framework that clearly shows a functional overlap between the cyber security and privacy domains.
It is the same with IT Risk Management. Too often, the IT RM lead will not report to the CISO, creating unnecessary overlaps and frictions within the organization around IT-heavy security processes such as vulnerability management, critical asset management and incident management.
3/ Multiplication of audits, reviews & exams
The same pressure mentioned above is also leading to an inflation in the size and responsibilities of the second and third lines of defense with regard to cyber security activities. It is now common for Internal Audit teams to have dedicated resources focusing on cyber security, often former IT auditors trained in cyber security. The same is true of the second line of defense. Those teams must keep themselves busy to justify their existence, so more frameworks are created and more audits and targeted reviews are performed, increasing the stock of cyber security findings. Again, those findings generally make sense and aim at improving the security posture of the bank. However, the CISO must devote significant resources, with an inflated sense of urgency, to closing those internal recommendations as well as the MRAs/MRIAs from regulators, while other priority topics may remain unaddressed. This process can become frustrating, as the CISO spends almost more time being held accountable than actually doing his or her job, and has to work in a reactive rather than a proactive mode, constantly chasing the train of security priorities instead of driving it.
4/ Competing imperatives
Finally, almost all the investment banks are cutting costs. CISOs must contribute to those cuts while at the same time strengthening the security controls and improving the cyber resilience of the organization. This is possible when the organization has already reached a certain level of maturity. Otherwise it’s like trying to square the circle, and it only adds to the frustration of the CISO.
How to address those growing frustrations
In the face of those organizational challenges, the CISO needs to be re-empowered. It should be made clear to everybody that the CISO has the final say in *everything* about information security.
Data security controls in general, and data loss prevention controls in particular (whether the data include personally identifiable information or not), should remain a core cyber security responsibility. The same goes for Technology Risk Management, a key component of overall Cyber Security Risk Management.
The CISO should set the security priorities for the organization. Those priorities can be challenged by other teams, including the 2LOD and 3LOD, but ultimately it should be the CISO’s responsibility to prioritize the security initiatives and drive the agenda.
The engagement model between all the security actors should be formalized, both in principle and in detail, for processes such as Security Incident Management, Data Security, Vulnerability Management, and Security along the software development lifecycle (SDLC).
As for the budget cuts, the CISO should present explicit trade-offs to the lines of business: “with this amount of budget you will maintain your security risks at that level of residual risk, corresponding to that amount of potential losses”. It is complex to build a financial model of cyber security and to achieve a granular view, by line of business, of the coverage and efficiency of the security controls along the cyber kill chain, but these are necessary steps to drive strategic conversations at the executive level.