Cyber security awareness in the C-Suite is growing with each major breach, and there's more talk than ever of CISOs having a seat in the boardroom, or at least an ear that listens closely to them. This higher profile also has CISOs more focused than ever on how security risks are managed, policies are followed, and cyber intelligence moves throughout their organizations.
With that backdrop, there's no time like the present to consider cyber security risk management and governance through the eyes of our Q&A series, The CISO Speaks, previous editions of which have explored issues such as cyber security innovation, staffing challenges, and application security. This month, Dan Glass, CISO at NTT Data Services, and former CISO of American Airlines, weighs in on topics ranging from how he prioritizes risks to getting more support from the boardroom.
What follows is a lightly-edited transcript from my email interview with Glass:
TK: What do you see as the top risk management issues facing CISOs, and how are those issues prioritized?
DG: Many factors go into how risks are prioritized and treated: company size, industry vertical, and regulatory requirements to name just a few. While I can’t speak directly to specific risk factors faced by any company I’ve worked with, I can say that there is a lot of overlap in threats, outcomes, and risk statements. However, how those risks are treated varies greatly. For example, I don’t think it’s any secret that availability of systems is a top priority for airlines (see the British Airways outage from May 2017). However, for an IT services company data security and privacy are top concerns. These “existential risks” can drive a company to ruin if untreated.
That isn’t to say that data security and privacy aren’t important for an airline, or that availability of systems isn’t important for an IT Services company, but their weighting is different, which drives focus and investment.
So, to answer the question, it's about trying to balance the priorities of the business (such as ensuring uptime for an airline or data security for IT services) with the need to “do it all" (ensuring data security for an airline or uptime for IT services). This is probably the top risk management issue CISOs face as they prioritize their time and expend organizational resources.
TK: How does that inform your cyber security governance efforts?
DG: I think I should take a moment to define the term “cybersecurity governance” before answering the question. In my world, there are two flavors of governance: oversight of the cybersecurity program by some sort of committee or board; and oversight of how cybersecurity controls (such as policies, standards or procedures) are being administered by the security group, IT, and the business.
With that definition out of the way, risk management priorities absolutely drive governance within the organization. Typically, the governance body will focus on the enterprise-wide prioritized cybersecurity risks. On the flip side, the cybersecurity program will focus on those same risks when measuring program compliance.
TK: How do you build and expand upon the cyber security awareness and effectiveness of your board?
DG: A few tips when talking to the board and senior leadership about cybersecurity risk:
Stick to facts. No hyperbole, no FUD.
Don’t be technical. Speak their language (hint: it’s business).
Focus on how your funding proposal will lower the strategic enterprise cybersecurity risks.
Don’t ask for more than you need, and if you get it, deliver. One of the quickest ways to erode trust with senior leaders and board members is to ask for a lot of money and then not deliver on your promises.
TK: How closely do you work with business leaders, and to what extent are they looped in on cybersecurity decisions?
DG: In my current role as Corporate CISO I work much more closely with internal groups, such as IT, Finance, Legal, HR, and others. The person that interacts with the “vertical” business groups (the ones that interact with our customers) is our “Delivery CISO.” Our relationship is extremely close as my program serves as the test bed and center of excellence. In prior roles, I worked extremely closely with business leaders. They are key stakeholders in any cybersecurity governance program. They help determine risk levels, can point out bad assumptions in the cybersecurity risk priorities, and can sponsor security initiatives to lower specific risks.
TK: What do you see as the advantages or disadvantages of having a CISO report directly to the CEO instead of to the CIO or CFO?
DG: There is no right answer here. As with everything else in this space there are many factors that go into where the CISO reports. Factors such as industry vertical, company size, regulatory scrutiny, board oversight, company politics, and the leadership maturity of the CISO all can be factors in this decision. I do think there are synergies that can be achieved by having the CISO report into IT or technical operations, but inherent conflicts of interest can appear if not actively managed. As for reporting anywhere else, I would say a CISO reporting to a CEO could work in certain circumstances.
(Editor's note: Glass opted not to share whom he reports to at NTT Data Services, but he said he's accountable for the security of all corporate networks, systems and data.)
TK: What tips or words of advice would you offer other CISOs looking to ramp up the effectiveness of their risk management and governance efforts?
DG: Choose and use a framework to build your program around. I’m a big NIST Cyber Security Framework fan. A framework gives you a checklist of things to go do and programs to build and run.
Once you have a framework, you’ll want to measure your maturity against each of the functions, categories, and sub-categories. I used the Capability Maturity Model to determine how mature our program was, breaking the analysis into people, process, and technology measurements.
Once you have a grasp of your program maturity you can start to overlay those results to your spending priorities to see if you’re focusing in the right area. Each program will weigh where their maturity goals are so you may actually find that you’re very mature in areas that aren’t as important and have low maturity in areas that are critical.
As for governance, poll your executive stakeholders with questions that reveal if your governance program is effective in communicating risks and changing priorities based on feedback. Also ask if information security is seen as a trusted partner, is addressing risks effectively, or is seen as the “department of no."
Another good way of measuring governance efforts is with an information security team assessment that gauges how well the organization is adhering to security policies, standards, and other policies. The resulting data can reveal whether certain policies are tough to comply with and if you have groups that aren’t “getting with the program.”