By Sébastien Meunier, Director, North America, Chappuis Halder & Co.
The role of chief information security officer (CISO) has always had some thankless aspects attached to it. The board generally understands little about cybersecurity and provides limited support to you. You can’t answer with certainty questions such as “Can you guarantee that an Equifax or a Capital One type of event will never happen to us?” because an organization can never be 100-percent secure. You are the one responsible for protecting the organization daily, and yet you are the first person to get axed when a major incident happens.
However, there are generally positive aspects of the position that outweigh the downsides. CISOs have a sense of purpose and learn new skills continuously—and the job is exciting.
But holding the CISO position in a bank is becoming less and less attractive. In effect, CISOs are losing the levers to do their jobs as their roles and responsibilities are being increasingly diluted across the organization. Also, CISOs spend an increasing amount of time being held accountable and justifying themselves rather than actually doing their job of securing the organization. They are being squeezed.
Four factors explain this:
- Cybersecurity regulations
As more cybersecurity regulations, such as the NYDFS Part 500 in the state of New York or the Cybersecurity Act 2018 in Singapore, are being promulgated, a substantial part of the CISO’s job is shifting towards compliance. Cyber-regulation is great to secure budgets and generally help improve the security postures of organizations. However, it may be perceived as a distraction, because it remains a primarily compliance-driven process: you can “technically” be compliant and still have major unaddressed security risks. Also, the legal and compliance departments want to have a say in everything that the CISO does.
- Creation of new functional roles
Due to the pressures from imaginative external auditors and regulators in recent years, institutions have been creating transverse roles such as chief data officer, chief privacy officer and head of IT risk management, the missions of which look clear in theory and in isolation but bring confusion and dilute some of the responsibilities of the CISO in practice. For instance, the NIST (National Institute of Standards and Technology) is developing a privacy framework that clearly shows a functional overlap between cybersecurity and privacy domains:
It is the same with IT (information technology) risk management (RM). Too often, the IT RM lead will not work under the CISO, creating unnecessary overlaps and frictions within the organization along IT-heavy security processes such as vulnerability management, critical-asset management and incident management.
- Multiplication of audits, reviews and exams
The same pressure mentioned before is also leading to the inflation in size and responsibility of the second and third lines of defense (2LOD and 3LOD) functions with regards to cybersecurity activities. It is now common for internal audit teams to have dedicated human resources focused on cybersecurity—often previous IT auditors trained in cybersecurity. This is the same with the second line of defense. Those teams must stay busy to justify their jobs, so more frameworks are created, and more audits and targeted reviews are performed that increase the stock of cybersecurity findings. Again, those findings generally make sense and aim at improving the security posture of the bank. However, the CISO must focus significant resources, with an inflated sense of urgency, on closing those internal recommendations as well as the MRA/MRIAs (matters requiring attention/matters requiring immediate attention) from regulators, while other priority topics may remain unaddressed. This process can become frustrating as the CISO spends more time being held accountable than actually doing his/her job and has to work in a reactive instead of proactive mode, constantly chasing the train of security priorities instead of driving it.
- Competing imperatives
Finally, almost all investment banks are cutting costs. CISOs must contribute to those cuts while at the same time strengthening the security controls and improving the cyber-resilience of the organization. It’s possible to achieve this when the organization has already reached a certain level of maturity, but otherwise, it’s like trying to square the circle and only adds to the frustrations of the CISO.
How to address those growing frustrations
In the face of those organizational challenges, the CISO needs to be re-empowered. It should be made clear to everybody that the CISO has the final say in everything about information security.
Data-security controls in general and data-loss-prevention controls in particular (whether they include personally identifiable information or not) should remain core cybersecurity responsibilities—as should technology risk management, a key component of the overall cybersecurity risk management.
The CISO should set the security priorities for the organization. Those priorities can be challenged by other teams, including second and third lines of defense, but ultimately, it should be the CISO’s responsibility to prioritize the security initiatives and drive the agenda.
The engagement model between all the security actors should be formalized both in principle and detail for processes such as security incident management, data security, vulnerability management and security along the software development life cycle (SDLC).
As for budget cuts, the CISO should present explicit trade-offs to the lines of business: “With this amount of budget, you will maintain your security risks to that level of residual risks corresponding to that amount of potential losses”. It’s complex to build the financial model of cybersecurity while achieving a granular view, by line of business, of the coverage and efficiency of the security controls along the cyber kill chain, but these are necessary steps to drive strategic conversations at the executive level.