Security & Boards: What should Boards expect of their CISO?
Carlyle’s latest Financial Services Breakfast Club Briefing was held in partnership with industry-leading threat detection specialist, ZoneFox. Our panel of experts (Jamie Graves, CEO ZoneFox, David Scott, CISO Standard Life Aberdeen and Marian Glen, Independent NXD) led a thought provoking discussion around the topic “Security & Boards: What should Boards expect of their CISO?”. Attendees included a range of senior executives and non-executives from Investment, Wealth and Asset Management, as well as representatives from wider Financial Services.
Who is the CISO?
The briefing began with a discussion around the role of the CISO, defined by one panellist as: “The role of the CISO is to protect the organisation and enable it to trade securely; a remit which includes the care of customers, clients, colleagues and shareholders.” The general opinion of the room was that the CISO is an Executive level position. As such, it has a clear strategic remit to ensure an organisation is both well informed and well prepared with regards to current and potential threats, managing the alignment (and enablement) of business functions in order to develop appropriate and proportionate response strategies.
It was also felt that a CISO is responsible for driving a proactive strategy towards security across all functions within a business. In order for this to succeed, the top-down promotion of an organisational culture which supports such an approach was seen as crucial. In addition, the group felt that the CISO agenda had to be clearly linked to key business objectives in order to gain traction across an organisation.
When discussing reporting structures, there was debate amongst guests, with the most common reporting line for the CISO being into the COO, though reporting lines to the CEO were not unheard of. In all structures however, guests agreed that the CISO role should have a clear degree of independence in order for it to function effectively as the bridge between technical operations / functions and the Board.
In regards to the career background of CISOs, there was a strong consensus that the role was a business leadership role first and foremost, which should be supported by prior experience in a relevant technical discipline. Although technical pedigree was therefore considered important, what was more heavily emphasised was the ability to operate effectively at Board level as a strategic business leader.
Communication is Key
The ability to communicate successfully with stakeholders at all levels, utilising the right language for each particular audience, was highlighted as a key attribute of a proficient CISO.
On one hand, at Board level, the CISO must have the ability to translate what are often complex technical matters into actionable insights that can be utilised in decision making, on the other, they also need the technical expertise to communicate with domain experts across the business and wider industry.
CISOs should be seen as an enabler, not a blocker, of innovation within an organisation. As one panellist commented, “The role of the CISO in this regard is to enable innovation to occur as seamlessly as possible.” The group agreed that the CISO being involved from the start of a project or particular piece of innovation to help shape direction was a benefit, mitigating the potential of either halting a project at an advanced stage or having to accept significant business risk.
Also discussed was the importance of clear lines of accountability across the business, with individuals adequately informed (and given specialist training, where appropriate) of their specific responsibilities within the security agenda. This was seen as crucial in determining an organisation’s ability to formulate an appropriate response strategy in the event of a breach, particularly with regards to communicating with the public and media.
Engaging with the Board
The group raised the point that Board members also have a responsibility to work out what they need to know and educate themselves to an appropriate level. As one panellist pointed out, “Boards are not averse to being educated on these topics, in fact, most are very open in this regard.”
A key point of discussion centred on the use of verbal and action based communication, such as the use of live response scenarios, as opposed to relying on purely written reports. It was felt that such methods of communication build greater trust and develop a deeper understanding of issues at both Board and wider business levels. Where written reporting is appropriate, the focus should be on delivering information in a consistent, concise format that avoids the temptation to ‘talk tech’, which is still the default in many businesses.
There was also a positive sentiment in regards to encouraging greater diversity of thought at Board level, especially from experts either within the business or in an external NXD or advisory role. Whilst it was felt that eventually these skill sets would mature and become an intrinsic part of Boards, there was recognition that more currently needs to be done to ‘bring the required expertise to the table’.
Across the Financial Services landscape, the rapid pace of change is the only constant, and cyber risk is now regularly listed as one of the top three threats facing businesses across all sectors. As a result, there is an increasing demand for sophisticated technology and skilled individuals at all levels to address this growing concern – a trend that is only set to accelerate. As well as ensuring there is adequate technological and personnel resource in place, the focus of businesses must also be on education and training. Security is no longer solely the concern of one function, but should be a fundamental part of the culture of an organisation and the way in which it conducts business.
As one panellist remarked in the closing discussion, “This doesn’t go away: this is now business as usual.”
Carlyle is an advisory Search and senior Interim practice whose work covers executive and non-executive mandates across the UK. Carlyle has worked extensively within Retail Banks, Challenger Banks, Life & Pensions and Investment / Wealth Management on a broad range of senior permanent and interim mandates, including CFO, Chair, Audit, Risk, CMO, Product and Digital & Technology. For more information regarding the Breakfast Club, please contact Rachel Bell, Head of Marketing, firstname.lastname@example.org.
ZoneFox locks down the Insider Threat by giving organisations the tools to rapidly and efficiently detect and respond to behaviours that are exposing sensitive data to loss, theft and mishandling. Smarter, faster, more advanced security decisions are enabled, reputation and the bottom line are protected. For more information on ZoneFox, please contact Lynsey Jenkins, Marketing Director, email@example.com.