Carlyle Board Series: The Vital Role of the CISO
Carlyle’s concluding Board and Risk dinner of 2018 was held in London this month on the topic “The Vital Role of the CISO”. The dinner was hosted in collaboration with Addleshaw Goddard and introduced by Philip Owen MBE, CISO at Tesco Bank and former CISO at IHS Markit. Guests included leaders from risk, compliance, IT and finance, as well as CISOs, CTOs, Chairs and NXDs from listed organisations.
There were two key themes that emerged throughout the evening: education and communication. The strong sentiment in the room was that despite the increasing prominence of cybersecurity on the board agenda, there is still a prevalent disconnect when it comes to boards’ depth of understanding and ability to articulate the importance of cybersecurity within their organisations. As one guest stated, “cyber is still seen as a dark art and something to panic over in many businesses”.
One of the key roles of the CISO must therefore be to “bring cybersecurity to life” for the board by linking it to business-critical issues: “when you relate cybersecurity to issues such as downtime, lost revenue, reputational damage or customer losses, it will get a board’s attention”. Utilising non-business “real life” examples (such as IoT-enabled appliances or virtual assistants such as Alexa) was also discussed as a potential tactic to make cybersecurity and its associated risks more tangible for board members. As a more direct approach, one guest described how his board hired a “Red Team” to test their security protocols. The team quickly and easily placed a contractor into the business who was able to gain access to internal passwords and break through what were previously considered robust security procedures. The immediacy and speed of this role-play had a direct effect on the board’s understanding of the potential threat.
Awareness and education regarding the internal threat also emerged as a topic of interest throughout the evening, and there was collective recognition that it is often employee actions and behaviour that represent the biggest risk to a business. Guests discussed the trend towards security teams engaging with psychologists to better understand what motivates people to behave in certain ways, and how best to mitigate this threat. Of note from an emerging talent perspective was the fact that eminent higher education institutions are now starting to offer courses which blend technical, business and psychology themes – all of which are crucial in developing both effective cyber talent and wider security functions.
The importance of clear, concise and informed communication was evident in the discussion, as guests debated the handling of recent high-profile cyber events with regard to press and public response. The consensus was that far too often such communications, especially in crisis situations, were mishandled, resulting in significant financial and reputational damage. In this regard, the CISO’s role in educating both the board and senior executives is critical in formulating a swift and appropriate response to such situations. There was strong support in the group for a dual approach, with CISOs educating the board in how to respond on a technical level, and communications agencies advising on how to engage on a “more human” level.
Sophisticated communication and stakeholder management skills sit at the heart of the CISO role. However, many CISOs who come from a technical background lack the ability to influence at board level, and there is currently a shortage of individuals who possess both the technical pedigree and the business acumen to effectively educate and drive the cyber agenda. It is becoming imperative for boards and CISOs to learn a new language, and because of rapidly increasing demand for cyber professionals and associated security expertise, organisations are having to break existing paradigms in order to secure talent at the requisite level. During the dinner, individuals with a military or intelligence background were highlighted as possessing skill sets, experience and networks that are particularly valuable in a CISO role; however, it was also evident that there is no clear route for such individuals to transition into a commercial position. In a business environment that is primarily characterised by constant change, there is a real opportunity for organisations to think creatively when it comes to the attraction, training and retention of cyber professionals. Such initiatives will be vital components of building security functions that act as enablers, not blockers, of innovation and growth.
As part of our ongoing event series, Carlyle hosts regular Board and Risk events for senior executives, non-executives and advisors in both Edinburgh and London. Previous dinner topics have included “Larry Fink’s Letter to CEOs – Businesses and Social Purpose”, “The Trust Economy and Technology”, “Financial Crime and Law Enforcement” and “Boards and Digital Disruption”. To learn more about upcoming events for 2019, please contact James Colhoun, firstname.lastname@example.org.