Member News | 19.12.2018
James Colhoun (Head of Board Practice, Carlyle) met with Robert Hayes (Non-Executive Director and Strategic Advisor, former Head of UK National Technical Assistance Centre, UK Government and former Microsoft Executive Cybersecurity Advisor for EMEA) to discuss the evolution of the cybersecurity agenda, the changing role of the CISO and how boards need to adapt their cyber strategy in order to adequately address the current and future threat landscape.
How can the cybersecurity agenda be positively positioned to a board?
Over the last five years I have seen a notable change in the way effective CISOs are engaging with their board on cybersecurity issues. In the early days of cyber being on the board agenda, the messaging from cyber professionals tended to be binary; either the organisation was doomed without large scale investment (and probably still doomed even then!) or everything was okay and there was no need to worry. In my role as Microsoft’s Executive Cybersecurity Advisor for EMEA, I saw both approaches used; neither satisfied members of the board, who found an easy response was simply not to engage with the issue and delegate it back down to the CIO as a “technology problem”.
I am now seeing a new generation of CISOs who are positioning effective cybersecurity as a business enabler, or accelerator, and making ROI a primary focus in their proposals to boards. This approach is not only showing a far greater success rate, but is also raising the profile of the CISO within organisations – changing the role from one of passive implementation to strategic leadership.
Cyber professionals should be asking themselves: “What is the competitive advantage that can be gained from our security position?”. They should be able to articulate the positive benefits to their business of developing a secure infrastructure that is designed around integrity and trust. Such benefits might include: more freedom to innovate; enhanced strategies for new product development; and the ability to adopt revenue enhancing technology with greater speed.
What qualities make a good CISO?
Traditional IT functions were often seen as blockers by other functions within a business. The traditional answer from security and IT professionals to any question can be characterised by control on top of control. The fact that this rarely tied into an organisation’s risk appetite added to the frustration felt elsewhere in the business. Today, leading and progressive security professionals are now asking: “If you want your business to transform, what level of security and risk can you tolerate?”.
A good CISO will intuitively understand this boundary and be able to position it to the board and senior stakeholders. Cyber is a frame around which commercial dialogues are painted, and this dynamic clearly informs the new skill sets required in a CISO.
The skills sought in a CISO have to be assessed within the context of each specific organisation and should have cognisance of the skills profile of other members of a senior leadership team. The gap that I see is actually more around a board’s ability to assess the boundary between risk tolerance and security, and consequently to assess the type of CISO they think that they want. Few boards are comfortable with the questions they need to be asking; this has been highlighted by the SEC in the USA, and regulators in the UK are now entering the conversation. I remain surprised at the lack of cyber professionals being hired as non-executive directors, and the lack of cyber sub-boards being established.
There is also a clear gap in the historical education and training that many current security professionals had access to. Many IT professionals have had no management training and really struggle to make an impact within a senior team. Universities have also not been thinking about how to combine business and technical skills training – but there are some positive moves being made. Lancaster University, for example, has an MSc course in cybersecurity that marries IT, law, sociology and politics, which aims to better prepare graduates to perform effectively as part of a management team.
How do you solve the short-term skills gap?
In my police career I frequently acted as a Gold Commander in overall command of major incidents and investigations. Each Gold Commander would assemble a team of specialist advisors who would sit “on their shoulder” when required. These individuals would advise on components of the incident management, response and recovery, such as communications plans, stakeholder engagement, technical or tactical matters, and would also act as a conduit to third party agencies. It was clear that these advisors were not part of the command chain, but that their advice was qualified, with accountability for decisions remaining with the Commander.
I see real parallels to situations where boards need to consider cyber matters. Having someone who can guide the board on the right questions to ask both their own team and external parties (and who can also help check responses before they are committed into action) is something I hear many boards ask for. In an ideal situation this would be provided by non-executive directors, but the reality is that there are simply too few non-executive directors with the right profile of skills and experience to achieve this.
What is your experience of the interaction between cyber and risk?
I always ask clients where cyber features on their Enterprise Risk Register. If it features on the Register it will get the board’s attention, and action tends to follow. Sadly, it rarely features, and where it does Enterprise Risk Registers (from a security perspective) are often quite one dimensional, with a specific focus on loss of corporate data. Today’s threat landscape is characterised by attacks that are not necessarily targeting data: sometimes the intent is simply to disrupt. This risk is even rarer to find on a register.
What effect does cyber resilience have on valuation?
I have conducted a fair amount of due diligence for clients either pre-purchase or as part of M&A. My observation is that funders and purchasers do very limited (or no) cyber resilience due diligence, despite the huge inherent risk to a business from breaches and attacks. This really surprises me, as a purchaser could be moving into a massively compromised situation. My strong view is that far more due diligence should be done so businesses understand what they are really buying into.
How is the financial services sector responding to cybersecurity?
The larger banks have had to step up to the plate on cyber resilience. Regulation dictated that they were early to the game. Most large financial services institutions would admit they spent unwisely around security in the first instance. They threw money at a myriad of point solutions, but couldn’t correlate results due to an excess of data. The intersections between multiple security programmes have also proved to be a clear vulnerability. More recently, many banks have moved to simplify their security ecosystem to a much smaller pool of vendors operating to common standards. In the near future I see vendors having to offer solutions across the “Protect, Detect and Respond” domains rather than the point specific solutions which many offer today.
What defines success in a cyber strategy?
Success is not about prevention per se. There is an economic and often political imperative for attackers; they are determined, resourceful, capable, and they will not be going away. Even the best defended organisations will be vulnerable to a determined attacker, particularly as many attacks are vectored through unwitting staff or third parties. A more realistic aspiration is to detect an attacker entering a network in near real time, remove them promptly, and recover back to business as usual in hours, not days. As the current norms are around 200 days from entry to discovery, 30 days to remove, and 60 days to recover, it is not difficult to see how reducing these times is a better measure of success.
Boards should not only ensure that their organisation has a robust strategy regarding how to respond to an incident, but should take an active role in exercising that strategy. There is clear evidence that businesses who exercise regularly using realistic threat driven scenarios respond and recover far more quickly than those that don’t. Unfortunately, I see many organisations that have a plan, but have never properly tested it, panic and get it wrong in the aftermath of a breach and under the spotlight of press and public scrutiny. I would argue that the organisations who are remembered for falling victim to a cyber-attack are remembered because they got the human, not the technical, elements of the response wrong, leaving customers, regulators, investors and shareholders in the dark or misinformed. There are plenty of “how to” guides issued by governments and academia on handling an incident, but most businesses do not invest enough time or resource into planning how to respond on a human level.
Again, there is clear evidence that having someone either on the board or supporting the board through the different phases of responding to a cyber-attack makes a demonstrable difference.
The market has seen an exponential rise in the number of CISO and senior cyber / information security hires over the last 18 months. The candidate pool of CISOs who combine both technical and business acumen with the ability to concisely articulate a message to the board is however limited, and in constant demand, which has resulted in inflated salaries and shorter tenures. Given the rising demand for talent, a substantial number of businesses have appointed internally, taking a calculated risk on individuals who may have the core technical skills required to undertake the role, but who are unproven at board level.
The interim market is particularly active. Businesses are increasingly choosing to appoint an interim specialist who can deliver tangible impact at speed. Such interim hires often occur whilst boards are working towards defining the skills and experience required for a permanent CISO role, and can be instrumental in enabling businesses to keep pace in a rapidly evolving environment.
In addition to new appointments, organisations are now also having to consider more carefully how to retain their CISOs (and other cyber security professionals), as career advancement outside of this specialism is often unclear. Boards are also beginning to open a dialogue about hiring non-executives with specific cyber credentials, but few have taken the leap, although there is a rise in the creation of technical or cyber sub-boards.