No longer the Secure CIO

Why I’m no longer simply striving for a Secure CIO (from the author of ‘The Secure CIO’…) 

A few years back, I wrote a book called ‘The Secure CIO’ (you can buy it here!). Given that about 75% of security leaders were reporting to CIOs at the time of writing, I focused my consulting business, my book, and subsequent podcast of the same name, on advising CIOs on how to select and retain the right cyber security leader to reduce risk for their organisation. I aspired to make every CIO a secure CIO (meaning they had a CISO or equivalent by their side). That was then. But this is now. My thinking has evolved: hiring and retaining the right cyber security leader is no longer enough. For the CIO, handing the cyber reins to an incoming CISO or Head of Information Security seems like a great idea. For most it would mean far fewer midnight sessions writing or editing cyber board papers. It could also mean practically no mopping up of security-related audit items or fending off security vendors. Winning! Right?

While all of these remain valid pain points for a CIO to resolve by hiring a dedicated security leader, what we actually need is the Board to set the expectation that everyone is responsible for security and everyone is to act securely. Such visible commitment from the Board would in turn ensure visible commitment from the Executive. As security leaders, we keep banging on about how security isn’t an IT problem. So taking the pressure off the CIO by hiring a security leader is not sufficient to reduce risk to organisations. It simply shifts cyber responsibility to yet another leader in the tech team. I know you’re thinking that I’m about to talk about alternative reporting lines for the CISO but that doesn’t solve it either.

What we need is for the Board, the Executive and Senior Leaders to understand enough about cyber and the role they must play in making risk-based decisions to support the CIO and CISO’s strategic imperatives. Or if they plan to challenge them, they do so from an educated position. We need the Board to feel confident that security has been considered in every project, program, M&A opportunity and funding request. We need organisations to seek independent advice to support the CISO’s position on risk, threat and the effectiveness of controls. And most of all, we need all leaders in an organisation to have access to independent security advice in order to protect their critical information assets (because they have identified them) and feel confident they are playing their part in their organisation’s cyber resilience.

I’m not saying CIOs shouldn’t hire CISOs or equivalent security leaders. I can’t think of any circumstances where a dedicated security leader is a bad idea. What I am saying is that the focus needs to be on educating the Board if they are to set the cyber expectation for the broader organisation. All Board members and Executives would benefit from being able to speak with confidence and certainty about cyber risk.

If your Board are not walking the talk when it comes to cyber security, then what do you need to do to change that?
