Cybersecurity Dinner 2015, New York
The combination of data ubiquity, decentralized control and sophisticated new underworld actors presents organizations with a perfect storm to be confronted by their information security leadership. Recently, the Egon Zehnder Cybersecurity Practice brought together ten executives on the front lines of these challenges — chief information officers, chief legal officers and leaders of global security consulting firms — to discuss their experiences. Their comments centered on the following four issues:
The maturation of the increasingly tough-to-fill CISO position
There is a well-established trajectory for certain functional leadership roles, from behind-the-scenes manager to high-profile specialist to boardroom advisor. The chief information officer and the general counsel both traversed that trajectory over the past decade, and the CISO is now doing so as well. Today's ideal CISO needs to be a strategic thinker who can go from leading a meeting of IT specialists to presenting to the board, and be highly effective in both settings. While this is good news for those who have pressed for an elevation of the role, it raises the bar in terms of the role's required competencies, further exacerbating an already acute talent shortage.
A shift from threat prevention to threat management
The profile of attackers has evolved from rogue hackers to sophisticated crime rings exploiting the vulnerabilities of e-commerce and nation-states stockpiling information on other nations' citizens. In this new environment, organizations now rightly assume that they are under constant attack, and that those attacks will often succeed. The goal then becomes developing and implementing strategies and response protocols that anticipate threats and minimize the damage: a far more complex task than merely acting as a defensive goalkeeper.
The expansion of the threat surface
As more and more of the interactions of contemporary life take place through digital devices and communications, there is greater opportunity for an organization's own members to pose inadvertent security threats by responding to suspicious emails, sharing inappropriate information online, leaving devices unprotected and taking other actions that increase vulnerability. (And the problem extends up the business chain to include employees of vendors and partners.) The solution isn't merely education, but altering behavior, a tall order because the behaviors that need to be adopted generally make the use of technology more cumbersome.
While great strides have been made in adapting to this broader attack surface, organizations often still find themselves catching up in terms of information security leadership capabilities. The urgency to do so is heightened because that attack surface will continue to expand through developments like the Internet of Things and electronic medical records, which further intermingle government, corporate and personal data networks, each with different sensitivities and usability requirements.
Structural evolution reflecting the priorities of a changing world
The maturation of the CISO role has ignited a re-examination of who that person should report to, a question that often has no obvious answer. But there is also another structural dynamic at work: Many anticipate that, in the same way that the strategic importance of the information security function caused it to stand on its own, the growing emphasis on privacy will lead to more chief privacy officers, charged with looking at customer privacy across the organization and managing the increasingly complex web of compliance issues in the absence of global standards.
Access the full paper Cybersecurity Dinner 2015, New York.