The evolving role of the CISO in line with executive management expectations – Roundtable

Participants:

Jan De Blauwe, COO & Managing Director NVISO
Fabrice Clément, Director of Security Governance & Investigations Proximus
Marc Vael, Platform CISO Packaging & Color Management at Danaher Corporation
Claudio Bolla, Group Information Security Director INEOS
Moderator: Georges Attaya, Solvay Brussels School of Economics and Management

The bottom line for CISOs or other top people responsible for cyber security is to have communication lines with top executive management and the company’s board level. It is important to regularly communicate with the latter (e.g., at least once or twice a year).

The message of the CISO must be in tune with the background and expertise of their executive and board audience. Even if the people at board level do not necessarily have a technology background, they quite often are tasked with specific fields of interest, possibly technology/security related subjects. Of great help is for CISOs to have an executive sponsor, helping to establish a link with the board. Your communication with top executives and board members must fit their top of mind concerns, and for yourself, you must determine what you want to get out of meeting. Do understand that it’s the duty of the board to make strategic decisions in order to strengthen operations, and reduce risks to the company by enabling appropriate measures. They must see the benefits of investing in cyber security.

How to inform?
A CISO can include in his communication elements as updates on threats, new aspects of the cyber security landscape, constraints (e.g., new regulations) and updated security plans. Make every communication into a kind of ‘training’ for executives and board members, by making them understand the cyber security landscape. Keep their attention going by ‘storytelling’: make it real, e.g., by referring to incidents published in the press. Use clear language (e.g., no acronyms). A final element concerns the budget. Don’t go into details about spending items, but ask for an envelope, to implement security objectives.

It certainly helps if the company’s sector already has a security and/or safety tradition (e.g., banking, telecom, chemical…). Increasingly, it is necessary and possible to establish a link between operational security (e.g., production systems) and information security (e.g., billing systems), stressing the need for a comprehensive/holistic approach. The use of metrics may help, but facts often are more useful. Make clear what are the risks to the business (important in risk sensitive/risk averse industries). What would be the impact on business in case of an incident? It is important that board members can make company/business decisions based on your info. Ultimately, a relationship of trust must be created, and the purpose of communication should be to instill a cyber security culture throughout the company, top to bottom.

Be accessible!
Above all, as a CISO, be available at anytime to top management and board, in case of questions (or problems)! Any question is a good omen, as it proves interest. And do expect the question: “Are we secure?” Answer this question in function of the business interests, and draw a roadmap for a more secure business operation (particularly in view of new or acute threats, e.g., ransomware). Actually, what they really mean is “What is sufficient expenditure to be secure?” Or better, nowadays: “How much must we spend to bring value to the company?” Also, questions may be raised about security throughout a value chain (e.g., security posture of suppliers…). And yes, do expect questions about cyber security difficulties the board members themselves experience!