The C-suite is in for a sea change in 2018.
Given the mayhem perpetrated (and sometimes even disclosed) this year, things are going to change in 2018. Whether we're talking about the recent Uber revelation, or the world's cyber-elite meddling in elections, stealing data with impunity and infiltrating power grids--one change in particular seems like a safe bet: the rise of the chief information security officer, or CISO for short.
CISOs are newcomers to executive row. In many organizations, the CISO post still doesn't exist, or if it does, s/he tends to be tech-focused, reporting to the chief security officer or the chief information officer. With their fledgling C-status, the CISO's influence over how an organization prioritizes data security--and deals with it when it inevitably becomes an issue--is too often insufficient.
Going forward, this will change. Given the beleaguered state of business networks, CISOs clearly require more power and influence to make a difference. And, in fact, this trend is already under way.
Speaking about security at big financial companies, John Dickson, principal at Denim Group, an application security consultancy, told me that CISOs have started elbowing their way into the C-suite's uppermost tier, reporting to the board of directors and/or the CEO and/or the audit committee.
The high-profile cyberattacks disclosed in 2017 assure this trend will accelerate in 2018. It truly has been a banner year for botched breach disclosures, most recently Uber. The car-ride giant admitted to paying hackers $100,000 to hush up the compromise of personal records belonging to 57 million consumers and 600,000 drivers.
Meanwhile, Equifax is still reeling from its astounding breach disclosure in early fall. They, of course, were not alone: the U.S. Securities and Exchange Commission, the Big Four accounting firm Deloitte and the fast food chain Sonic also admitted to data losses.
And let's not forget Yahoo's confession that hackers actually managed to pilfer data for all 3 billion of its users in 2013, followed by the international Appleby law firm announcing the loss of 13.4 million legal documents known now as The Paradise Papers.
These breach disclosures affirm the wisdom of New York state implementing its trailblazing cybersecurity rules for financial services firms that took effect last March, and which were amended with the SHIELD Act in November. New York mandates a prominent data security role for CISOs. Colorado followed suit and has become the latest state to give sound direction on data handling rules for certain businesses. In the wake of all the mea culpas of 2017, more states are likely to follow.
Meanwhile in Europe, the EU is preparing to roll out its revised General Data Protection Regulation in May 2018, carrying stiffer data privacy rules that generally elevate consumers' rights, and levy steep penalties against violators.
"What this means is that now the CISO has more hardcore business rationale for spending," Dickson observes. "In the good old days CISOs would say, 'We have to do this or we might get hacked.' It was an abstract threat and risk that, candidly, most execs had a hard time quantifying or even understanding.
"Now they don't have a choice, there's less discretion, so the sophisticated CISO is going to take these compliance and regulatory frameworks and use them to get as much security coverage as they possibly can," Dickson continued. "He or she can go to the chief counsel and say, 'Hey, we've got to do this, we don't have a choice; we're doing business in New York.' "
A security mindset
The specter of more regulation, combined with the steady drumbeat of high-profile breach disclosures, is a godsend from the CISO's point of view. After all, it gives them a soapbox to stand on to enact better data security policies, practices and employee training.
It also means more cybersecurity conferences like RSA, DEFCON, and Black Hat where the latest, greatest technological defenses can be found.
One big challenge CISOs will continue to struggle with, even as they rise up the corporate ladder, is how to spread a security mindset from top to bottom, throughout the organization, says M. Eric Johnson, dean of Vanderbilt University's Owen Graduate School of Management.
The successful CISOs, he says, will be the ones who embrace these tried-and-true management principles:
- Stay positive. There's a big difference, he says, between building awareness and incessantly prophesying doom. Taking a measured approach builds credibility.
- Think critically. Understand and acknowledge everyone's efforts to achieve broader business objectives. "Considering alternative perspectives helps build trust," Johnson says.
- Do something. Waiting for a bigger budget or more authority can lead to atrophy, whereas making a series of small changes can influence the organization to take larger steps.
Winning budget approval to buy more malware detonation devices, threat intelligence dashboards and training curriculum is one thing. However, the truly successful CISOs will be the ones who "establish credibility, build trusted relationships, and persuade others to take action," Johnson says.