View from the C-Suite

July 6, 2017

ONE RUNS MARATHONS. Another writes young adult sci-fi. Still another embraces efforts to end homelessness, and a fourth splices in college teaching while managing an eight-country digital asset portfolio. All arrived at the C-suite by divergent paths. Yet in frank conversations about the future of the job and trends for the information security field, some common themes emerged.

The CISO’s role has been transformed by the changing nature of cyber espionage in industry and the military and the headline-grabbing advanced persistent threats (APTs) by foreign nation states. Janet Levesque, chief information security officer at RSA and a board member of the Internet Security Alliance (ISA), summed up the regulatory impact: “In the past five years the regulatory environment has been catching up to be more pervasive.”

A second impact on the role is the acceleration of attacks: “There have been so many incidents in the past five years we have a little ‘breach fatigue’ … so it’s much more top of mind for people around the world. A CISO has to keep the organizational focus on protect/detect/defend goals and give solutions that deliver to these goals, despite ‘breach fatigue’ or statements like ‘it’s not if, but when [you’re breached].’”

The third shift globally is the elevation of the office of CISO. In 2016, the holding company Realogy, known for its real estate brands Sotheby’s International and Coldwell Banker, elevated the CISO role from vice president to senior vice president with the departure of the previous CISO.

“A part of it was in order to recruit the talent they wanted,” says new Realogy SVP and CISO Nashira Layade, and “to ensure that information security is elevated across the organization.”

RSA’s Levesque summed up the transformation with, “These aren’t just IT issues; we’re seeing executive issues. The CISO historically reported to a CIO or CTO, but across industries we need to bring it up a level so we have a seat at the table with other C-level executives.”

Over the years, the broad issue that faces CISOs continues to be: How to get the board to listen. Sometimes it’s a conversation about metrics, which ones should be reported and to what detail. But before a CISO or RISO (regional information security officer who typically oversees the information security of several country offices for a global corporation) can get to this quantitative approach, there has to be a qualitative shift.

Michal Niezurawski, who has held multiple RISO roles in Europe, the Middle East and Africa for healthcare and life insurance companies, observes that a board typically “wants to reduce IT operating costs, especially [those] seen as repeatable tasks. These IT operational costs are viewed as undesirable. This approach also includes IT security. However, at the highest organizational levels, IT security costs could and should be viewed as a constant investment in the brand.”

“From my perspective, it’s easier for legal to start a conversation about what they need to protect or invest,” he continued. “The board has better understanding of such costs, especially if they are justified by legal action or PR procedures. [The] IT security [executive] often comes in with similar goals [as the legal executive] to the board, but can easily fall into the trap of sounding too technical: protect databases, networks, etc. These terms can, in some cases, be taken as intimidating by board members. Links to the business value are not immediately obvious. It is hard to justify why long-term funding is required in such situations.”

What is the magic dashboard that will give a meaningful report to the board?

A who’s who of CISOs tackled this very issue in a handbook, Cyber-Risk Oversight, produced as part of the Director’s Handbook series of the National Association of Corporate Directors (NACD). It covers the nuts and bolts of metrics and communication.

It was edited by the president and CEO of the ISA, Larry Clinton, who has addressed the issue at industry events and in U.S. Senate testimony. He summarized the challenge this way: “CISOs need to get over the fact that boards are ‘digital immigrants.’ You need to learn their language. When you learn their language, integrate and contextualize your discipline into their frame of reference, you’ll be much more able to work with them and influence—they talk about mergers and acquisitions, product innovation and strategic partnerships. We need to integrate cybersecurity at the front end of the business process and not at the back end of the IT process. I see a dialogue that starts with, ‘Oh, you’re doing an acquisition? Here are the questions you need to ask.’”

Niezurawski concurred, “Translating IT risks into monetary terms that are used in the board room is difficult. I face this weekly.”

Clinton also noted, “Everyone knows about the Target attack. Few people remember that around the same time eBay was attacked because eBay managed their public relations at that time that mitigated the reputation risk.”

“As a CISO, to paraphrase the screenwriters of Forrest Gump, every day is a box of chocolates,” says Levesque. For her, the room where it happens isn’t just the boardroom or the security operations center (SOC), but also an executive team room. “One of the things we’ve built here is a management incident response triage team at RSA. The collaboration and solving as a team is one of the most worthwhile aspects. Having this incident triage team corrals all the right people in a room—legal, operations, monitoring, IT—and together breaking down a problem.”

Whether you are already a CISO, report to one or aspire to be one, it makes sense to be aware of what keeps CISOs up at night. InfoSecurity Professional magazine turned to Marcelo Olguin, who has served as RISO for MetLife since 2004 with Chile, Mexico, Brazil, Argentina, Colombia, Ecuador, Panama and the Caribbean in his portfolio.

“It’s a nightmare the rate that the threats change,” he says. “Two areas: [one,] the increasing sophistication of attacks. They’re really smart guys, and can even repurpose the same attacks in new ways. One example happened at multiple companies, including Amazon, where the bad guys took advantage of new legit tools for cyberattacks via IoT. We need good quality people and good intel. We aren’t a cyber intel business ourselves, so we need good partners with that focus.”

The other area he identifies is third-party risk management, particularly the cloud, where data is “not completely under our control in terms of human weaknesses.”

RSA’s Levesque breaks it down into two more components. Like Olguin, she includes the IoT and due diligence around third-party outsourcing, but also warns that “ransomware is an issue especially for healthcare, but each industry has challenges.”

The other component is “phishing and spear phishing [which is an email phish that targets specific executives], and the human component of how you train people to remain security aware while they are multitasking.”

Niezurawski homed in on an immediate threat that CISOs and other senior officers have in common: “Spearphishing attempts are instances where boards need to listen in order to break the psychological or human element in the kill chain. [Directors] and line employees still fall for the oldest tricks.”

He added that sometimes what keeps him up at night, the diversity of threat vectors, is exactly what makes the RISO role the most interesting to him in information security. He cited a penetration test where one “white hat” hacker with physical access attained global administrator level of a major multinational firm in 48 hours.

Each CISO interviewed spoke about the need to partner with groups within IT, and ones like IT audit or legal outside of it.

Niezurawski recommended, “There’s a similarity to dancing, when sometimes you’re just taking two steps to the side to find a way forward. We should no longer be the ones who only speak purely about risk in terms of IT. We need to take a lead in this dance, constantly negotiate and seek out opportunities for risk mitigation if there’s a valid business need. From a purely managerial perspective, it is possible to say ‘no,’ but if that’s too consistent a voice, it gets ignored.”

RSA’s Levesque gives a similar example. “In my organization I own compliance but not legal … [and] we’ve come up with a nice cadence [that has delivered] a runbook of provisions for compliance and information security in a legal contract.”

Building that cadence, or mutual history, can be crucial, she continues. “I would say the same for physical security. Whether a joint investigation of addressing piggybacking [when unauthorized people enter a facility by ‘piggybacking’ or passing through a turnstile or door with the aid of a well-meaning colleague who holds a door open or swipes them in] or video surveillance monitoring, collaboration is critical. Relationship building is key to achieving what’s really a shared goal across the organization.”

Pressed for her partnership recipe, Realogy’s Layade also emphasized relationship-building, and gave these additional examples of key partners, “I’ve always had a 50-50 split between privacy and IT security. The two organizations are intrinsically linked. At another organization, physical security and information security worked closely in support of disaster recovery and the business continuity plan. The CISO and systems groups should meet often, not infrequently.”

To bring a specialized understanding of a group’s business process to its technology support, or to speed implementation, a business unit may establish systems teams within its own organization. The more common examples include financial systems groups, HR IT or legal IT; collectively they are sometimes called “shadow IT.”

Here, by and large, the consensus among CISOs interviewed for this article was that partnership is still often the answer. “I’ll go back to that partnership conversation and add to that a knowledge of where hand-offs need to occur,” recommends RSA’s Levesque. “When a shadow IT group wants to introduce a new purpose-built tool or technology or change providers, they should be bringing IT security in to evaluate the security risks. The CISO’s office should be building those relationships so security is brought in early and often.”

Niezurawski referred to his metaphor of organizational collaboration as a dance. “This goes back to taking two steps to the side to find that common way forward. In my opinion, CISOs should be open for any collaboration, for understanding security.”

When pressed, he cited specific concerns a CISO should have. “Policy shouldn’t be played by CISOs to become corporate policeman. Firstly, it doesn’t need to if we have the discussion as early as possible to find what meets security needs. Second, what’s really challenging for me are legacy systems—to meet the original purpose, but allow for us to mitigate the risks and update for changed processes. Third, it also invites another threat, luring, especially for shadow IT. On a technology level, we have new types of ‘things’ that are connectivity-active, hard to patch, hard to see inside with no robust supporting community. It’s a contrast to Linux or Windows, with many people who are knowledgeable. These devices don’t have [the equivalent] vendor mitigation. But from the other side, offer a lot of new functionalities that are requested to be immediately available by our business partners.”

Levesque joked that “the CISO role isn’t one someone chases” but did describe some standard “archetypes” for the careers that lead to it. “One is former military with a technical cryptography background. Then there is the technical expert who has worked in networking, patch and change management and needs to work at not getting caught in the weeds. The third path comes from the risk management, audit and compliance side. The whole space is evolving to a risk-based domain in terms of how you identify your high-value assets, then, once identified, protect the prioritized assets.”

Niezurawski came up through that third path. “IT audit is a very important partner of IT security. I came from audit; it’s not common, but I know several others who’ve followed this route. It’s valuable to have an IT auditor who knows the technology and compliance assessment side.”

STAYING SHARP, GETTING REFUELED

Layade offered both introverted and extroverted advice. On the one hand, this SVP advises, “start to read business trade magazines like Harvard Business Review, The Economist, Wall Street Journal and The New York Times. On any given day, they don’t address cybersecurity specifically, but a CISO will come to understand its impact by reading the things they do address.”

On the other hand, she also recommends that CISOs and would-be information security officers seek out “marketing groups that put together CISO forums. We’re all facing similar challenges, so we might hear a different view that’s useful at these. … As a female CISO, the Executive Women’s Forum has been empowering: to spend two or three days with women … if your industry has forums for CISO…. We understand [though] our companies may be competitors, we all face the same issues and threats. It’s good to face them together.”

Olguin echoed the recommendation for reading the HBR and emphasized “good studies of successful launches and alignments because they add to what you get from more strategic technology updates. It’s understanding microeconomics—how the company works unlocks it for IT security.”

Levesque pointed out another avenue. “I rely on people in my network, through conferences and expert blogs. It’s having practitioner-to-practitioner organizations.”

Those of us who are active in (ISC)² chapters might well agree.

InfoSecurity Professional Magazine