Guest Column: ‘Don’t Think You Need A CISO? Think Again’

by David Garrett, President, CISO Advisory and Investigations LLC


David Garrett

On July 5, F.B.I. director James B. Comey announced the much anticipated results of the F.B.I.’s investigation into the handling of classified information by former Secretary of State Hilary Clinton.  Secretary Clinton’s use of private email servers, the F.B.I.’s investigation and its recommendation not to prosecute are certain to garner much public debate, and deservedly so.  But buried in Mr. Comey’s speech was a statement that likely won’t receive much press attention, yet every corporate leader should stand up and take note.

In describing Secretary Clinton’s practices that made her email vulnerable to cyber attack, Mr. Comey stated:

None of these e-mails should have been on any kind of unclassified system, but their presence is especially concerning because all of these e-mails were housed on unclassified personal servers not even supported by full-time security staff, like those found at Departments and Agencies of the U.S. Government—or even with a commercial service like Gmail. (emphasis added)

Mr. Comey’s statement underscores what should be obvious.  Organizations that have a dedicated information security team — preferably one led by a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) — are in a more defensible security position.  Of course, companies cannot eliminate cyber risks simply by hiring a CISO, but they will reduce cyber risks considerably if they do so.  Having an individual or team dedicated to cybersecurity – whether internal or external – is now an essential risk mitigation step for any organization serious about managing cybersecurity.  

The Evolving Importance of Information Security 

Historically, the role of information security within larger business enterprises was often small enough to be handled entirely by a Chief Information Officer (CIO).  But by viewing information security as a mere subset of their responsibilities, CIOs not only failed to devote their full attention to it, they also failed to allocate the quantity and quality of information security personnel.

In today’s perilous business environment, information security has become too vital and too specialized to be performed on a part time basis. Why? In part because the information technology delivering business has become so complex.  Mobile, Cloud Computing, Big Data, Internet of Things; these business and IT trends have made communication faster and created incredible efficiencies.  But behind those new technologies often lies hundreds if not thousands of network devices and software applications.  IT has also become intertwined into the fabric of nearly every business function.  It’s hard to imagine a business process today that is not automated.  Communications, HR, Finance, Customer Support — all of these services are delivered today through IT.  Simply keeping these systems up and running has become a massive undertaking.

Businesses today also warehouse terabytes of data, while use of data analytics to mine data patterns has become commonplace.  The Internet of Things has connected thousands of devices that were not traditionally connected to the internet.  Gartner forecasts that over 6 billion “connected things” will be in use globally by the end of 2016, and will reach 20.8 billion by 2020[i].  Research firm IDC is even more bullish. It predicts that the number of connected devices will reach 30 billion by 2020[ii].  Apart from there being simply more devices spinning off more data, many businesses today are storing large amounts of customer data for no immediate purposes; simply in the off chance that they discover a way to monetize it in the future.  

Growing Cyber Risks

With the increased volumes of data comes increased risks.  The number, frequency, and impact of cyber attacks grows exponentially year over year.  The numbers are mind boggling.  Symantec reported that over 429 million records were stolen in 2015, a 23% increase over 2014[iii].  There were a record setting nine “mega-breaches” last year (a breach of over 10 million records) and large companies are not the only targets.  A 2016 global survey conducted by PWC, CIO Magazine and CSO Magazine found that the number of attacks reported by midsize companies (revenues of $100 million to $1 billion) jumped 64% since 2014[iv].  CFO Magazine reported that – between February 2014 and February 2016 – one in five small and midsize businesses were victims of cyber attacks. Lastly, a 2014 analysis by the Center for Strategic and International Studies and sponsored by McAfee, part of Intel Security, put the global cost of cybercrime at up to $575 billion annually, or 0.8 percent of global GDP[v].

Businesses today must also operate within an imbroglio of new privacy and cybersecurity statutes, rules and regulations and sector specific requirements.  SEC OCIE, HIPAA, PCI DSS to name just a few.  Complying with these requirements has become a full time job.  Indeed, failure to comply can result in regulatory audits and large fines.  Both Federal and state regulators are ramping up cybersecurity enforcement. The U.S. Department of Health and Human Services recently fined Catholic Health Care Services of the Archdiocese of Philadelphia $650,000 for data security failures[vi].  In June 2016, the S.E.C. fined Morgan Stanley $1 million for its cybersecurity failings[vii]. And in December 2015, the F.T.C. announced a $100 million settlement with LifeLock to resolve contempt charges stemming from a 2010 settlement involving its cybersecurity practices[viii] 

Surprisingly Few CISOs

Notwithstanding the compelling reasons to do so, a startling number of organizations do not have senior managers dedicated to information security.  According to PWC’s The Global State of Information Security Survey 2016, only 54% of businesses have a CISO in charge of their information security programs[ix].  The number of organizations with low level managers devoted to information security is undoubtedly higher, but the fact that only half of all businesses have a CISO is troubling.

Why are there so few CISOs? Part of the answer is under investment. Companies’ investment in cybersecurity personnel and technologies has not kept pace with increased cyber risks, though recent studies suggest this trend is shifting.  Respondents to PWC’s The Global State of Information Security Survey 2016, for instance, reported they had boosted their information security budgets by 24% in 2015.

There are also relatively few CISOs because of human capital shortages.  Today’s information security job market is insanely competitive.  Small and medium size businesses struggle to match the compensation offered by large enterprises.  The lack of “supply” is also driven by the evolving job responsibilities of the CISO.  Today’s CISOs must not only be a technical security expert; they must also be:

  • Effective risk managers with a deep understanding of the business, who can develop and drive an information security strategy and program;
  • Successful leaders who can instill a culture of security throughout the enterprise; and
  • Great communicators who can seamlessly move from an internal IT meeting about firewall configurations to a presentation to the Board of Directors.

This multi-disciplinarian skill set makes experienced CISOs a rare breed.

The lack of CISOs also appears to be the result of resistance from other C-Level executives.  A Threat Track Survey from 2014 reported “while enterprises are increasingly turning to CISOs to head their cybersecurity operations, about three quarters of respondents (74%) overwhelmingly said they do not believe that CISOs deserve a seat at the table and should be part of an organization’s leadership team.”[x] This attitude is short sighted and dangerous.

The ultimate responsibility for overseeing and managing cybersecurity risks falls on its corporate leaders, a daunting task given the sophisticated and complex nature of cyber threats and the typical lack of information security training or experience of the Board of Directors and the C-Suite.  To exercise effective oversight, the Board and senior management team need to hear directly from the CISO.  The stakes are too high for the cyber risks to be filtered through other corporate leaders such as the CIO.  

Not So Obvious Way That A CISO Can Reduce Cyber Risks

There is tremendous value in having an individual or team focused exclusively on cyber security.  Organizations with a CISO are more likely to have the governance, operational, and technical controls that are necessary to reduce cyber risks.

But there is a less obvious – yet equally compelling – reason to have a CISO.  Regardless of your company’s size, industry, or maturity, there is a high likelihood that it will suffer a significant cyber incident over the next five years.  The law of averages says so, and corporate leaders should plan accordingly.  Moreover, the aftermath of a cyber-attack will be rife with privacy litigation, regulatory inquiries, shareholder outrage and confusion and a broad range of unanticipated consequences.  Above all else, during the fallout, corporate leader will be called upon to convince an array of skeptical constituencies (shareholders, partners, customers, regulators, insurance carriers; employees and other interested parties) of the reasonableness of their failed cybersecurity.

Organizations will need to identify specific examples that demonstrate a reasonable commitment to cybersecurity. Having a CISO in place sends a powerful message about an organization’s commitment to data security and privacy.  And, as with Secretary Clinton, it sends an even more powerful message if you don’t.

David Garrett is President of CISO Advisory and Investigations LLC which is a cybersecurity consulting firm. The firm is comprised of former FBI agents and data privacy and security experts who have spent over 30 years investigating cybersecurity incidents. The firm leverages its extensive investigative experience to help clients build defensible cybersecurity strategies. The firm’s mission is to empower corporate leaders with the data they need to make informed cyber risk decisions.