The strong technical background most CISOs bring to their position is a powerful asset, yet it can limit career growth if they fail to transition their perspective from technology to governance.
When I was a software engineer who aspired to become a marketer, a mentor gave me sage advice about transitioning: “Stop trying to be the smartest technologist in the room and become the expert on what customers want.” CISOs wanting to become part of the management team face a similar challenge. While a CISO’s strong technical background is a powerful asset, it can limit career growth if they fail to shift their focus to governance and what governance brings to the whole organization. Engaging the entire organization, from the board down, to appreciate the risk of cyberattacks is key, and shared responsibility for improving cyber resilience outside the IT and security functions elevates the role of the CISO in the executive suite.
Kudelski’s Andrew Howard recently described the CISO’s challenge. “Cybersecurity isn’t easy. Those tasked with leading this space are required to be technical enough to challenge highly-technical engineers, while possessing the business savvy to present complex topics in everyday terms to the board of directors. They are presented with limitless investment options with limited investment budgets, and yet, are asked to optimally minimize risk. It’s no wonder the average Chief Information Security Officer (CISO) only lasts 17 months.”
CISOs who report to CIOs are often stymied in their drive to improve cybersecurity: CIOs are rewarded for efficiency (i.e., conserving money), while CISOs require expenditures to advance cyber resilience. As executive failures at organizations like Equifax, Yahoo, and the SEC continue to make headlines, astute leaders realize that cybersecurity is a key component of enterprise risk, and they elevate the role of the CISO, often separating it from the IT function and adding it to the executive management team.
“CISOs must be strategic with cybersecurity planning by concentrating more on governance than on simply properly administering specific security technologies.”
“CISOs map out their cybersecurity plan for 2018”
Mary K. Pratt in TechTarget
What is driving CISOs to change? One simple fact: the vast majority of breaches are caused by failures of people, processes, and policies rather than of technology. Roughly 80% of security budgets are spent on technical solutions, and most of those technologies do their job well; breaches caused entirely by a technology failure are uncommon. Far more often, breaches happen because people do what they shouldn’t or don’t do what they should. In other words, governance is lacking, and most likely the organization has no cybersecurity culture at work.
What is governance?
“Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization. It includes the mechanisms required to balance the powers of the members (with the associated accountability), and their primary duty of enhancing the prosperity and viability of the organization.”
The Business Dictionary
Not long ago, I heard of a company in the top 200 that lacked a written cybersecurity policy. This is surprising given today’s business environment and the magnitude of the breaches we’ve seen. In fact, most organizations lack a cyber risk governance program. A comprehensive approach toward building cyber resilience is needed: one that ensures the fundamentals Andrew Howard describes aren’t overlooked, and that replaces the reactive cycle of reading the latest breach headline, assessing the vulnerability it exposed, and shopping for a technology to implement.
An efficient cyber risk governance program requires a high degree of organization. The first step is to adopt a sound framework as a foundation. The Cybersecurity Framework from the National Institute of Standards and Technology (NIST CSF) is an excellent choice. Its usage is growing at a faster pace than anyone anticipated when NIST led its development a few years ago with input from 3,000 experts (see below).
Gartner reported in early 2016 that NIST CSF had reached 30% adoption in 2015 and projected that 50% of all organizations would employ it by 2020. A year after that projection, an Executive Order (EO 13800, May 2017) mandated that all federal agencies use it. A logical next step is that agencies will require federal contractors to use it as well, a move that should drive adoption even higher.
Two additional steps can greatly increase the Framework’s effectiveness: (1) assign accountability for each control to a named individual, and (2) leverage industry-specific crosswalks.
Accountability. The NIST Framework stops short of defining how to assign responsibility for each control. Without a clear statement of who is accountable for each control, progress is slow. To establish a straightforward accountability mechanism, we combined CSF with a contemporaneous, highly compatible framework that supplies the ownership model CSF leaves out.
Crosswalks. The second way to increase the efficiency of a CSF-based governance program is to adopt crosswalks. A crosswalk is a mapping between equivalent elements of two frameworks. Because industry-specific controls map readily onto CSF subcategories, evidence gathered about a control under CSF (its owner, status, and supporting documentation) is immediately reusable for the corresponding control in the other framework, and vice versa. The growing influence and adoption of NIST CSF has driven organizations to crosswalk their frameworks with it, including the HIPAA Security Rule (healthcare) and the FFIEC Cybersecurity Assessment Tool (financial services). Others are available or are in the works.
In short, the tools and infrastructure that enable a CISO to advance from being technology-driven to governance-driven are available. Any CISO seeking to grow in their career would do well to take the initiative to institute governance and lead their organization to the next level of cyber maturity.