Blog 3 of the CISO Experience series
This year Cisco hosted their first CISO Experience at CiscoLive Barcelona, on 29 and 30 January. The event attracted over 60 Chief Information Security Officers (CISOs) and other senior security leaders, who discussed the topics that are shaping cybersecurity in 2018. In this third and final blog of the CISO Experience series, we share some advice from companies such as Enel, ADP and Cisco on why security is a business issue and how regulations such as GDPR can help elevate it to a boardroom topic. Read our first post in the series here.
In 2017, the WannaCry ransomware infected computers in around 150 countries. According to the MoneyWatch news website, losses from this attack alone could have reached $4 billion. Those losses go far beyond the cost of repairing infrastructure and restoring service.
Companies hit by cyberattacks take a big hit to their reputation and to their ability to look after their customers. They may lose revenue and business opportunities, not to mention incur hefty penalties. Despite the growing evidence that security is a business issue, many companies still fail to make it a priority.
Making security a business priority was one of the topics covered in a panel discussion moderated by Anthony Grieco, Cisco's Trust Strategy Officer.
Panellists agreed that large-scale cyberattacks such as WannaCry and all the media coverage they get serve as a “reality check” and help executives realise the potential damage to their organisations.
Yuri Rassega, Chief Information Security Officer at Enel, an Italian energy utility, added that much of the infrastructure we are now trying to secure was not designed with security in mind. Making security a business priority helps bring departments together to achieve a more secure posture and to implement security by design.
Rassega explained that Enel has a security board made up of managers from both the IT and the business sides. This structure keeps business leaders closely involved with security and up to date with any issues that may affect their business performance.
Bill O'Connell, Chief Business Security Officer at ADP, added that some of his best supporters are neither security nor even technical people. He attributes this to his honest, positive and careful representation of security issues, focusing on being factual rather than scaremongering.
In order to make security a business priority, it is also important to speak the language of business executives. Michelle Dennedy, VP and Chief Privacy Officer at Cisco, recommends that CISOs should focus on goals, deadlines, trends and statistics when presenting security to a board.
Jason Amanatullah, Senior Director of Business Development at Cisco Services, often tells CISOs to simplify the message and keep repeating it. He believes that being able to demonstrate to a board that there is a trend behind their observations and that the potential loss surpasses the cost of investment will help convince them to take security more seriously.
The role of regulations in improving security
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and has been a hot topic since it was adopted in 2016. Rather than feeling threatened by it, the CISOs at the Cisco event see GDPR and other regulations as a positive influence on companies' security posture.
Rassega from Enel believes that companies already investing in security do not have a lot to worry about, as they are probably already compliant. For those that have struggled to secure funds to invest, however, regulations such as GDPR offer a great opportunity to get people across the organisation thinking about data privacy and security. In a way, new legislation is forcing minimum standards on companies, which will help support greater technology innovation in the future.
O'Connell from ADP highlights that data privacy and security are not only regulatory requirements but also a customer demand. His company frequently gets questions from customers about how it handles their data. Data privacy and security go beyond IT; they affect many roles within an organisation. Departments such as HR, Marketing, Sales, Legal and Operations all handle personal data, whether it belongs to employees or to external parties.
Dennedy from Cisco suggests that companies identify their critical data and focus on the best ways to segment it and protect it from attackers. Amanatullah from Cisco Services also advises companies to prepare for the worst and build incident response plans that cover not only security measures but also legal and public relations, to help minimise and contain the damage caused by attacks.
Where should you start?
Richard Goodman, Head of Network and Security Services at John Lewis Partnership and one of the presenters at the Cisco event, recommended six measures to improve overall security posture and ultimately achieve better business outcomes:
- Get board buy-in: work closely with executives in your company to get their support for continuous investment in security.
- Invest in security awareness: help employees, customers and partners become more aware of security and minimise the risk to your company.
- Have a dedicated incident response plan: be prepared to respond to threats faster. Have a plan that covers not only the technical response to incidents but also the legal, public and customer relations issues that may arise.
- Use your partners: attackers may exploit the supply chain to gain access to your network. Work closely with partners and suppliers to ensure they have good security postures that align with your own.
- Align your strategy: ensure that the CISO and Security Operations work together on aligning their strategy and priorities, and involve other key leaders of your organisation in security planning.
- Develop your talent: there is a shortage of security talent in the market, so the best way to get a steady supply of great professionals is to develop your own.