The Missing Chief Security Officer - CSO

Zambian Business Times - TECHNOLOGY - Andy Bochman is senior grid strategist for Idaho National Lab's National and Homeland Security directorate. Prior to joining INL, he founded a strategic energy sector security consulting firm, was an advisor on energy security matters at the Chertoff Grou

CEOs have long treated security as a low-level business concern.

In the fall of 2012, the Department of Homeland Security summoned 80 top U.S. utility CEOs to a meeting at Peterson Air Force Base in Colorado Springs, Colorado. The department gave each of them a secret-level clearance for the day and briefed them on emerging cybersecurity threats. When it was over, a Homeland Security official at the time said he overheard one CEO say, “They’ve got my attention but to be honest, I don’t even know the name of our security guy … Seems I better get to know him and fast!”

Five years later, however, most large corporations—including those in the Fortune 1000—are still functioning as if cybersecurity is more of a nuisance than a strategic risk. Even as massive data breaches continue hitting the biggest corporations in America, many CEOs still downplay the fact that criminal hackers are getting more sophisticated and that cyberattacks pose an existential threat to their companies—not just costing them many millions of dollars but potentially their brands’ reputations and their own jobs.

This is true across the business world, but it’s especially the case among energy companies and other organizations that operate critical infrastructure, such as water treatment facilities and chemical plants. I know this first-hand as a senior cyber and energy security strategist for the Idaho National Lab, one of the nation’s foremost research centres focused on energy and national security. While a cyberattack on a bank could result in a significant loss of money and sensitive data, an attack on a power generation facility, hospital, or transportation facility could cost lives.

One common-sense solution for ensuring security gets the attention it now requires is for organizations to appoint and empower a true chief security officer (CSO), at the VP level or higher, with purview over IT and operational technology (OT) assets, including cyber and physical security systems and networks. At a time when corporate dependency on digital technologies is now nearly complete, sticking with a business-as-usual structure is outdated and unwise. It’s no longer good enough to have a so-called chief information security officer (CISO) buried in the organizational hierarchy under the chief information officer (CIO).

“The necessary position for the times is a chief security officer—a CSO, not a CISO,” says Chris Peters, the CSO for Entergy Corp., an electric utility company based in Houston. “Given the unprecedented level of attacks with material impacts to companies and CEOs’ careers, I can’t understand why any organization would stick with a status quo governance model.”

Today, no one needs regular and completely candid communications on cyber risks more than the CEO. Forrester Research recently published a report based on a survey of Fortune 500 companies and found that just 4 percent of executives responsible for security were at the SVP level and 27 percent held VP titles. The rest we can assume are directors and even managers—and that’s at companies with revenues of no less than $5 billion in 2017.

According to research from CIO magazine, 70 percent of organizations are content having their highest-ranking security employees report to the CIO. And that’s a problem. It means that the organizations’ top cyber watchdogs are a long throw from their ultimate bosses—boards of directors—and the other key business leaders responsible for mitigating strategic business risks. Even companies that claim to have a CISO aren’t really focused on the problem at the highest levels because that individual is still reporting to the CIO. That means they are typically no higher than a director or senior manager and aren’t a member of the C-suite, nor a corporate officer.

Three glaring problems arise from this anachronistic approach to security governance:

• Inevitable conflicts with their boss (the CIO), whose principal job is to deploy new technologies that drive profits and efficiencies.

• CISOs under CIOs aren’t in the position to align security priorities with the company’s other strategic business goals.

• CEOs and board members need constant and regular interaction with their company’s cybersecurity expert to build trust and rapport. They don’t get that from people far down the organizational chart.

To Peters, and many other working CSOs, resistance to elevating the CSO position flies in the face of what he sees happening all around him: namely, recent multi-hundred-million-dollar breaches at companies such as Merck, Maersk, and Equifax. But there are signs of improvement. After a major cybersecurity incident a few years ago at Iberdrola USA (since renamed Avangrid), the Rochester, New York-based electric utility company promoted Keri Glitch to vice president and CSO reporting directly to the CEO. It’s a trend Glitch is noticing at other utility companies. At her current job with the Midcontinent Independent System Operator (MISO), she was hired directly into a true CSO position, responsible for securing an electricity transmission system spanning 15 states that run north to south, from Michigan to Mississippi.

There’s an important caveat here: Glitch never lobbied for the new position at Iberdrola; it was entirely the CEO’s call. In fact, in almost all cases where manager- or director-level CISOs have made the case for the elevation of the top security position, it was seen as mere self-promotion and quickly denied.

The current approach to cybersecurity isn’t working. In fact, only 15 percent of corporate boards are completely satisfied with the level of cybersecurity reporting they’re getting from management, according to the National Association of Corporate Directors. It’s not difficult to imagine why. Most haven’t reorganized their company’s management structures to confront today’s growing cybersecurity risks. Times have changed, and the change needed to confront real and pressing digital threats needs to come from the top of every organization.

“It’s time for organizations to appoint CSOs with both technical and business leadership attributes. Most CISOs are far too pigeonholed to effectively deal with the material nature of attacks and help CEOs navigate these turbulent times.” Michael Assante, SANS Institute

Source: National Association of Corporate Directors
