Many years ago I went to the doctor with a weird arm. If I held my elbow and wrist just-so, it seemed to stop the blood supply going to my fingers. Nothing too dramatic, but worth getting checked out. I was referred to the local hospital where the specialist remarked that he had never seen anything like it and he was keen to investigate further.
“I should add that you’ve been referred to the wrong department. This is gastroenterology. We don’t really do arms. But we’d really like to take your case on.”
I’m reminded of this because it’s been a long time since we expected anyone with specialist knowledge in a particular area of medicine to have transferable skills to another area. No matter how much I respect the dedication to their profession, I didn’t really want the gut people poking around in my arm, just like if I’m looking for some brain surgery I’m probably not going to ask a rocket scientist.
The same is increasingly true for the various fields of so-called ‘IT.’ We need our ‘general practitioners’ right up to the level of CIO. But just as we don’t expect them also to be coders, we shouldn’t expect them to be experts in cybersecurity.
The cyber-threat landscape is growing. Malicious actors are at every level, from script kiddies to nation states. Ransomware, cryptomining, drive-bys, DDoS, phishing, spear-phishing, whaling – the list goes on and on. Do you remember when IT security meant turning off Office macros and not accepting floppy disks from strangers?
And now we expect the people who have had to absorb the explosion of knowledge that came with infrastructure changes (either chosen for sensible strategic reasons or foisted upon them) to also be experts in the security threats associated with every one of those choices, plus everything else that’s going on.
It’s no disrespect to anyone from ‘the IT guy’ to the CIO to say that someone with substantial experience in Information Security should be there to provide insight, strategic direction, and a voice that senior management and the board will listen to.
Let’s take one example – phishing.
We all know the C-level executives who insist on having admin rights on their laptops because they might need to install extra productivity software out of normal IT support hours. Who really need to run Excel macros. Who haven’t updated their OS since 2015 because they can’t risk losing those years of work that they haven’t backed up to the secure server.
Even in the simplest kind of attack, these are the people whose word will be believed when an employee gets an email asking them to click on a link, make a bank transfer, or send a bunch of confidential files to this person really quickly. Don’t question my authority. Here’s the email address.
Does an organization really need a CISO just to tick the other executives off for not making sure their anti-virus software is up-to-date?
Well, no, it shouldn’t. But then, who else is in a position to speak to people at their level?
These days, every single person and every piece of technology they use is an attack vector, and the more senior position they hold, the bigger the target and the consequences.
It is the role of the CISO to make sure that an IT Security Policy exists. That it is relevant and aligned with the overall business strategy and business priorities. That it is not just some other document that’s put in the new employee welcome pack and never read.
Of course, there’s so much more that a CISO can bring to an organization.
Let me give you some thought points. Little situations that may light a spark of recognition (though obviously exaggerated for dramatic effect!):
These aren’t examples of data breaches, or evidence of hacking, or any other cyber-security nightmare situation. But if something were to happen and you didn’t have an incident plan, you couldn’t say what data had been lost, and if an audit revealed you were in breach of contract, the consequences for your reputation and even your ability to operate could be severe.
When you don’t have someone leading on Information Security at CISO or equivalent level, then you can end up with too many people each doing a little bit, or one person not quite doing enough, with no strategic overview, no sign-off, and no buy-in. It just becomes a tick-box exercise which won’t provide effective cyberattack prevention and won’t wash with the insurers if the worst happens.
The information you have, where it is stored, and how it is being transmitted and protected is no longer a thing for low-level tech people to be solely responsible for.
And let’s be clear, ‘information’ isn’t just the data you have on your servers. It doesn’t have to be the blueprints for your new miracle widget that hackers are trying to get hold of, or even your bank details. It could be details of your supply chain, copies of your invoices, how you communicate with your colleagues. It could even be what you sound like on the phone.
Realize that bringing in a CISO does not have to mean creating a new full-time C-level position at great expense. Wouldn’t it be better to bring in the experience and insight of someone who is continually learning in different environments?
These days CISO “on-demand” means this kind of industry experience can be brought in in a way that fits your organizational needs. To shape the security strategy, build the appropriate skills within the IT team, manage security within projects, or to solve particular immediate challenges. All this at considerably less cost than a full-time hire.
An ongoing CISO presence, even if in a part-time role, keeps cyber-security where it should be, in the minds of every employee at every level.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.