
The Elephant in the Room That No One Wants To Talk About

Executive Summary

There are some major inherent flaws in the way Information Security is governed and managed in corporate Australia (as well as in Government departments at all levels of Government).

They are:

  • There is a disconnect between the executive leadership, the board, and the CISO,
  • The role definition of a CISO is confused and completely inconsistent,
  • The reporting line of the CISO should be to the CEO,
  • Information Security metrics should be introduced that are leading indicators and be reported to the board on a regular basis. If you can’t measure it, you can’t manage it,
  • Security is a people-first / culture issue, not solely a technology or business one, and
  • Organisations are not focussed enough on what controls should be in place to protect the data they transmit, process, and store. In many cases, they don’t even know what data they transmit, process, or store.

This paper addresses these points with the objective of resolving the problem statement that exists in corporate Australia and Government regarding Information Security.

What are the things that are commonly going wrong leading to material information security breaches? How did organisations not see this coming and prevent it?

In 2022, particularly in September and October, there have been a number of disclosures relating to large-scale cyber security attacks, resulting in ongoing national mainstream media attention. Significant corporate security breaches in Australia have resulted in the loss of identity data, financial data, and health data of millions of people who trusted the hacked organisations with their data.

A key point to make is that these issues aren’t just happening now. These types of attacks have been ongoing for a number of years, and the security industry has found it hard to get mainstream media attention for them. What is perhaps different this time is the scale of impact of some of these attacks, which has attracted nationwide attention on an ongoing basis. Once nationwide mainstream attention occurs, it generally follows that the media will remain focussed on the issue for some time.

This paper looks at the root causes of why these events continue to occur.

The information security industry has been constantly talking about company boards and CEOs needing to take Information Security more seriously. This has been stated for almost a decade. However, the reality is that the boards and CEOs of corporations, government bodies and the like have been, and are, taking Information Security seriously for at least five years. It isn’t a reaction to the last couple of months. So, what is going wrong? Why are we hearing this constant allegation?

What is occurring is that there is a disconnect between the Chief Information Security Officer (“CISO”) and executive leadership. Unlike the rest of the CxO suite, the CISO is not considered an executive role by the CEO. This has led to the CISO role being diminished, which in turn results in a lack of capable senior executive CISOs. CISOs need to be able to properly articulate to the board and senior executives what the current residual risk position is, using a taxonomy, language, context, and metrics that the board and senior executives understand and operate within. Boards also lack information from CISOs on what should be done, how to measure those things, and the implications of not doing them, again in the context of how a board operates, governs, thinks, and makes decisions.

This goes to the heart of the definition of the role of the CISO. The definition of the CISO role is, in a word, confusing. Only a tiny minority of CISOs in Australia are actually senior executives themselves and share the same responsibilities as CFOs, COOs, CEOs, CIOs, i.e. other C-suite executives. The remainder with that title are effectively a Head of Information Security or an Information Manager, and therefore lack the executive skills required to execute the CISO role.

Many in the Information Security industry are divided as to what the definition of the CISO role should be. Some suggest that the CISO should have a range of information security certifications (see AISA Information Security survey 2022). Many come from engineering and technical backgrounds and see the CISO role more like that of a lawyer or accountant.

However, those at a senior executive level who hire CISOs have stated that they do not look for certifications when hiring (again, see AISA Information Security survey 2022).

So, there is another disconnect: many who aspire to be a CISO are not even thinking of it as a senior executive role, with the requisite skills that a senior executive needs, which is precisely what senior executives are looking for when hiring a CISO.

A CISO going forward must be a senior executive role reporting directly to the CEO. The debate over that (not that one is even effectively happening) is over. The results are in. Information Security breaches are mainstream, costing organisations billions of dollars to rectify post breach. Why would this not be a direct report? How could a CEO not want this at their top table?

In addition, whilst boards do take information security seriously, many still lack the expertise to effectively interrogate the CISO to appropriately understand and appreciate the real risks that the organisation they govern faces. This is something that Chairpersons of boards need to address by ensuring that appropriate diverse skills are at board level. Almost every organisation requires technology to operate, and most of those organisations would be processing and storing sensitive information. This is relevant to every company registered with ASIC.

What is the role of a CISO?

As stated above, the definition of the CISO role is, in a word, confusing.

A CISO is a senior executive and should enjoy the same recognition that CFOs, CIOs, COOs, and CROs currently have. The world has evolved. Technology is now at the forefront of every company registered with ASIC. Sure, this can’t be seen as absolute; there is relativity at play, and that relativity is simply the difference in what sensitive data organisations process, transmit, and store.

With a CISO being a senior executive, they must be commercial, pragmatic, articulate, engaging, people-centric, transformational, tenacious, strategic, ethical and values-based, and be above reproach. As well, they must have technical skills in risk management, technology, information management, compliance, internal controls and audit; be able to understand contract legalese, negotiate, and sell; be astute; be able to consume large amounts of data and quickly make sense of it, and connect seemingly unconnected dots; be able to work well with law enforcement and connect with the industry; and be able to take a seat at the executive table and contribute to all aspects of the business. In other words, the traits of an executive leader.

Often there is debate as to whether Information Security is a business issue or a technology issue.

It’s a people-first issue. All the money in the world can be thrown at Information Security, with technology married to business requirements, and it will still fail because of people. Culture eats strategy for breakfast.

Always lead with a people-first agenda. This includes people metrics, executive leadership, culture, and engagement from everyone. Getting that right is a monumental step forward in achieving the right security posture.

As for whether it is a business or a technology issue: it’s both. Just people first.

So again, looking at the attributes of a CISO, it’s a senior executive role that is very much people and culture oriented. They aren’t there to police the organisation; they are there to engage with it, be part of the competitive landscape that their organisation faces, and provide solutions that enable the business to succeed. Security is not a tax for doing business. It is now a competitive edge, given that clients and customers care very much about what organisations do with their information and/or finances.

In terms of reporting line, as mentioned above, the CISO is now just as important as a CFO, COO, CIO, and CRO. The CISO must report directly to the CEO. Very few companies in Australia currently do this; approximately 1%, although no surveys with quantifiable data are available, so this is anecdotal. This is a fundamental failure on the part of both the CEO and the CISO in not appreciating that this is required.

Having a CISO report into a CIO (or any other role that is not the CEO) fails. The CISO must be independent of all other roles, and its importance must be recognised for what it is. With the recent breaches occurring and the impact they are having on the organisation (another entire paper could be written about the impact on their clients / customers), the seriousness and the consequences are no different from any other major negative event that an organisation would suffer under other senior executive roles. The CISO, with the right skill set defined above, can then help navigate the organisation through a crisis and, better yet, help prevent one from occurring in the first place.

How to engage effectively with the C-suite and Board and obtain the appropriate attention and budget required?

Let’s assume for a moment that the CISO now reports to the CEO and has the requisite skills outlined above. What happens now?

Most boards (appropriately) understand numbers, metrics, and the management of them. In other words, if you can’t measure it, you can’t manage it. So CISOs must communicate and engage with a board in the same way that boards operate today.

CISOs must create (with the help of the organisation) a series of metrics by which the board can measure the efficacy of Information Security. Without that, it is going to be extremely difficult to strike the right balance in the focus and attention that Information Security requires, and where that focus must be placed. There are several metrics that a CISO must consider providing to the board that are leading indicators of the efficacy of the organisation’s Information Security posture, including:

  1. People and culture – do staff have information security KPIs in their performance reviews? If so, what are the overall trends from one performance review period to the next? What security awareness programmes are in place, and is there evidence of positive behavioural change as a result? Is there a culture of people putting their hand up and saying “we should not be doing this” despite a potential short-term negative commercial outcome? Does the executive leadership team lead by example?
  2. Vulnerability management – does the organisation know what vulnerabilities it has at any given time? Does the organisation know how long it takes to remedy the critical and high vulnerabilities? Does the organisation have trends showing whether it is improving or deteriorating?
  3. Patch management – how often are patches applied?
  4. Incident management – how well does the organisation detect, identify, manage, and recover from security incidents?
  5. Change management – how do changes to the organisation affect Information Security?
  6. Application security – is the application security model dependable, and does it operate as intended?
  7. Regulatory impacts – is the organisation compliant with relevant regulation?
  8. Financial metrics – what is the optimised level and purpose of spending on information security?
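As an added illustration (not from the original paper) of how item 2 above becomes a leading indicator rather than a yes/no answer, the following turns critical/high remediation times into period-over-period numbers a board can track; the findings, SLA targets and quarter boundaries are constructed assumptions.

```python
# Added example (not from the paper): turns the vulnerability-management questions
# above into period-over-period board indicators. Findings, SLA targets and period
# boundaries are constructed assumptions for illustration.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

SLA_DAYS = {"critical": 14, "high": 30}  # assumed remediation targets, in days

@dataclass
class Finding:
    severity: str
    opened: date
    closed: Optional[date]  # None means still open at the reporting date

def period_metrics(findings, start, end):
    """Indicators for critical/high findings in the period [start, end]:
    median days to remediate what was closed in the period, the share of
    those closures that met the SLA target, and the backlog still open at
    the period end (deteriorating trends show up in all three)."""
    closed = [f for f in findings
              if f.severity in SLA_DAYS and f.closed and start <= f.closed <= end]
    durations = [(f.closed - f.opened).days for f in closed]
    met = [d <= SLA_DAYS[f.severity] for f, d in zip(closed, durations)]
    backlog = sum(1 for f in findings if f.severity in SLA_DAYS
                  and f.opened <= end and (f.closed is None or f.closed > end))
    return {
        "median_days": median(durations) if durations else None,
        "pct_within_sla": round(100 * sum(met) / len(met), 1) if met else None,
        "open_backlog": backlog,
    }

def trend(previous, current):
    """Label the movement in median remediation time between two periods."""
    prev, cur = previous["median_days"], current["median_days"]
    if prev is None or cur is None:
        return "insufficient data"
    return "improving" if cur < prev else "deteriorating" if cur > prev else "flat"

# Constructed sample findings spanning two quarters (not real data).
FINDINGS = [
    Finding("critical", date(2022, 7, 1), date(2022, 7, 25)),    # 24 days, misses SLA
    Finding("high", date(2022, 7, 10), date(2022, 8, 2)),        # 23 days, meets SLA
    Finding("high", date(2022, 8, 1), date(2022, 9, 20)),        # 50 days, misses SLA
    Finding("critical", date(2022, 10, 3), date(2022, 10, 12)),  # 9 days, meets SLA
    Finding("high", date(2022, 10, 5), date(2022, 11, 1)),       # 27 days, meets SLA
    Finding("critical", date(2022, 11, 20), None),               # still open
    Finding("low", date(2022, 11, 1), None),                     # not tracked at board level
]
Q3 = period_metrics(FINDINGS, date(2022, 7, 1), date(2022, 9, 30))
Q4 = period_metrics(FINDINGS, date(2022, 10, 1), date(2022, 12, 31))
```

The three numbers per period, plus the trend label, fit on the one-page summary the paper describes and show direction rather than a point-in-time count.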

This presents boards with meaningful numbers and trends that they can readily identify with, allowing the board to focus on the areas that matter. Naturally, if the above metrics don’t match where the key risk areas are for a particular organisation, modify the metrics. The above are simply offered as a guide or a starting point.

In terms of the senior executive leadership, a key reason why the CISO must report to the CEO is that if the role is not inherently part of that team, the above metrics and the resultant actions required will be missed. No one can advocate, lead, and drive improvement in those areas better than an effective CISO. Therefore, an organisation blunts itself on these issues and risks if it relies on a non-CISO to be the conduit at the table. Some executive leaders might argue that it is not the role of executive leadership to drill into the details. In part, that is fair, especially depending on the size of the organisation. However, the above metrics can be presented on one page, which then provokes a senior executive discussion at the appropriate level to maintain astute focus on these matters. That discussion can’t be held without the CISO present. It must be baked into the DNA of the organisation. It should be considered no differently from the financial performance of an organisation, which is most certainly discussed at the senior executive level.

How does a board and C-suite know what the right amount of budget to allocate to information security is, and what amount of security is enough?

Balancing costs and benefits is what separates standout leaders from their counterparts. A risk-based approach in information security is exactly this: applying a methodology to balance costs and benefits through the application of risk.

Information Security has been systematically underfunded over the past decade, which has given rise to the cyber attacks we see today. The compound annual growth rate of information security budgets has outstripped most expenses in corporate balance sheets in recent years, further evidence that our industry is playing catch-up with a highly successful and emboldened group of global attackers capitalising on our mistakes.

The CISO is left battling on all fronts in a highly contested environment and must use the application of risk to best address the organisation’s security shortfalls with a limited budget. The standout security leaders are those who understand the threat (adversary) to their organisation or industry and map this threat against their security posture (risk) to deploy their budget (people, process, technology) where it best mitigates those risks.

An example of where this was well executed: the CISO of a well-established organisation was made aware of a credible and relevant threat against publicly exposed infrastructure servicing their customers. The business could not afford for this customer application to be cut off from the world, and the protection control that would mitigate the attack would take four months to implement regardless of any budget constraints. Considering the business criticality, the CISO decided that while this waiting period was unavoidable, they would recommend the business take a risk-based approach of assuming that a breach would take place, and swiftly put in place 24 hours per day, 7 days per week people and technology monitoring of the exposed infrastructure so that the organisation would positively know whether the attack was taking place. The CISO furthermore put in place a strong process allowing the infrastructure to be shut down immediately should a positive breach be identified. Although the threat remained while the protection measures were underway, this CISO made a pragmatic decision by giving the business a risk-based approach: the risk to the business was so high in this circumstance that these measures needed to take precedence over other competing security priorities.

Taking a pragmatic approach that is people-led and engaged with the business, coupled with doing it in the form of risk management, will be key to striking the right balance in funding Information Security. Using the metrics detailed above, plus the risk register, allows the business to make informed decisions, again with the CISO having a voice at the table.

So what now?

To get to where organisations must get to, as outlined in this paper, transformational change must occur. It is not a step change. Nor is it a slow burn. Organisations that move quickly will be the ones that end up with the competitive edge and a much more effectively risk-managed information security environment.

This is a fundamental shift in thinking and approach. Some senior executives may even find the suggestions in this paper offensive and/or a threat to them. This must be overcome.

One of the best ways to achieve transformation is to seek outside help. There are so many areas that need to be addressed, including changing the thinking of the board, the CEO and the executive leadership, finding a capable CISO, and changing the culture of the organisation. A strategy and plan must be developed and implemented. Budgets must be assigned to get this done. Priorities must shift. It is that significant. Only those who have the foresight, the appreciation of the challenge ahead, and the appetite to perform this level of transformation will be the better CEOs of the future, and the shareholders, the customers / clients, and the staff of the organisation will be the beneficiaries.

Most organisations are not close to undertaking the above. As stated earlier in this paper, only about 1% of organisations have the CISO reporting to the CEO. This demonstrates the sheer challenge ahead.

The objective of this paper is to start the discussion about the elephant in the room. It is time for organisations to adapt and change in this wonderfully technology- and data-driven world that is enjoyed by most, and to keep security and privacy breaches at bay. Like it or not, the CISO is a senior executive position that must report to the CEO. Get over that hurdle first. Appreciate it, understand it, and then move forward.

The big question is – are you up for it?
