If I were a CEO or a Board Member I would be pissed.
It is crazy to think that a business has to handle an overhead of compliance and also manage the burden of ‘real security’.
What I am suggesting makes auditors and the CEO go ‘bananas’.
CEO asks, “Why do I have to pay for External Audit, Internal Audit, the IT Security Department, and then have to absorb the costs of various compliance officers who are visiting and taking up staff resource time that directly and indirectly costs us money?”
The company has still not made money yet. There is no profit being generated yet!
Why is this happening?
Okay, here is what needs to happen … like really happen…
Businesses need to know how to control their intellectual capacities.
Company boards need to understand the ‘Current State’. Period. End of story.
When you ask the CFO for a Balance Sheet you get a Balance Sheet.
Since you don’t have an IT Security Balance Sheet what questions can you ask next?
- What safeguards are needed?
- What are acceptable levels of risk in regards to cybersecurity?
- What is a data breach response plan and how do we create one?
- Is there someone in the company who is capable of handling this area?
CEOs need to demand that there be one message.
I think that there needs to be a CISCO – a Chief Information Security and Compliance Officer.
It will be this person who will provide the answers to the above questions.
The Chief Information Security and Compliance Officer (CISCO) will be a merger of the CIO, data security department and legal compliance departments.
It was the role of the Chief Information Officer (CIO) and/or the CISO or CSO to make sure that the information assets and technologies were secure. They were responsible for creating and maintaining a vision, a strategy and a framework.
Fundamentally, it was the role of the CIO and CISO/CSO to minimize the risk of the company’s information technology.
I envision that this new role of the CISCO will be a merger of these two roles. But why?
I believe that the Board and CEO are going to be aggravated by so many opinions that someone will need to stand up and be the voice of the business as it relates to IT Security (real security) and compliance efforts.
It is better to look at what the CISCO will do than to ponder what is lost with the CIO and CSO.
What role will the CISCO play?
The CISCO will need to report directly to the board on a regular basis. This way, the board receives firsthand, in aggregated form, the information it needs to respond with the right questions, questions that are valid and useful to the business.
The report will need to be clear, concise, succinct, understandable and, I might add, visual.
The role of the CISCO will be to convey to the board the high-level points that show what the company has prepared, how it has planned its security, and how it will respond to a breach.
This becomes a type of elevator speech in which the CISCO’s role is educational as well as informative. It can be done in minutes, depending on complexity, and with excellent visuals.
Measuring acceptable levels of risk in regards to cybersecurity
So, what are acceptable levels of risk in regards to cybersecurity?
Risk of loss has to be the primary tool of communication by the CISCO. By doing this the CISCO will transcend to a level of business communications where only true logical dialogue can happen.
- What is the likelihood of this happening?
- Am I prepared to accept the risk?
- What is the cost to mitigate the risk?
Am I prepared to pay the premium to do so? And still not have a guarantee?
What do you mean you don’t have a guarantee?
The Senior VP of Sales says she needs 5 million in spending to pull off her sales plan to support the CEO’s vision of growth.
Is there a guarantee of this happening? What happens if she doesn’t hit these targets?
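Here is what the three risk questions above look like when they are actually worked for the board. This is an added illustration, not code from this post or from any of Bill Murphy’s tools; the risk register, the dollar figures, the likelihoods and the board’s risk appetite are all constructed assumptions. Each risk gets an expected annual loss (likelihood times loss), the safeguard’s “premium” is compared with the loss it buys down, and the residual loss after the safeguard is carried on the report precisely because there is no guarantee.

```python
from dataclasses import dataclass

# Constructed example: a tiny "risk of loss" register of the kind a CISCO could
# put in front of the board. Every figure below is an illustrative assumption,
# not data from any real company.


@dataclass
class Risk:
    name: str
    likelihood: float           # estimated probability of occurring in a year (0..1)
    loss: float                 # estimated loss in dollars if it does occur
    safeguard_cost: float       # annual cost ("premium") of the proposed safeguard
    residual_likelihood: float  # estimated yearly probability after the safeguard

    def expected_loss(self) -> float:
        """Expected annual loss with no safeguard: likelihood x loss."""
        return self.likelihood * self.loss

    def residual_expected_loss(self) -> float:
        """Expected annual loss after the safeguard. Never zero in practice:
        this is the 'no guarantee' the board has to live with."""
        return self.residual_likelihood * self.loss

    def risk_reduction(self) -> float:
        """How much expected loss the safeguard buys down per year."""
        return self.expected_loss() - self.residual_expected_loss()


@dataclass
class Decision:
    name: str
    expected_loss: float
    safeguard_cost: float
    residual_expected_loss: float
    recommendation: str


def decide(risk: Risk, appetite: float) -> Decision:
    """Answer the three board questions for one risk.

    appetite: the largest expected annual loss the board is willing to carry
    for a single risk without acting (its 'acceptable level of risk').
    """
    if risk.expected_loss() <= appetite:
        rec = "accept"       # within appetite: carry the risk, pay no premium
    elif risk.risk_reduction() >= risk.safeguard_cost:
        rec = "mitigate"     # the safeguard buys down more loss than it costs
    else:
        rec = "escalate"     # above appetite, but the safeguard does not pay for
                             # itself: a board decision, not a CISCO decision
    residual = risk.residual_expected_loss() if rec == "mitigate" else risk.expected_loss()
    return Decision(risk.name, risk.expected_loss(), risk.safeguard_cost, residual, rec)


def board_report(register: list, appetite: float) -> list:
    """One line per risk, biggest expected loss first, the way a board reads it."""
    decisions = [decide(r, appetite) for r in register]
    return sorted(decisions, key=lambda d: d.expected_loss, reverse=True)


def totals(report: list) -> tuple:
    """(expected loss today, expected loss after recommendations, premiums to pay)."""
    before = sum(d.expected_loss for d in report)
    after = sum(d.residual_expected_loss for d in report)
    premiums = sum(d.safeguard_cost for d in report if d.recommendation == "mitigate")
    return before, after, premiums


# Constructed register (assumed figures, not real data).
REGISTER = [
    Risk("ransomware on file servers", 0.20, 2_000_000, 150_000, 0.05),
    Risk("unencrypted laptop lost",    0.50,    60_000,  20_000, 0.02),
    Risk("DDoS on web storefront",     0.30,   500_000, 400_000, 0.10),
]
APPETITE = 50_000  # assumed board risk appetite per risk, per year


if __name__ == "__main__":
    report = board_report(REGISTER, APPETITE)
    print(f"{'risk':<28}{'exp. loss':>12}{'premium':>10}{'after':>12}  decision")
    for d in report:
        print(f"{d.name:<28}{d.expected_loss:>12,.0f}{d.safeguard_cost:>10,.0f}"
              f"{d.residual_expected_loss:>12,.0f}  {d.recommendation}")
    before, after, premiums = totals(report)
    print(f"\nexpected annual loss: {before:,.0f} -> {after:,.0f}; "
          f"premiums to pay: {premiums:,.0f}")
```

The “escalate” line is the one the CISCO cannot close alone: the loss is above appetite, the premium is larger than the loss it removes, and the board has to decide whether to raise its appetite, pay anyway, or change the business. The numbers only mean something if the likelihoods come from the experts described later in the post rather than from a guess.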
As a corollary, what is the objective of the CSO and CIO?
What about the CISCO?
- Maybe it is the CISCO’s job to keep the CEO off the cover of the national news due to a breach event!
Who supports the CISCO?
It takes experts in the field to support a CISCO and provide a transparent and thorough analysis of a company’s entire IT program.
These experts can effectively explain the company’s current state using a visual framework that business leaders can understand.
The role of the CISCO is supported by the IT department, the security team and the support systems staff. They provide research and examinations of existing practices, and suggest areas of improvement based on the company’s needs.
Armed with this up-to-date, relevant knowledge, the CISCO will keep the board informed.
What are the benefits of a CISCO for major companies?
There will no longer be the patience at the highest level for multiple reporting entities. The roles of the Chief Information Officer and the Chief Technology Officer are already blurred.
Add to this the need for up-to-the-minute cybersecurity, and it soon becomes apparent that a CEO or board does not have the time to consider and analyse these multiple reports.
How could they clearly ascertain where information and strategies overlap while looking at different reports?
Information security is crucial to the financial well-being of all companies.
What is needed is one person to oversee these important structures and to develop a clear plan that will move the company forward.
I envision that this role be taken up by the Chief Information Security and Compliance Officer.
Bill Murphy is an expert in IT Security at the CIO and CSO level. He has developed tools to assist top-level planners and executors of IT Security strategy and tactics. The CIO Security Scoreboard assists planners with developing and executing IT Security strategy and tactics.