CIOReview | NOVEMBER 2020 | CXO INSIGHTS

HIGH PERFORMANCE CYBERSECURITY
By Simon Goldsmith, Senior Director Information Security APAC, adidas

Former CSO at Facebook and Yahoo, Alex Stamos perhaps summed it up best when he said, "It's kind of a crappy job to be a chief security officer" because "it's like being a chief financial officer before accounting was invented." The absence of an executive playbook and the lack of a universal language to communicate with the business can be overwhelming. But while working in cybersecurity I've observed a few structural differences that elevate some teams ahead of the rest; there are often things they do which have made them more successful.

STRUCTURE

The first thing to say is that structure isn't about job titles. Nor is it about technical specialists (more on that later); this is about some key roles in cybersecurity teams that I've seen deliver transformational effects.

A cybersecurity leader

This is the strategic cybersecurity leadership position in an organisation and is ultimately responsible for cybersecurity performance. The leader (usually the CISO) needs to think bigger than preventing or managing the next incident; they must formulate a plan that articulates where they are now, where they want to be and how to get there. They are responsible for building digital resilience across all critical business functions. With the average tenure of a CISO often less than 2 years, it appears many organisations are over-emphasising the operational aspects of cybersecurity and not placing enough value on retaining a custodian to look after the long-term interests of the organisation.

The CISO needs to address several resilience and team performance areas, such as:
· Developing the organisation's digital resilience capabilities into a performant structure.
· Continuously adopting the best from others while creating the team's own standards to achieve the vision.
· Contributing back to the cybersecurity community and raising professional standards.

The CISO reporting line is debated frequently, and a lot has been said of the conflicts of interest in reporting to a CIO. But the common success factor I've seen is whether messages reliably reach the board in terms that they can understand and objectively assess. In this sense, it is important that cybersecurity is effectively communicated in the context of business performance and other operational risks. At the same time, the board's role in performing oversight and challenge of the CISO and his team is critical (see Non-Executive Director).

Strategy, intelligence & analytics

This is someone responsible for promoting the use of facts to make better decisions. The role focuses on data and evidence, whether at the technical and tactical level of security operations and application development, the operational level of risk management, or the strategic level of governance, technology strategy and resilient business performance. Across all business levels, it is rare that non-security people care about security arguments, and so this role needs to be expert at translating between data and technology specialists and business context. When collected, wrangled, and analyzed, data can provide tactical,