
Looking to improve cybersecurity? Fire some CEOs

Great article by Bill Siwicki

Running security and IT under a CFO or chief administrative officer is bound to be problematic because they typically lack a technology background. One expert’s alternative: Empower CIOs and all employees to innovate a culture of security.

There’s a big problem thwarting cybersecurity today and it has to do with people – those at the top specifically, according to Mansur Hasib, a cybersecurity professor at the University System of Maryland.

“Many executives have taken the view that cybersecurity is control of people, limiting people’s use, essentially telling people they are dumb, that they cannot use technology, that their ability to load software on their computers will be disabled,” said Hasib, who wrote the books “Cybersecurity Leadership” and “The Impact of Security Culture on Security Compliance,” and earned a doctorate in cybersecurity from Capital Technology University in Laurel, Md. “Most companies run IT and cybersecurity where IT professionals live in these hallowed halls and they do not share knowledge.”

As part of his doctoral dissertation on cybersecurity in 2013, in fact, Hasib conducted a national study across a wide swath of organizations in the U.S. and found that half of healthcare entities operate IT and cybersecurity efforts through non-IT officers such as the CFO or the chief administrative officer.

Further, one-third of healthcare organizations have no CISO and one-fifth have no plan to hire a CISO anytime soon. He said this is an enormous problem for healthcare cybersecurity today.

Hasib will speak at The HIMSS and Healthcare IT News Privacy & Security Forum, May 11-12, 2016, in Los Angeles, California.

“Anthem, which had the biggest security breach in healthcare, runs IT through its chief administrative officer,” Hasib said. “These executives, with their MBA backgrounds, have no clue about IT and security, so why is this person in charge of it? Yes, they have a CIO, but no real CIO should work for a CFO or CAO. If I am a CIO and I am not reporting directly to the CEO, then I am not a CIO.”

That problem starts in graduate schools, Hasib said, where the lack of focus on IT or cybersecurity is partially responsible for what London Business School researcher and professor Gary Hamel determined, which is that innovation and productivity in the U.S. are half of what they were in 1972.

Individuals and employees, on the other hand, are armed with greater access to technology than they have ever had. Today’s mobile phones and tablets, for instance, effectively democratize IT by putting it in just about everyone’s hands. As a result, the concept of technology run by a privileged few no longer works.

“That’s why there is a massive failure – the trust divide between executives and the common people,” Hasib explained. “Employees realize they do not have access or a role. But the reality is everyone handles data and technology, therefore the ultimate cybersecurity posture of any organization depends on people. Behavior of people determines ultimate success.”

Hasib learned about that massive failure when Anthem breached his own health data. And because of Anthem’s reporting structure, Hasib has a cure to the company’s cybersecurity woes that is blunt. “In order to improve cybersecurity, fire some CEOs,” he said. “If any CEO thinks their CFO can run their IT and cybersecurity, then that CEO does not belong in the CEO role.”

Hasib went on to say that the reason there has been such a decline in innovation in America – innovation by employees that is needed to bolster cybersecurity – is that Corporate America has put leaders on an anointed pedestal.

“We think authority is leadership, but it is not – knowledge is leadership,” he said. “Every one of us has some knowledge we can use to guide others in whatever it is we know. Leadership is guiding someone to a purpose, usually where that person wants to go. Management is forcing someone to go where you want that person to go. It is much better to inspire people and lead them to where they want to go.”

As such, any C-suite officer can inspire values in employees throughout an organization, values that in the case of cybersecurity can include, for example, loyalty, trust and innovation.

“A company that does not have the loyalty of the people in its organization will never have cybersecurity,” Hasib said. “Great companies have a culture where they allow people to take risks – and understand innovation by itself has risk.”

Hasib cited as an example a nuclear power plant he studied. Needless to say, safety was a value its leaders promulgated throughout the organization.

“There, safety is the culture,” he explained. “Every employee is incentivized. Their business is based on how many hours they can go without a safety incident. In healthcare, does any organization give incentives for how many days without data loss? You can certainly have a goal of zero data loss, that is easy enough. What if you rewarded people for that? Everything is negative today, and people are not excited about negative stimulus. Leaders should give people incentives and reward innovation.”

Cybersecurity must indeed be about continuous innovation, Hasib added. Without innovation, an organization will never have cybersecurity, and it’s people who create a culture of innovation.

Hasib will speak at The HIMSS and Healthcare IT News Privacy and Security Forum, May 11-12, 2016, in Los Angeles, in a session titled “Healthcare USA: How to Create a Human Firewall,” May 11 from 1:45-2:30 p.m.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

Rise of the CISO: Why the C suite needs a security chief

The CISO role is growing in popularity, but what does it actually mean for your business? Here’s what the role is responsible for and why CISOs are multiplying in the enterprise.


The latest C-suite executive role to step into the spotlight is the chief information security officer, or CISO. Even more focus was put on the CISO role when, in February, President Obama announced that the US government was planning to hire its first ever Federal CISO.

Obama’s announcement further justified what many organizations were already doing, which was assigning a specialized executive over security issues, instead of leaving them to be handled by the CIO or CTO, whose top priorities are typically a mix of innovation and operations. And, while the CISO is not a new role, it is still gaining popularity in the enterprise.

So, we’re going to break down what it is and why you might need one. Let’s start with defining the role.

What is a CISO?

Simply put, the goal of the CISO is to protect the business at all costs against present and future digital security threats.

Andrew Hay, CISO at DataGravity, said, “The CISO role is a true hybrid role that is responsible for implementing, defending, measuring, and communicating the security and privacy strategy of the organization to all of its stakeholders.”

And that “all stakeholders” bit is key—the CISO isn’t going to hold court with the executive team only. True CISOs will be working with employees, customers, and other partners as well, Hay said.

Additionally, the CISO role isn’t the typical “vision caster” most people associate with a CXO title. The CISO role is a mixture of strategy/big picture thinking and tactical skills. Most CISOs are coming from an IT security background, so they know how to directly implement and work with the systems they are recommending.

In terms of who they report to, Entertainment Partners CISO John Tooley said that he believes the majority report to specific executives, and not just the CEO. In his tenure, he said he has reported to the CIO and CTO. Other CISOs may report to the COO or the CFO.

What does a CISO do?

In a broad sense, the CISO’s functions revolve around risk—identifying risk, assessing risk, presenting risk, and implementing programs to combat it. The difficulty in the role, Tooley said, is doing these things in a way that makes sense to the business, but is also effective in driving real change.

Identifying and assessing risk are skills that are typically developed as a combination of the training a CISO has received throughout his or her career and the sense of intuition that develops over a long time spent in the industry. Presenting the risk becomes a bigger challenge in that it requires specific communications and sales skills to get other leaders on board with a solution.

“As opposed to other C-level executives, I think there is more of a communication challenge, taking highly technical language and translating it into business value and need. There is also the balance that needs to be struck between empowering employees and securing the enterprise, since insider threats represent one of the biggest security concerns,” said Ari Lightman, director of the CISO Program at Carnegie Mellon University’s Heinz College.

The CISO must champion the organization’s security in all that he or she does, setting security goals and milestones to help measure the success of that strategy. Lightman said some of the day to day functions that comprise the role may include the following:

  1. Secure the enterprise’s digital assets
  2. Educate and train employees and the extended ecosystem on security best practices and procedures
  3. Define and monitor access and permissions
  4. Hire and train security personnel
  5. Define budgets for security equipment and training
  6. Work with other C-level executives to ensure compliance with security procedures

And, that above list is not exhaustive. Ultimately, a CISO’s role will also be shaped, in part, by the needs of the industry they operate in and the needs of their employer.

The rise of the CISO

So, why are we seeing the CISO rise to prominence now? For starters, security is no longer purely a technological issue, and can no longer be constrained solely to IT.

“So there is awareness among senior management now that information security is really a risk issue, and risk is a business challenge that needs broader solutions,” Tooley said.

Another big issue is growth—there’s just more technology in the workplace than there has ever been before and it’s affecting organizations in new and interesting ways. The addition of DevOps, cloud, IoT, BYOD, and big data mean that the attackable surface is growing as well, and it needs a guardian.

“As a result, industry guidance, regulatory compliance standards, and the realization that security is a key component in business continuity and operational excellence, has led to the realization that the safety, security, and compliance of a company’s IT and information assets require an advocate at the highest level,” Hay said.

The 3 big takeaways for TheDigitalAgeBlog readers

  1. The CISO is an executive role that combines technical expertise with strategic vision to champion a security strategy for an organization.
  2. The CISO is responsible for acknowledging, analysing, and presenting risk. The communication of risk requires specific skills to help “sell” the solutions to mitigate against potential threats.
  3. The role itself is growing because the breadth of technology being implemented in business continues to grow. A CISO must understand how security risks affect the bottom line as well as how they impact IT operations.