The evolving role of the CISO in line with executive management expectations – Roundtable


Jan De Blauwe, COO & Managing Director NVISO
Fabrice Clément, Director of Security Governance & Investigations Proximus
Marc Vael, Platform CISO Packaging & Color Management at Danaher Corporation
Claudio Bolla, Group Information Security Director INEOS
Moderator: Georges Attaya, Solvay Brussels School of Economics and Management

Cyber security remains an urgent and complex challenge for companies of all sizes. But how do you instill this urgency at top-management and board level, with the appropriate information? Who better to answer this question than top cyber security practitioners, at the 2021 Belgian Cyber Security Convention (BCSC)?

The bottom line for CISOs, or other senior people responsible for cyber security, is to have communication lines with top executive management and the company’s board. It is important to communicate regularly with the latter (e.g., at least once or twice a year).

The message of the CISO must be in tune with the background and expertise of their executive and board audience. Even if the people at board level do not necessarily have a technology background, they are quite often tasked with specific fields of interest, possibly technology- or security-related subjects. It is of great help for CISOs to have an executive sponsor who helps to establish a link with the board. Your communication with top executives and board members must fit their top-of-mind concerns, and for yourself, you must determine what you want to get out of the meeting. Do understand that it is the duty of the board to make strategic decisions in order to strengthen operations and reduce risks to the company by enabling appropriate measures. They must see the benefits of investing in cyber security.

How to inform?
A CISO can include in their communication elements such as updates on threats, new aspects of the cyber security landscape, constraints (e.g., new regulations) and updated security plans. Make every communication into a kind of ‘training’ for executives and board members, by making them understand the cyber security landscape. Keep their attention by ‘storytelling’: make it real, e.g., by referring to incidents published in the press. Use clear language (e.g., no acronyms). A final element concerns the budget. Don’t go into details about spending items, but ask for an envelope to implement the security objectives.

It certainly helps if the company’s sector already has a security and/or safety tradition (e.g., banking, telecom, chemicals…). Increasingly, it is necessary and possible to establish a link between operational security (e.g., production systems) and information security (e.g., billing systems), stressing the need for a comprehensive, holistic approach. The use of metrics may help, but facts are often more useful. Make clear what the risks to the business are (important in risk-sensitive or risk-averse industries). What would be the impact on the business in case of an incident? It is important that board members can make company and business decisions based on your information. Ultimately, a relationship of trust must be created, and the purpose of communication should be to instill a cyber security culture throughout the company, top to bottom.

Be accessible!
Above all, as a CISO, be available at any time to top management and the board in case of questions (or problems)! Any question is a good omen, as it proves interest. And do expect the question: “Are we secure?” Answer this question in terms of the business interests, and draw a roadmap for a more secure business operation (particularly in view of new or acute threats, e.g., ransomware). Actually, what they really mean is “What is sufficient expenditure to be secure?” Or better, nowadays: “How much must we spend to bring value to the company?” Questions may also be raised about security throughout the value chain (e.g., the security posture of suppliers…). And yes, do expect questions about cyber security difficulties the board members themselves experience!

You can (re)watch the roundtable by clicking on this link. The recording can be found in section 7 – Belgian Cyber Security Convention.
