The evolving role of the CISO in line with executive management expectations – Roundtable


Jan De Blauwe, COO & Managing Director NVISO
Fabrice Clément, Director of Security Governance & Investigations Proximus
Marc Vael, Platform CISO Packaging & Color Management at Danaher Corporation
Claudio Bolla, Group Information Security Director INEOS
Moderator: Georges Attaya, Solvay Brussels School of Economics and Management

Cyber security remains an urgent and complex challenge for companies of all sizes. But how to instill this urgency in top-management and board levels, with appropriate information? Who better to answer this question than top-cyber security practitioners, at the 2021 Belgian Cyber Security Convention (BCSC)?

The bottom line for CISOs or other top people responsible for cyber security is to have communication lines with top executive management and the company’s board level. It is important to regularly communicate with the latter (e.g., at least once or twice a year).

The message of the CISO must be in tune with the background and expertise of their executive and board audience. Even if the people at board level do not necessarily have a technology background, they quite often are tasked with specific fields of interest, possibly technology/security related subjects. Of great help is for CISOs to have an executive sponsor, helping to establish a link with the board. Your communication with top executives and board members must fit their top of mind concerns, and for yourself, you must determine what you want to get out of meeting. Do understand that it’s the duty of the board to make strategic decisions in order to strengthen operations, and reduce risks to the company by enabling appropriate measures. They must see the benefits of investing in cyber security.

How to inform?
A CISO can include in his communication elements as updates on threats, new aspects of the cyber security landscape, constraints (e.g., new regulations) and updated security plans. Make every communication into a kind of ‘training’ for executives and board members, by making them understand the cyber security landscape. Keep their attention going by ‘storytelling’: make it real, e.g., by referring to incidents published in the press. Use clear language (e.g., no acronyms). A final element concerns the budget. Don’t go into details about spending items, but ask for an envelope, to implement security objectives.

It certainly helps if the company’s sector already has a security and/or safety tradition (e.g., banking, telecom, chemical…). Increasingly, it is necessary and possible to establish a link between operational security (e.g., production systems) and information security (e.g., billing systems), stressing the need for a comprehensive/holistic approach. The use of metrics may help, but facts often are more useful. Make clear what are the risks to the business (important in risk sensitive/risk averse industries). What would be the impact on business in case of an incident? It is important that board members can make company/business decisions based on your info. Ultimately, a relationship of trust must be created, and the purpose of communication should be to instill a cyber security culture throughout the company, top to bottom.

Be accessible!
Above all, as a CISO, be available at anytime to top management and board, in case of questions (or problems)! Any question is a good omen, as it proves interest. And do expect the question: “Are we secure?” Answer this question in function of the business interests, and draw a roadmap for a more secure business operation (particularly in view of new or acute threats, e.g., ransomware). Actually, what they really mean is “What is sufficient expenditure to be secure?” Or better, nowadays: “How much must we spend to bring value to the company?” Also, questions may be raised about security throughout a value chain (e.g., security posture of suppliers…). And yes, do expect questions about cyber security difficulties the board members themselves experience!

You can (re)watch the roundtable clicking on this link. The  recording can be found in the section 7 – Belgian Cyber Security Convention.

Share this useful content with friends:

Follow us on social networks:

Other blog posts

NIS-2: Where are you?

In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.  

SANS Experience Sharing Event

The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.

Privacy Focus Group – Practical AI Use Cases

It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.

30 November: Computer Security Day: Ada Lovelace

On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.

Share this useful content with friends:

Follow us on social networks: