Being a CISO in a changing threat and regulatory landscape

In an increasingly complex regulatory and threat environment the position of the CISO has been forced to evolve. Information Age discussed this transition with Matt Palmer, who recently moved from CISO to senior director of Cyber Risk Management at Willis Towers Watson.

Cyber attacks, incoming regulations such as GDPR, and increasing reliance on data and cloud technology means CISOs are fast becoming an normal and critical part of the c-suite.

The role is fast evolving – formerly seen as IT staff, the role now covers everything from dealing with hacks, to compliance and managing technology and how corporate data is used. The necessity for this highly specialized role is also driving a war for talent.

>See also: CISOs must have the capabilities to address 2018’s greatest threats

In this wide-ranging and exclusive interview with Information Age, Willis Towers Watson‘s recently-former chief information security officer (CISO) and current senior director of Cyber Risk Management, Matt Palmer, discusses this evolution and the growing demand for CISOs.

Can you tell me about this relatively new and evolving position of the CISO? What is expected of you?

It’s changed a lot over the last ten years, but particularly over the last three or four. When I started doing this it was very much seen as a technology discipline, and we’ve seen that widen to become more enterprise-based. You now have CISO’s starting to get involved in corporate culture, in organisational policies and so on. That’s definitely happened over the last few years, but actually, in a way that’s old news. That’s what has happened.

The big change that I’ve seen over the last couple of years is two-fold: One is the role of the CISO in how the role contributes to the company’s direction. It’s previously been seen as a business protection job, very much back office and behind the scenes – your job is to stop us from tripping over your own shoelaces. The change I’m seeing at the moment, the change I’ve been living in over the last few years, is the change from the CISO being just pure business control – you take the environment you’re given and you try and fix it or make it work – to really making a contribution to what that business environment is you are working in, and then helping to make the right business decisions so that you have a level of risk you are comfortable with for the products you are supplying. That’s the number one change.

The second change is linked to this, in that it’s always been the case that the relationship between the CISO and CIO has been absolutely critical. If that doesn’t work, it all falls apart – that’s always been the case as long as there been CISOs, regardless of what their reporting line is or where the company is, the two are very close together. But, now it’s more about the other stakeholders in the organisation.

>See also: Security resolutions for 2018: CISOs and beyond

The tendency over the last few years has been for CISOs to speak to the board more widely than the CIO, but that’s not the issue. The real issue is: how do you reach and communicate with and talk to executive management below the board in other functions with other priorities and interests; so HR or finance and other areas of the business.

As we see the shift changing from being about technology to being about people to, to now finally becoming about the data, you really have to have that wider perspective and you have to operational relationships with these other functions within the business. That’s a big challenge for a lot of CISOs, either because it’s not what they’re used to, or because it requires them to have a level of business sponsorship for that, which has not been in existence before – occasionally because it challenges the CISO/CIO relationship as well. There’s a lot that CIOs need to take into account with being comfortable with this new direction, and the fact that the CISO will likely be contributing to business decisions when the CIO may be much more focused on the practicalities of operating an IT environment. That relationship then changes as well.

The next change that we’re seeing is with legislative and regulatory change. So, GDPR is a very popular topic, but there’s more to it than that. We have a global business, and we see a lot just as much in the US as in the UK, and then also other jurisdictions as well. But, in the US for example, you have things like the New York Department of Financial Services whose regulations are reaching out much wider than New York. Often they’re nationally or globally applicable. And then you have GDPR legislation, because that is focused on who that data is held on rather than where you have to be domiciled – that’s also potentially globally applicable.

So, the final change, the other part of this, is the change in this regulatory environment and the fact that it is now massively more complex. You can no longer say ‘this is the UK, we’ll do it this way,’ or ‘this is the US, we’ll do it this way’. You’ve really got to find some way to integrate these different regulatory and legislative demands, and then deliver against it. And that can mean having to track against several hundred different regulations.

>See also: Plain sailing: a smooth journey for the CISO towards GDPR compliance

This massively increases the complexity, but it also means the first thing that your managing is the compliance environment in which you are operating, as well as the risk management environment in which you are operating.

Where do you think security sits as a priority for an organisation?

Prioritising security is no longer a challenge. When I started doing this you had to make a business case to boards that they should be investing in security. You don’t have to make that business case anymore. Boards know they need to invest in security, they know that if they don’t that trouble is going to follow, they know their clients expect it and so do the regulators.

The challenge isn’t making it a priority, the challenge is helping the board understand what they should do about that priority and targeting that message. In particular, companies do still tend to focus on the technology aspect of this. Technology aspects are often expensive, they require high levels of investment and they often require lots of executive-level attention. Getting the focus on some of the cultural aspects of security can sometimes be a lot harder.

Organisations have a lot of different priorities to manage, and the amount of time and effort that needs to be invested to build a security-aware culture, as opposed to doing another computer-based testing exercise to tick a box, that’s a considerable investment, not just of money but also of colleague’s time and attention. Therefore, it’s not just about winning the board over, it’s focusing it and winning the attention of HR teams, finance teams and teams around the organisation.

>See also: What are CISOs’ motivations behind threat detection investment

CISO’s really need to move from saying I need the board to agree that we have a cyber problem that needs to be addressed, to saying I need departments and functions across my company to really understand what it is I am trying to achieve, how we can achieve it together and how they’re part of the solution. This requires much higher levels of investment in winning hearts and minds, than just focusing on a few key executives.

Is there a concern over the increasing number of cyber threats against organisations?

I think there is an acceptance that bad things will happen no matter what you do. That is now fairly well understood, and very rarely now do CISOs get asked to provide absolute security. Boards understand that it is not a realistic target. However, that doesn’t detract from the level of concern that you have, because nobody wants that incident to happen to them. Some of the incidents seen have been existential.

In the last couple of weeks we’ve seen Mossack Fonseca close on the back of the incident that they had. When you look at what triggered that, it wasn’t just technical aspects, it was also business culture, and reputational damage. Regardless of what business you’re in, and regardless of your position, everyone is concerned about this, because these are events that sometimes executives don’t survive. These are the events that stock markets don’t forgive you for, and changes how you invest and deploy capital – sometimes for years to come. So there’s definitely a high level of concern, but the challenge for the CISO now, is now we have that buy-in that we need to invest to resolve this concern, is targeting that.

>See also: Cyber security – the unrelenting challenge for leadership

Being able to go back and say we know there’s a risk, we actually understand what this risk is, what the consequences of this risk could be for us quantiviley, is crucial in communicating what options we should progress to address this. If we try and do everything, businesses will just sink cash. So, businesses need to focus and the challenge is, helping boards understand where that focus needs to be.

Cyber is not something that should be technology-focused, or focused towards the CISO and CIO, but it should be applied to wider business decisions.

Do you think this new complex, regulatory landscape is an opportunity for businesses? Or is it more of a hassle?

I think it represents an opportunity for all businesses. The opportunity is to get beyond the hype – there’s a lot of fear, concern and excitement about this and sometimes we can get a bit carried away with it. But, fundamentally when you look at what these pieces of legislation are saying, a lot of it is common sense. If you were to just imagine going into a boardroom as CFO, and saying I don’t really know where our money is, they wouldn’t be listening to you for very long. Yet, as a CISO or a CDO, the board almost expects that this is a challenge that we’re trying to get to grips with: what data do we have? When you put it in those terms, the position that we’ve been in decades past feels a little odd, when you consider that data is often a number one corporate asset, if not the number two corporate asset. We can’t be having that type of dialogue anymore. We now need to be able to know, and this is what GDPR says: what data you have, why you’re using it, where it came from, what permission you have to use it, where it’s going and how to protect it.

At its simplest, this is a reasonable and sensible set of things that company’s should be trying to do. Obviously, there are complexities in delivering it, and that’s where the real challenge is. But I think you have the choice to see regulation as an ally. To some extent you just have to make that choice, because if you fight against it, it’s not going to be an easy journey.

>See also: The GDPR is not all doom and gloom

The challenge is addressing the complexity of it, and some of these aspects are particularly difficult, so you have a more principles-based approach in Europe – principles-based approach to regulation means you get quite clear legislation where you understand the intent, but you often have to do a lot of work to find out what exactly that means; and GDPR is a great example: yes I should have adequate controls, what constitutes an adequate control?

US legislation is often much more directive, and it will say you must encrypt your databases. This is quite easy to then go and do, but being able to sit back and say is this the right thing for me to do, should I be doing this and how should I be doing this, is sometimes harder because you’re chasing that regulatory goal. Marrying those two up can be a considerable challenge.

What advice would you give for those looking to navigate this increasingly complex regulatory environment?

If I had some advice for businesses looking to grapple with this challenge, I’d say take the highest common denominator, work out what it is that you need to do to be compliant with all the legislation that is going to apply to you and then try and do that. If you find that’s not sensible then work out how do I isolate that part of my network, how do I look at this data asset differently, do different standards generally apply to this?: And then you can derisk it and treat it differently. But if you start with that highest denominator and ask what is it that I really need to achieve, then that’s a much better journey than saying what’s the minimum I need to do in each of these different jurisdictions, because then you’ll spend the years just analysing the differences in regulatory terms and that’s time consuming, and not very helpful.

How do you think the financial services industry is changing with the advent of technologies like blockchain and IoT?

There’s a lot of talk about blockchain and a lot of people are very excited about what it’s going to do in the next year or two. I’m not one of them. I think blockchain has immense potential in the future, but like many technologies, I think it will be a slow burn. We’re maybe going to see that really impact financial services, and transactions specifically, over a 10 to 20 year time horizon.

Financial markets and institutions understand how that can change the way in which they operate. I’m not expecting to see a dramatic change in operational activity in the next couple of years. What we do need to do, is make sure that we understand these technologies properly as we deploy them. It’s interesting with blockchain in particular, a lot of the initial enthusiasm around blockchain and some of the virtual currencies that were built on it, is around things like anonymity, and we now see the price of this – these are also used for fraud, or crime, as well as for legitimate uses.

>See also: Cyber security professionals blame CEOs for data breaches

We need the regulation and business environment to catch up, and we need companies to work out how they can deploy these technologies successfully. And then, we need to understand the consequences. Whilst everybody’s been talking about the anonymity of blockchain, the truth is, blockchain will allow – for the first time ever – a complete transaction history of everything that’s ever happened. That’s not anonymity, it’s potentially quite the opposite. So, you also have to work out how that plays against privacy legislation, and that’s a lot of questions to ask before you even get into how to deploy the technology in way that empowers business. I think that yes, potentially it’s big but I think it will be decades before it will materialise.

IoT’s impact will be faster. Already, this technology is impacting areas like shipping and retail. Huge areas of operations in manufacturing or autonomous vehicles are all about embedding connected devices into processes. That is a very significant change, one that is not going to wait for business to catch up. That’s one that’s happening right now, and a lot of companies are saying that this is something that is happening to others or that’s restricted to particular industries.

The truth is, it’s something we all need to focus on. When you look at different types of cyber attack, traditional distributed denial of service attacks were scary enough when we were talking about service and desktops being taken over. When you consider billions of connected devices in that, it becomes much riskier. Also, when you consider some of the limitations around those, the ability to update operating systems, the ability to control the way that connectivity happens, the knowledge of these devices and the complexity of that environment, it’s a completely different ball game for security. So, I think the IoT is going to have a bearing certainly over the next two to five years.

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Cyber Attack