The CSO or the CISO: which is best placed in the corporate hierarchy?
Chair: Martin Gill
Mike Hughes – ISACA Central UK Chapter
Col Inderjeet Singh – Cyber Security Association of India (CSAI)
Dave Tyson – Apollo Information Systems
Mike Hughes notes that evidence of the two worlds of physical and logical security converging is ever present, and is visible to more people through smart homes, smart offices and smart cities. Achieving these sorts of outcomes requires a multi-disciplinary team. That said, anyone heralding these initiatives as examples of security progress needs to be mindful of the inherent security weakness in a key feature of these developments, the Internet of Things. Meanwhile, the pandemic has forced a rethink and made security people think differently: working from home on home networks using home routers presents another dynamic security challenge. In an engaging discussion about the roles of the CISO and CSO you will hear Mike make some interesting points about the collective need for all security personnel to understand the business risks (which of course are varied) and to be able to speak the language of business. Showing value is key, and that is the route to being in a position to make key business decisions and to having budget requests supported.
Col Inderjeet Singh notes that there is already considerable overlap between the roles of the CISO and CSO. You will hear him outline their different responsibilities and some of the differences and similarities in the work roles. You will also hear Inderjeet discuss the paradigm shift taking place in the world of the CSO: technology is now commonplace and has a cyber element to it, and newer technologies coming to the fore, such as the more widespread adoption of facial recognition and voice biometrics, offer new challenges. He talks about a ‘bloody line’ between the CISO and CSO; about how reporting lines differ; how each role has limited opportunity to show business acumen (however desirable that may be); and how modern challenges are being met head on by many in the workforce who have not been best prepared. Crucially, he notes that although merged teams have merit, the mindsets are different, doing both is difficult, and we should not underestimate that.
Dave Tyson starts by dropping what he calls a ‘grenade’, stating that arguing over the relative importance of the CISO or the CSO is a ‘silly argument’ when the overriding objective is securing the organisation. He makes the point that, in any event, the amount of money spent is not related to the security in place: it is not just a case of having security, it has to be used wisely. Similarly, how one organisation assesses risks has no relevance for others; technologies differ and so do risks, people, cultures and so on. In short, making comparisons is problematic. Moreover, Boards do not understand cyber, potentially giving the CISO an advantage where that person is the main knowledge point. Dave pushes the case for a holistic approach, emphasising the need for all security to think in business terms and for security to be ruthless in focusing on business outcomes. Doing this well requires all security personnel, and those who manage them, to be bold and prepared to step outside their comfort zones.
This webinar focused on the benefits of the CSO and CISO working together, but also on understanding the realities that make that problematic. Whether it is about the need to better understand the ways in which their respective skills can best be harnessed, the need to start from an understanding of the business and draw the two worlds together that way, or security personnel being prepared to be bold and think differently, these are all issues we will see play out. Many of us will be watching carefully.
13th May 2021