Dave Edwards
The role of the Chief Information Security Officer (CISO) has never been harder as cyber attacks become ever more prevalent, sophisticated, and damaging. As a CISO, you also face growing pressure from regulators and increasing expectation to act across the C-suite, while all the time grappling with a mounting shortage of cyber security specialists.
Success depends on your ability to navigate this complex and fast-shifting landscape. Key questions for you as a CISO include:
It’s important to ensure that there is clarity and alignment amongst the leadership on the cyber risk appetite and overall cyber strategy to achieve target risk positions. This includes having a clear, pragmatic plan to address the priority risks that sets out the major remediation activities and capability building required to increase cyber resilience. This will help build confidence, set the narrative and secure the right level of investment. You will need to work strategically across the C-suite to help break down complex topics and make them digestible and intelligible for senior executives.
There should be clear ‘lines of defence’ for cyber risk management, with ownership of the risks and operation of the associated controls being separated from risk management oversight and governance.
This is perhaps even more important for cyber security than in other areas of non-financial risk management, given the complexity of the threat landscape and diversity of the risks, which means that it isn’t always possible to objectively measure control effectiveness.
Having a second line of defence to provide objective oversight and challenge on risk assessment and control effectiveness will help to ensure that executives have the highest quality information on which to base business decisions.
Cyber defence must not just be seen as a security or IT exercise. Encourage executive teams and Boards to lead the security culture across the organization, emphasising their understanding, communication and action on cyber security issues to the rest of the business.
It’s likely that you’ll need to invest in training and development for your cyber security teams to handle sophisticated threats and new technologies. With cyber specialists in short supply, you can consider bringing in and upskilling talent in functions such as risk or IT. To enhance understanding across business leadership, you might also consider executive-level training and awareness sessions to better equip senior leaders to have productive conversations on cyber.
You should ensure oversight and control over your most critical third-party relationships, such as conducting risk assessments and due diligence where possible, whilst ensuring robust security protocols are in place around sharing sensitive data. But more importantly, aim to build relationships and co-ordinated rehearsed response plans so that should the worst happen, you can collaborate effectively with your partners to contain incidents quickly and restore services.
At Berkeley, we have experience of helping CISOs answer these questions through all stages of their cyber journey. We can help you to:
Discover the key cyber-related questions other members of your leadership team should consider
Strengthen your security and readiness to respond. Read more.
Ensure external stakeholders are satisfied. Read more.
Ensure your supply chain security. Read more.
Know the right questions to ask to cut through the jargon. Read more.
Enhance your security and risk management. Read more.
Allocate the right roles and responsibilities. Read more.
Create a culture of security across your organization. Read more.
Share: