IMHO: Wasted days and wasted bytes
Boards need to get serious about getting value from data.
Ten years ago, the role of Chief Information Security Officer (CISO) was almost unheard of in New Zealand. Cyber and information security tended to sit under the remit of the CIO or the CTO, buried alongside other responsibilities that fit into the broad umbrella term of IT.
Fast forward to today, and cyber threats and crime are near the top of the list of risks facing organisations. High-profile cyber attacks dominate the headlines, and boards and executives are evolving their thinking about what it takes to secure data and information.
Hilary Walton, CISO at Kordia, says that more and more organisations are appointing a CISO to oversee their information security.
“I think organisations are looking for business centric CISOs to take responsibility for this work, instead of the traditional IT Manager or CIO, because of the growing strategic importance of cyber and information security,” says Walton.
“Not only that, mitigating the risk posed by cyber criminals and the threat landscape needs a calculated approach. To put it in perspective, cyber-crime globally generated $6 trillion for hackers in 2021 – that’s more profitable than the global drug trade. Businesses, particularly those with high value data, really need a dedicated focus in this area to build cyber resilience.”
Another driver is the fact that cyber security is no longer solely about technical measures. While tools like firewalls, antivirus software and multifactor authentication (MFA) play a role in protecting against hackers, the human element is still very much a factor when it comes to protecting an organisation against a breach. A huge proportion of breaches occur due to human error – whether it be an unsuspecting employee clicking on a phishing link, or an accidental data leak by someone sharing the wrong document.
That’s why a CISO needs a good balance of both technical skills and business acumen to succeed.
“CISOs have to earn the respect of their cybersecurity rank and file, but they also have to be able to translate technology talk for the board and C-suite, to make it easier for the top tiers of the organisation to understand the impact,” continues Walton.
Another challenge, says Walton, is that it is virtually impossible for organisations to address every security risk at once, because they are unlikely to get the resources to handle them all, so the CISO’s ability to help the business prioritise is key.
From a soft skills perspective, a CISO needs to be curious and empathetic when it comes to risk management, in order to pragmatically make a way forward for the organisation.
They also require a growth mindset and the ability to prioritise learning with dedicated time allocation and structure to help themselves and their teams stay current on cyber security trends, technologies and processes.
“A CISO looks at a business’s cyber security posture holistically – blending strategies around people, process and technology. Governance plays a big role in cyber security in the modern workplace. One of the key things a CISO will do is set some deliverables and reporting around these three pillars as a way to quantify progress and highlight risk.”
“There is a need for leadership teams to have someone who can speak their language and translate the IT and cyber security risks into business terms. Also, there is a growing importance of change management, culture building, influencing, and communicating across the enterprise that a CISO should be undertaking, to ensure good cyber security awareness is embedded into the culture of the organisation.”
Hilary Walton CMInstD is the chief information security officer of the Kordia Group, responsible for the business-critical connectivity, cyber security and cloud solutions for clients in both Australia and New Zealand. Previously, she worked for MI5 in London and led the information security programme for the London 2012 Olympic and Paralympic Games.
Hilary has a background in organisational psychology, security and risk management. She was also a uniformed officer in the Royal New Zealand Air Force and has written a book and developed an app on how to improve security culture. She is a founder of the New Zealand Digital Leaders Network (NZDLN) and the Digital Culture Ideas network. Through her podcast series, and YouTube and LinkedIn channels, she is a thought leader on culture change, digital transformation, IT security and cybersafe parenting.
The views expressed in this article do not reflect the position of the IoD unless explicitly stated.