The field of the Chief Information Security Officer (CISO) is undergoing a development similar to the route taken by the CFO position in the past. The work of both officers is not essentially different; only the instruments differ. The CFO wants to obtain financial assurance, but also wants to save costs on all kinds of inefficient finance processes. You see exactly the same thing happening with information security. With the primary objective of a resilient organization, the CISO also looks at the security landscape from an economic perspective. His handicap, however, is that, unlike the CFO, things often go wrong during operations. That is every CISO's Achilles heel.
Although the field of the CISO is being taken more and more seriously, many CEOs still wonder: should we spend so much money on security? Can't we do that in a smarter way? Well, you can! We know from experience that an average company has about seventy security tools. Definitely overkill, because a company doesn't need that many tools at all. So why are they still being purchased? That's because the CIO, usually the boss of the CISO and the one who keeps the budget, can't afford an accident and lacks the knowledge to ask critical questions about the investment. Unfortunately, half of those tools are not used in practice and are collecting dust on the shelf. Situations in which a tool that costs two hundred thousand Euro, with high maintenance and implementation costs, has no more than two users are certainly no exception either.
The most professional CISO therefore stands next to the CIO, thinks critically about investment decisions and works on rationalization of the information landscape. Such a person has a staff, budget, mandate and power. Unfortunately, that type of CISO in the financial sector can be counted on the fingers of one hand. Most CISOs may have that ambition, but remain stuck in day-to-day issues and operate mainly reactively. That way, of course, you don't end up at the CEO's table as a serious discussion partner. Nor is shouting, like a kind of police officer, that security is not in order the way to achieve that. After a while, such a CISO is dismissed as a whiner in the organization. You reach the CEO's table, and stay there, by adding value: by contributing to the development of new revenue models. That type of CISO must also be able to make the financial translation. Such a person is able to demonstrate the effectiveness of security very convincingly by making it measurable.
What's positive for the CISO is that a new generation of leaders is taking office. The biggest misunderstanding about innovation is that the obstacle is the IT legacy; it is the cultural legacy. The average boardroom in the Netherlands is still mainly populated by the older generation with a background in finance and legal, who often only activate the hard assets and have less of an eye for intangible assets like data. They are often trained in the traditional principles of corporate governance and above all do not want to take risks. And IT is of course a – new – risk. In the past, investments in IT innovation were regularly dismissed in the boardroom with the argument that the regulator (for example the Dutch National Bank – DNB) would never approve of it. A real clincher. In fact, only the cultural legacy stands in the way of a definitive breakthrough for the CISO.
This article was also published in EY's "Eye on Finance" magazine.