CIO, IT director, call it what you will: in any large organisation, they are responsible for managing the systems that support the delivery of its strategy. In some instances, those systems will define the company’s products and ability to serve its customers. And when a cybercriminal targets a business, it is those systems that come under attack.
It might seem, therefore, that the CIO is responsible for cybersecurity. It is, after all, his or her job to deliver a robust systems architecture that runs efficiently and effectively, free from disruption and uncompromised by the actions of undesirables. Not necessarily, says leading global provider of risk solutions Kroll.
“CIOs deliver the systems on which a business runs, which involves implementing both the systems and the procedures that comprise the controls for cybersecurity,” says Andrew Beckett, managing director and EMEA cyber risk practice leader at Kroll. “But the rules should be set by someone else.”
“It may fall to the chief information security officer (CISO), for example, to align those controls with the level of acceptable risk on which the board decides,” he adds. “In that way, the CIO is not marking their own work. They should have a role in the delivery of the controls, but not overall responsibility for cybersecurity strategy. That should be set by someone else who reports to the board, sets the controls and works with the CFO and the CIO.”
Cybersecurity is not entirely a technical issue, but it is a core responsibility of any data-rich or IT-heavy organisation. It is a responsibility that is shouldered by several executives, each carrying part of the burden. The CFO, for example, decides how much risk the organisation is prepared to bear, while the CISO takes on the responsibility for defining the controls that need to be put in place, and the CIO carries the technical load on a budget provided by the CFO and based on the board’s assessment of risk. An effective cybersecurity strategy, therefore, relies on effective communication between all parties. But that is often where the real difficulties lie.
Communication is key
In his work for Kroll, Beckett has been party to the conversations that take place between the technical experts in an organisation and the executives who define corporate strategy and set budgets. It is part of his job to ensure that those conversations are fruitful.
Kroll is a global consultancy that offers a range of services in the cybersecurity space. It can help an organisation – be it a FTSE 100 multinational or an SME – to fully understand cyber risk and define policies, procedures and practices to mitigate it. Kroll can also assist businesses in identifying both technical and non-technical controls, which it can then audit, as well as implementing the required reporting mechanisms, including processes for reporting cyber risk to the board. Above all, Kroll can provide its customers with training on risk and awareness, test the ability of a company to respond to specific cyberthreats and, through its global incident response teams, assist with forensic investigations following a cybersecurity breach.
“We can even undertake malware reverse engineering to understand what the code was after,” Beckett remarks. “Kroll helps organisations learn about the attackers themselves. We have supported businesses in responding to ransomware cases and the exfiltration of data, which has been growing trends in the past year.”
“We can assist with breach notification and, in some instances, deliver restoration services, which might entail cancelling credit cards that have been fraudulently taken out in a person’s name and restoring the victim’s credit rating. No one else delivers that breadth of service with global reach.”
Kroll’s advice is, therefore, focused on technical, tactical and strategic levels. With this holistic view, Beckett and his team are able to see the problems that arise when communication concerning technology, policy and procedures is unclear.
A good example is remote working – something that is familiar to some, but for others has only become a reality in the past few months as a result of Covid-19. For many organisations, working practices have changed, opening up new vulnerabilities. For example, one major technical problem that the CIO may need to address is shadow IT, when copies of data are taken outside a company’s firewall.
A sales team on the road might find the VPN provided by the company to be slow, creating the temptation to keep a version of their data on their laptops, where it is more easily accessible. If a person is engaged in vital research, they may wish to take a copy home to work on outside office hours. These and other instances take data outside an organisation’s IT infrastructure and, as a result, out of corporate control.
“The risks of shadow IT can be huge,” says Beckett. “That has been a major issue during Covid. Corporate data was being accessed on home PCs without enterprise firewalls. There are also questions over how secure home broadband is.
“Since March, we have seen a spike in breaches with rapidly rolled out VPNs, often free versions or older versions that had not been updated,” he continues. “There are some massive vulnerabilities in that situation. They are, essentially, tunnels under the firewall.”
The technical aspect is the responsibility of the CIO’s team. The communication about policy falls to everyone in the boardroom. But does the CFO need to understand the intricacies of VPNs? No, but they should be able to speak to the CIO about potential vulnerabilities and their impact on the company’s risk profile, and then be able to talk about them in a language the board will understand to ensure the right controls are in place.
The CIO, the CFO and the rest of the board also need to be on the same page when it comes to responding to cyberattacks. “The balance of prevention and response is like a game of whack-a-mole,” says Beckett. “We are moving away from building bigger walls to keep the bad guys out. Now, there is more focus on detecting unusual activity. Rapid detection can greatly mitigate the damage done.”
“It is not the breach that kills you, but how you respond,” he adds. “If you look at high-profile cases, the damage comes from the response and the market perception of that response. In this case, everyone has a seat at the table including legal, HR, communications, the CFO, the CIO and the rest of the board.”
Break the language barrier
Kroll, as a risk consultancy, is uniquely placed to guide the CIO, the CFO and all other interested parties through the process of setting controls and communicating policy. Those conversations are not always easy, though.
“CIOs can sometimes be confrontational,” Beckett explains. “They can react as if we are marking their homework, but that is very rarely the case. In most instances, CIOs need help communicating with the rest of the board. This might involve creating a dashboard that the board can understand, so that its members appreciate the steps that the organisation is taking to defend itself against cyberattacks.”
In most instances, however, companies understand the need for the kind of advice Kroll can provide and want to bridge the gap in understanding between all of the teams responsible for cybersecurity. “Sometimes the CIO welcomes us, not least because what we do affects their budget for the next year,” Beckett says. “Kroll acts as an independent auditor for the CIO’s efforts to deploy sufficient cybersecurity measures.
“The balance of prevention and response is like a game of whack-a-mole. We are moving away from building bigger walls to keep the bad guys out. Now, there is more focus on detecting unusual activity. Rapid detection can greatly mitigate the damage done.”
“Other times, the CIO calls us in,” he continues. “They may not have a cybersecurity budget, but they may be aware of the risk and want us to help create an independent report on that risk in order to get that budget. On some occasions we can say that the CIO is doing a great job but needs the right tools and support – in which case, everyone wins.”
Areas of expertise at board level do not need to overlap, but they do need to connect. “The CIO, the CFO and the rest of the board need to communicate in a language that everyone understands,” Beckett concludes. “Often there is still a gap between the technical community and the boardroom. What we need is more tech leaders to do MBAs or other training in order to communicate with the board.”
In cybersecurity, technology plays its part, but communication – internally and externally – is one of the biggest weapons in any company’s arsenal.