The value of the Chief Information Security Officer has never been more evident, but is the role well defined and structured enough?
Banks have witnessed a spate of cyber breaches recently, with the financial sector experiencing 300 percent more cyberattacks than any other industry. More than 75 cyberattacks against financial services companies were reported in the first nine months of 2016.
A string of regulations requiring banks to adopt a more open architecture will further expose them to heightened cybersecurity risks, and the rapid pace of digitisation in banking will only add to that exposure.
However, the banking industry has yet to see increased responsibility vested in the role of the Chief Information Security Officer (CISO). A study by Gartner showed that only 20 percent of CISOs report to the CEO, with around 60 percent of them reporting to the Chief Information Officer (CIO) or another IT executive. With the growing importance of security in an organisation, this reporting structure may need to shift towards CISOs reporting directly to the CEO.
Fig 1. Majority of CISOs report to the CIO
CISOs need independence over their budget and the ability to influence the CEO
There have been instances of the IT budget being allocated unevenly, with cybersecurity spend, and hence the CISO, getting a smaller piece of the pie. Studies have shown that information security receives only three to five percent of the overall IT budget.
UK banks have seen some traction here: Barclays has merged its two security functions, with the previous Chief Security Officer (CSO) and CISO roles coming together under a single CSO. Lloyds has set up a cybersecurity advisory panel to bring an industry perspective on key cyber-related activities and threats. The panel is part of a subcommittee of the Board Risk Committee (BRC), and the Chief Risk Officer regularly informs the BRC of the bank's aggregate risk profile.
Decouple the CISO from IT?
Having the CISO report outside of the IT leadership could have several advantages:
- Direct oversight from the CEO and business leadership could ensure key security considerations are addressed in business strategy and associated investments.
- Reporting outside the CIO's line puts the CISO and CIO on a more equal footing.
- It could help organisations attract more experienced security executives who might expect to report directly to the CEO, not a CIO.
IDC believes that by 2018, increases in cybersecurity threats could result in 75 percent of CSOs and CISOs reporting to the CEO. Some regulators are even making it mandatory: in Israel, there are laws dictating that CISOs report directly to the CEO. UK banks should take a cue and become the financial services gold standard in cybersecurity governance.
Banks need to reconsider the CISO role for greater cybersecurity effectiveness
The primary goal of the CISO is not to protect technology but to protect the business. Though the position has risen in the organisational structure to the inner circles of the C-suite, a CISO's ability to set a budget and make decisions independently may still depend on where the position sits in that structure. Further, cybersecurity expertise has become increasingly important at board level, which has translated into higher salaries and, with them, higher attrition. Empowering CISOs might help mitigate this: increased representation on the board, direct reporting to the CEO, an independent budget allocation and a role in strategy formulation.