The CISO has always been responsible for developing and executing an organisation’s information security program and cybersecurity policy. This includes overseeing procedures that prevent internal and external threats. Is the board still convinced of the CISO’s importance within the C-Suite?
In this roundtable debate, the speakers discuss the role of the CISO and the balance of power between the CISO and the board.
With Juliette Foster moderating, the speakers of this roundtable include:
- Mark Guntrip, Sr Director, Cybersecurity Strategy, Menlo Security
- Ronald Martey, CISO, GCB Bank PLC
- Krishnamurthy Rajesh, Director – Information Technology (Global), GreyOrange
- Adnan Ahmed, Head of ICT and CISO, Ornua Co-operative Limited
Functions, cybersecurity policy and the board
Moderator Juliette Foster started the debate by asking the speakers about the relationship between the security function and the board. “Do you think it has done enough to convince the board of its continued importance and therefore funding?”, she said.
Security is in a much better place than before, according to Menlo Security’s Sr Director of Cybersecurity Strategy, Mark Guntrip. In his current role, Mark oversees the organisation’s cybersecurity policy and operations. He described how the technical and business sides started to merge at one point. “As they talk to each other the board actually starts to understand what security does and the security function starts to understand what the board is looking for”, he stated.
In response to Juliette’s remark that the security function is now more integrated with the C-Suite, Ronald Martey, CISO at GCB Bank, agreed. He started off by stating: “We’re in a good place now”. Ronald believes that the security function is receiving more support from the board as the regulations put in place are “improving the maturity of the organisations”.
Cybersecurity policy and responsibility
The policies and regulations imposed by the board are considered more of an enabler for the business nowadays. This is what Krishnamurthy Rajesh, Director of Information Technology at GreyOrange, believes. “One thing protecting us from disaster is regulations”, he said. While cybersecurity has been seen as an individual responsibility, Krishnamurthy believes everyone needs to come together in a collaborative way. He is under the impression that this will increase productivity and ensure a better future for the business.
The idea that security is everyone’s responsibility, not just the CISO’s, is one that Adnan Ahmed, Head of ICT and CISO at Ornua, also entertains. He spoke about a series of security breaches in Ireland. “Last year we had a big breach with the health services authority”, he said. This in turn opened up the conversation of sharing responsibility.
Asking the board for money
Juliette picked up on a point Adnan made about the board taking interest in security and the CISO’s role. “Is it easier to get money at this stage because they want you to do more – you’re not having to fight”, she asked.
“It’s really the first time that security has stayed close to the top of the priority list”, said Mark. Despite this, he explained that CISOs still have to justify the cost and how they will utilise it. “If you show your worth [and] prove your worth then you’ll get the investments”, he said. Mark later added that if a CISO is unable to prove their worth, that leads to a more “difficult” conversation.
On a different note, Krishnamurthy believes the quantification of risk has become “very easy”. He added that before, IT used to be an isolated entity; but things have now changed. “Now, cybersecurity is not a technology, it is a mindset”, he said.
Who has the power?
Juliette asked the speakers whether they think the real power lies with the C-Suite or with CISOs, because CISOs understand the infrastructure. Adnan believes that CISOs and CIOs have the power when it comes to the board. Supporting his answer, Adnan told those on the roundtable that the board expects CISOs to come up with their own strategy and a step-by-step guide on how they are implementing it. “They gave you the money, now it’s up to us as CISOs to deliver on our promises”.
On the other hand, Ronald and Mark had slightly different answers, using words like “partnership” and “teamwork” in their reasoning. “You have to show the results and they have to be results that everybody understands”, said Mark. He argued that showing them the results would be quicker, easier and more agile. Krishnamurthy stated that CISOs shouldn’t be showing these results. “There is no such thing as showing the results – they should speak for themselves”, he said.
This roundtable was recorded at The Studio and made in partnership with Menlo Security.