Fighting the War on Cyber Crime Starts in the Boardroom

Matt Fearin, CISO, Epsilon

In today’s digital world, data security is more important than ever. Cyber attacks are all too common and no company is immune. It’s estimated that in 2016 alone, over 200 million data records were breached from both consumer-facing and B2B companies. And that’s just what has been detected and reported. It’s an absolute certainty there will be more, yet most organizations don’t have the correct structure, or, more importantly, the senior-level involvement and support, to properly address data security and information privacy threats.

How can companies get in front of data security issues, both to prevent them from happening, and to mitigate the unpleasant experience if (or, more likely, when) it happens? Perhaps I’m biased, but I believe that it starts with hiring and empowering an experienced Chief Information Security Officer who is part of the leadership team. The top priority of a Chief Information Security Officer (CISO) is keeping data and technology safe in a digital world, understanding the potential issues and leading best practices throughout the company. The CISO is a relatively new member of the traditional C-Suite; companies previously relegated the responsibility for data security to the Chief Technology Officer (CTO) or Chief Information Officer (CIO). Now, businesses are elevating and prioritizing the security function, making CISOs peers of the CTO and CIO, in order to provide the focus and specialization needed. Security issues are now part of daily life for all C-level business executives, with cyber security events often cited as the top business risk that needs to be managed.

Ensuring a company is properly handling and protecting data is a full-time job, one that impacts every level of the organization, from brand reputation to client services and from legal to technology teams. Think about it. A huge data issue creates upset customers, loss of information and PR nightmares, not to mention it challenges relationships with any existing external partners. For this reason, a CISO must be able to communicate and effectively deliver solutions across the entire company, ensuring all parties feel confident that they are implementing best-in-class security and have a comprehensive security response plan in place.


Below are my tips for successfully creating allies across the C-Suite:

Develop Strong Relationships with the ENTIRE C-Suite.

CISOs can’t be successful without the backing and trust of the full C-Suite. Security elements should be part of every business, marketing, technology and legal plan. Additionally, CISOs must have line of sight into the broader business goals and input into strategic objectives that have technical implications. Having strong relationships in place at the top of the organization will assist with addressing security issues effectively and efficiently. Nothing stops a security initiative faster than questions concerning its relevance, funding or value – the importance of data and information security should be embedded across the organization.

Sell in the Benefit and Importance of Data Security BEFORE Something Happens.

Clearly articulating possible or imminent data security risks on a frequent basis makes it possible to respond quickly to shifting threats. Technology alone will not address cyber security risks; there needs to be a strategic plan. Getting out in front of issues early and participating as someone helping the business to DO something, rather than to STOP something, is paramount for success.

Foster an Environment of Transparency.

Balancing requirements and strategy throughout the C-Suite requires the CISO to be highly transparent about risks, security capabilities and the ability to mitigate issues. Products and solutions should be evaluated openly and collaboratively. Additionally, the security organization carries its own risk and, as such, security’s capabilities, effectiveness and efficiencies should be reviewed, considered and ranked for complete transparency. Keeping everything behind the curtain will lead to failure over time. It’s important to inform the business, share any problems and work together to solve them.

Set Expectations.

In a previous role, I was once asked to eliminate all security risks associated with user access to a large suite of applications involving highly sensitive data. My response was that I could do it by removing all access. This was met with “that’s not realistic.” Well, neither is eliminating all security risks. As CISOs, we need to change the conversation about how we manage risk, through active engagement and recurring monitoring by all stakeholders. CISOs should be empowered to focus less on compliance and more on executing a risk-aware, risk-based approach throughout the organization. This will ultimately improve the ability to respond to security threats.

Listen to the Business Leaders.

CISOs need to go beyond just hearing what the business is going to do and what they’re trying to secure. It’s about using security to aid leaders in the creation of strategy, removal of hurdles and preparation for what the business will need to do, versus just reacting to what is being requested. By establishing recurring reviews of risk and security posture and truly listening to the business problems that need to be solved, CISOs can elevate the thought process and clear the path for the business to execute freely on innovation.

Evolve with the CIO.

Arguably the most important relationship for the CISO to foster in the boardroom is one with the Chief Information Officer (CIO). These two roles are evolving as informational strategy, security requirements and reporting needs change, and to be successful they need to work together. For example, the CIO is no longer simply a technology leadership role. Instead, it’s beset with demands for digital services that revolutionize the corporate model. CIOs need to drive revenue, customer engagement and innovation while working within strict cash limitations—a complex balancing act. Making the CISO independent of the CIO provides a higher level of objectivity and independence that should prove beneficial to the entire organization.

Businesses face tremendous risks in today’s highly digital, technology-driven economy. The more equipped and collaborative we are in our approach to cybersecurity, the more successful we will all be.
