Welcome to Prove It – a round table approach to the Acceleration Economy in which our Analyst Network discusses, debates and defines pressing topics. John Siefert, CEO and Co-Founder of the Acceleration Economy Network kicks off the first episode focusing on the role of the Chief Information Security Officer (CISO). Analysts Bob Evans, Wayne Sadin, and Chris Hughes weigh in sharing their experience and expertise on the subject.
00:09 – John introduces the first topic of Prove It to spark a conversation on the role of the Chief Information Security Officer as well as where this position should report.
Meet the Analysts
00:50 – Bob Evans is the Founder of Cloud Wars and Co-Found of the Acceleration Economy. He is also a Cloud and Digital Business Analyst.
01:06 – Wayne Sadin has been a CIO, CTO, and CDO for 30 years. Additionally, he is a Lead Advisor and Board Member, advising others on how to use technology better. He is a Board Strategy Analyst.
01:23 – Chris Hughes is the Co-Founder of Aquia as well as a Cyber Security Analyst. Chris brings 20 years of IT and Cybersecurity experience to the table.
Where Should the CISO Report?
01:38 – John proposes the question “Where should the CISO report?” Chris shares insights, explaining how it is dependent on the organization and the industry. Furthermore, he suggests reasoning behind reporting to the Chief Risk Officer or Chief Security Officer, as it’s essentially a subset of these roles.
2:51 – Wayne chimes in on the importance of CISOs reporting to the board of their organization. In addition, he considers the conflict that could arise from reporting to the CEO.
5:44 – Bob emphasizes Chris and Wayne’s points about the organizational structure being a determining factor. However, he further elaborates on how it is also dependent on the future needs and direction of your company of what would result in acceleration to success.
6:43 – Does your organization have a traditional structure? Is reporting to the CSO an option? What are your organization’s priorities?
7:30 – Data integrity, security, and regulatory compliance are all non-negotiable concepts. However, when business transformation and optimization occur, we have to start considering ways to incorporate cybersecurity in from the beginning.
8:42 – If there are competing priorities, who would be the third-party decision-maker to handle those scenarios? What would the qualifications be for that decision-maker?
9:51 – “It has to start with the board taking interest in security as one of the business enablers, not as an impediment to be removed as a business enabler.” If you can express in business terms what risks you’re protecting, the business can understand and accept them. Then, it’s clearer what the business opportunity is and how it’s secure.
Industry Cloud Battleground Week
10:42 – On November 15th to 19th, join us for Industry Cloud Battleground Week. More information and registration for this 5-day digital event are available here.
Internet of Things and Risk Management
11:22 – The Internet of Things has contributed to the increase of potential risks. While IoT is an incredible new development, it also opens more opportunities for additional risks. Although it’s helpful to have this tool to put data in the hands of employees, it’s essential to evaluate these business imperatives in a secure way.
12:15 – As an enabler, it’s imperative for the CISO to be able to communicate the value of security measures as well as how it occurs.
13:05 – A large percentage of business operations is risk management. Wayne defines risks as something that businesses are presented with that you must spend money on to overcome or just accept. As the CISO’s main focus is on security, it’s a collective effort to determine solutions that keep the business solvent in the short term and growing in the long term.
Looking Back & Moving Forward
15:08 – Referring to a previous conversation, Bob talks about insights from a CFO about trends where companies are elevating CFOs higher up. So, they’re assuming the roles of what is traditionally for the COO. As the CFO’s role changes, so will the role of other positions, including the CISO.
16:04 – Leaders cannot be looking back and expect to move forward. They have to be looking forward to where they’re going with the company and their strategy while considering the shifts in the marketplace.
16:43 – The analysts discuss how changing organizational structure causes disruption among businesses. Security is everyone’s job.
17:05 – Revenue is an area that organizations need to think about. A major factor in companies getting selected as vendors is how the company can execute its technology. Wayne shares an old phrase, “Information about money is as valuable as money itself.” Think about the enablers of your products that make you more valuable.
Final Thoughts on the CISO
18:15 – Ultimately, who the CISO reports to truly depends on the organizational structure. Chris drives the point that security is not the business, but an enabler in making the business successful and secure.
19:02 – As an organization, from the board down, it’s important to be talking about how the risks the company faces, how to mitigate the risks, and the opportunities that mitigation allows you to seize. Wayne says that while the CISO needs to be part of that conversation, the CEO, the board, and every decision-maker within the company also need to be involved.
20:04 – Bob shares a perspective that the CISO will present a 3-year plan to the CEO and board. Then, by proposing this plan, they would not need a CISO anymore.
20:42 – John concludes that although we are in challenging times, we are surrounded by opportunities for growth.