PODCAST: Will 2018 be the year of the CISO?

By Byron V. Acohido

Could we be entering the Golden Age of CISOs, chief information security officers? Perhaps.

CISOs at some big financial services firms have begun elbowing their way into the C-suite’s uppermost tier, reporting to the board of directors and/or the CEO and/or the audit committee, John Dickson, principal at Denim Group, told me in a lively discussion we had at Black Hat 2017 in Las Vegas.

Related article: Implications of the Deloitte breach

Dickson spends much of his time advising clients how to build software applications that are as secure as they ought to be. To do this well, he must immerse himself in the rising trends and myriad nuances continually shaping and reshaping the cybersecurity landscape.

Acohido and Dickson

We talked about how, in many organizations, the CISO post still doesn’t exist, or if it does, the CISO tends to be a technocrat, reporting to a CIO, a couple rungs down the power ladder, and thus possessing a muted voice, when it comes to influencing how an organization prioritizes data security.

Plates colliding

Yet in 2017, a couple of tectonic plates have collided. We could be on the verge of seeing the stature of CISOs elevated across the board. For one thing, it has been a banner year for high-profile breaches. Consider that as Equifax reeled from its astounding breach disclosure in early fall, the U.S. Securities and Exchange Commission, big four accounting firm Deloitte and fast food chain Sonic also admitted to catastrophic data losses. And then to cap it off, Yahoo confessed that hackers actually pilfered data for all 3 billion of its users in 2013.

Those high-profile data breach disclosures came on the heels of New York state’s trailblazing cybersecurity rules for financial services, which took effect last March. And Colorado recently became the latest state to impose data handling rules on certain businesses. In the wake of the Equifax breach, more states are likely to follow. Meanwhile, across the pond in Europe, the EU is preparing next year to roll out its revised General Data Protection Regulation, carrying stiffer data privacy rules that generally elevate consumers’ rights and impose steep penalties for violators.

Hard core rationale

“What this means is that now the CISO has more hard core business rationale for spending,” Dickson opined. “In the good old days CISOs would say, ‘We have to do this or we might get hacked.’ It was an abstract threat and risk that, candidly, most execs had a hard time quantifying.”

Savvy CISOs should view the specter of rising regulation, combined with the steady drumbeat of high-profile breach disclosures, as a godsend. It’s a chance to articulate why their company must embrace efficacious data security policies and employee training. And it’s a chance to delve into the well-spring of security innovations, readily on display at conferences like RSA and Black Hat, and methodically sift the wheat from the chaff.

Dickson and I had a lively discussion about how corporate behaviors — for large enterprises and for SMBs, as well — are likely to shift in response to these developments. For a drill down, please listen to the accompanying podcast.

(Editor’s note: Last Watchdog has supplied consulting services to Denim Group.)