Dear CIO, You Must Support The CISO: It's For Your Own Good

Christos Syngelakis, Group CISO, MOTOR OIL [MOH: GA]

Christos Syngelakis, Group CISO, MOTOR OIL [MOH: GA]

Last year everything changed at incredible speed. The resistance to technology has probably been overcome by all generations. And you can see it. Technology transformation is everywhere changing exponentially how we are doing business in every sector. I’m not going to speak about the minority of regulated businesses with roles and responsibilities. I will speak about the majority of them which now understand that IT is everywhere and more and more IT directors are transforming into CIOs, taking their seat at the C-level table as stakeholders realize their strategic role and necessity in business strategy.

Now more and more of you are at the right level and share your knowledge with other C-level managers planning your business roadmap. You, CIOs, should share the vision to accelerate business via technology usage. But most of the time there is someone’s opinion missing over there. Most business stakeholders have the wrong feeling that IT is a bundle of knowledge and processes. In this bag they throw everything that is related to technology, assuming that someone from this “world” can manage all related topics. But IT is a science with different angles. And in this business world, there must be someone who can lead a strategy and a program for information security risks.

"Cios SHOULD SHARE THE VISION TO ACCELERATE BUSINESS VIA TECHNOLOGY USAGE"

Information security (IS) must act as a lever to achieve results. If business plans are not clear or are communicated late then the IS ends up trying to create a safe environment without clear goals. Usually, it ends up acting as an obstacle to the corporate effort. Seeing these blocking activities, the company, which cannot understand the reason, isolates the IS even more entering a spiral of inefficiency and devaluation from which, unfortunately, we suddenly wake up because of a negative event that brings the problem to the surface.

Information security is something separate from the IT operations. First of all, it is a culture. It must come from the business and return to the business being solidly blended with its strategy, performing actions to help achieve its objectives in the most proper way because most of the time doing things right, in the end, saves you money and time. But it must be understood that sometimes things are going to be implemented in the short or wrong way because business means risk. And business always takes risks. But these risks must be taken with the knowledge of existence and proper acknowledgement. Not by mistake.

Because, everyone is in a hurry to perform more before the others, to be more agile, to use more cloud, to outsource more, to get more from this magic new environment. Business sees IT security as the necessary evil. The brake that stops movement. Formula 1 teams invest huge amounts in brake technology in order to run faster. You should help businesses to understand it. And help the security person responsible to transform from the department of “No” into a CISO. If in your environment, such a person reports to you, then send him away from your structure. If he does not exist, ask for one.

A CISO needs many qualifications and a wide range of abilities to be effective in the business environment. And there is a wide area of responsibilities. Security strategy, risk assessment and management, choosing and implementing ISMS framework, vendor-related assessments are only a number of activities that must be performed. He should be able to talk to other managers in the project planning phase and not during or, in the worst case, after the implementation. It’s what can minimize some unrealized risks that you have forgotten, based on the business needs to “do it now”. This way someone, or a steering committee, will take the decision about the next steps. This should be the proper way to take decisions that mean risk.

It’s a big discussion if the CISO needs a chair at the table of the directors. But he definitely needs a structural communication channel in order to take the right inputs about business objectives and roadmap. And via this channel, he can give feedback on potential problems that he can see. His role is extended out of the pure IT environment. Information management is not related only with IT procedures and projects. Risk comes with outsourcers and vendors. And someone must lead the establishment off an incident response plan in order to be prepared if controls fail and an incident arises. If your environment is using operational technology (OT), the security manager’s help is more than necessary. OT most times is out of the radar of the IT person responsible and OT engineers build a fence keeping CIOs out of this environment. But the risk of OT closely or remotely managing industrial environments is huge and most of the time not weighted.

Dear CIO. For your business and for your own good. If in your environment there is no structural IT & OT security role, expose this problem. If they exist, give them a hand and help them to be accepted by the other managers, helping them build a proper and trusted communication channel.

Agile