In today’s data-driven business world, the Chief Information Security Officer (CISO) is no longer “the sole authority” when it comes to cyber risk management within a company.
The CISO’s role has evolved dramatically over the past decade. In the past, the CISO was often a technology-focused employee working in isolation from the organization in a data center. Cyber security was seen as a pure operational technology issue.
Evolving cyber risks and new data applications have forced enterprises to treat cyber security as a strategic technology issue and a business-wide problem rather than simply an operational one. Insurance Business caught up with Matt Palmer, CISO at Willis Towers Watson, to find out more about the ever-evolving role.
“Cyber security is a business issue and a risk issue, as opposed to purely a technology issue,” said Palmer. “There’s a lot of discussion around people being the first line of cyber defense and the first line of failure. The reality is, a company is not made of wires; it’s made of people who service customers. Therefore, cyber security needs to manage the people risk effectively as well as managing technology risk.
“The next phase in the evolution of cyber security is for companies to think about managing more than just bottom-line risk. Security functions often tend to focus on how to control and protect a business as it exists today. They might look forward slightly in terms of technology, but they don’t really look at security as an enabler for the business and an opportunity to drive top line growth.”
Effective cyber security is not easy. Companies are challenged by an evolving cyber risk landscape, tightening regulatory frameworks and heightened media scrutiny. This has transformed security from a back-room task into a front-office, customer-facing function, and it is never more customer-facing than at crunch time, that is, when a breach occurs, according to Palmer.
“The CISO role has changed from being the primary intel expert and person the company turns to for an authoritative answer on all matters security, to more of a facilitator of the organization as it tries to make the right decisions in terms of security, functionality and customer service,” Palmer told Insurance Business. “Security decisions are no longer solely for the CISO to make, but rather for the organization to make in line with its risk appetite and customer expectations.
“If you were to track back 10 years, cyber security would not have been present in the board room. But with the regulatory environment we have now, organizations have realized you can’t divorce your security approach from your business strategy, thus bringing cyber security to the attention of the C-suite. Of course, the CISO can’t expect senior executives to be technology or security specialists, but they can translate and flag up cyber security issues and facilitate the board in making decisions.”
Information and sensitive data are some of the most important and risky assets companies hold. The ownership of that data should sit with the person who decides to hold and use it, rather than with the CISO, Palmer explained. The CISO’s role with regard to data is partly to provide input for commercial decisions around product development, how to support customer data, how to collate or aggregate data, and, most importantly, to advise on the level of data complexity a company is prepared to accept in its supply chain.
“Data is now as valuable an asset as the cash organizations have in the bank,” he added. “The CISO has to understand how the risks change when organizations change the way they process data. Moving forward, the CISO is going to have to help businesses make strategic decisions about whether or not to expose themselves to a particular market or line of business, and perhaps even whether or not to produce particular products. The role is ever-changing.”