Cybersecurity cannot manifest itself as a roadblock to business. It needs to be a business enabler, helping companies increase efficiency, streamline operations, and ideally improve their bottom line. However, this is easier said than done, and with cybersecurity being a 24/7 challenge, recruiting and retaining staff can be a problem.
Samir Aliyev, CEO and Founder of the Swiss Cyber Institute has been talking with Dimitri van Zantvliet, Cybersecurity Director / CISO at Dutch Railways. In this interview, Dimitri has been discussing how he views problems in the field of cybersecurity, such as talent shortage and staff retention, as well as the pros and cons of WFH from a CISO’s perspective. Read the full interview below.
Common ways to assess the value of a senior executive to an organization’s business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?
Measuring the impact of a CISO’s role on the top and bottom line may not provide a complete picture of their value to the organization. There are several other ways that an organization can measure the value of a CISO such as:
Risk reduction: The primary goal of a CISO is to reduce the organization’s cybersecurity risks. Measuring the reduction in security incidents or breaches over time can be a useful metric to gauge the effectiveness of the CISO’s strategies and initiatives.
Compliance: Compliance with various regulations and standards is critical for organizations. The CISO’s role in ensuring that the organization is meeting these requirements can be measured by the number of audits passed, compliance scores, and regulatory fines avoided.
Incident response: Cybersecurity incidents are inevitable, and the CISO’s role in mitigating the impact of these incidents can be measured by the speed and effectiveness of their response. Metrics such as mean time to detect and mean time to respond can be used to evaluate the CISO’s incident response capabilities.
Business enablement: The CISO’s role is not only to protect the organization from cybersecurity risks but also to enable the business to operate securely. Measuring the CISO’s ability to enable the business while maintaining a strong security posture can be done through employee training and awareness, security assessments for new business initiatives, and security performance metrics for business units.
Executive buy-in: The CISO’s role requires support from other senior executives to effectively implement cybersecurity measures. Measuring the level of executive buy-in and support for the CISO’s initiatives can be a useful metric for evaluating their value to the organization.
In summary, the value of a CISO can be measured by a combination of metrics that evaluate risk reduction, compliance, incident response, business enablement, and executive buy-in.
The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?
I believe having a seat on the board is uncommon and many times unnecessary. Having a position directly under it, however, can be a valuable asset for a CISO, as it demonstrates the importance of cybersecurity to the organization and provides a direct line of communication to the board. It can also help to ensure that cybersecurity is integrated into the organization’s overall strategy and decision-making processes.
So, it is not always necessary for a CISO to have a seat on the board to be effective. What is more important is that the CISO has direct access to senior leadership and is able to effectively communicate the importance of cybersecurity to the organization.
In terms of reporting structure, it is important that the CISO reports to a board member who understands the importance of cybersecurity and is committed to providing the necessary resources and support to the CISO. Ideally, the CISO should report to a C-level executive such as the CEO, CFO, or COO, who can help to prioritize cybersecurity initiatives and ensure that the CISO has the necessary authority and budget to carry out their responsibilities.
Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?
I believe that the CISO’s role is evolving to become more strategic, collaborative, and business oriented. While technical expertise is still critical, it is no longer enough to protect against the evolving threat landscape. Our primary role is to enable the business we work for.
CISOs must be able to understand and articulate the risks and impacts of cyber threats to business leaders, while also collaborating with other departments such as legal, compliance, and risk management to implement effective cybersecurity measures. The CISO should work closely with other business units to ensure that cybersecurity is integrated into all aspects of the organization’s operations.
Additionally, the CISO should stay up to date with the latest trends and developments in the threat landscape, as well as emerging technologies and security solutions. They should also prioritize continuous learning and development to keep their skills and knowledge current
While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?
Yes, there are often competing priorities and differing opinions on the best approach to managing cyber risks.
One of the main challenges is balancing the need for security with the need for business agility and innovation. Business leaders may prioritize speed and agility over security, which can create vulnerabilities that cybercriminals can exploit. The challenge for the CISO is to find a balance that enables the organization to operate securely while still meeting business objectives.
Another challenge is communicating the risks and impacts of cyber threats in a way that resonates with business leaders. Cybersecurity can be a complex and technical subject, and it can be difficult to convey the potential impact of a cyber incident in business terms. The CISO must be able to clearly articulate the risks and impacts of cyber threats and the potential consequences of not addressing them.
Also, there may be disagreements about the level of investment required to address cyber risks. Cybersecurity is a long-term investment, and the benefits may not be immediately visible. It can be difficult to convince business leaders to invest in cybersecurity when they may not see immediate returns.
So, one needs experience, diplomacy and an entrepreneurial mindset to push the cyber agenda forward.
Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?
It seems that there are shortages in every talent pool nowadays, but cybersecurity is topping the ranks indeed. We must be extremely creative (add that to the CISO skillset too ;-). Some ideas:
Develop partnerships with educational institutions: CISOs can partner with universities, community colleges, and vocational schools to identify and recruit talent. This can involve sponsoring internships, participating in career fairs, and collaborating with professors to develop cybersecurity curricula that meet the needs of the organization. Me and my cyber colleagues frequently deliver guest lectures at universities for that reason.
Create a strong employer brand: CISOs can develop a strong employer brand by promoting the organization’s commitment to cybersecurity, investing in employee development and training, and offering competitive compensation and benefits packages. This can help to attract top talent and retain existing employees. I personally spend quite some time on social media for this sole purpose and believe me, it really helps.
Invest in employee development and training: CISOs can invest in employee development and training to retain and develop talent. This can involve offering opportunities for career growth and advancement, providing ongoing training and development, and creating mentorship and coaching programs. We recently hired three people from within our organization that have a totally different background. One came in as a train driver with cyber-skills, one as a cyber savvy safety guard and the last one as an internal IT auditor. We will give them guidance and education and our fullest support.
According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?
The shift to remote work during the COVID-19 pandemic has led to many cybersecurity professionals preferring to work from home which was also horrible for our business “providing mobility from door to door”. While WFH can offer benefits such as increased flexibility, improved work-life balance, and reduced commuting time, it can also present challenges for us CISOs.
Blessing:
Increased flexibility: WFH can offer increased flexibility to cybersecurity professionals, allowing them to better balance their work and personal commitments. This can lead to improved productivity and job satisfaction.
Access to a wider talent pool: WFH allows organizations to recruit talent from a wider geographical area, which can lead to a more diverse workforce and access to specialized skills.
Reduced infrastructure costs: With more employees working from home, organizations can reduce their infrastructure costs, such as office space and utilities.
Curse:
Increased cybersecurity risks: WFH can increase cybersecurity risks, as employees may be working on unsecured networks or using personal devices that are not properly secured. This can make it easier for cybercriminals to infiltrate the organization’s network.
Communication challenges: WFH can lead to communication challenges, as cybersecurity professionals may not have the same level of face-to-face interaction with their colleagues and may rely more heavily on email and messaging platforms. This can lead to misunderstandings and miscommunications.
Reduced collaboration: WFH can reduce collaboration and knowledge sharing, as cybersecurity professionals may not have the same level of interaction with their colleagues. This can lead to silos and reduce the effectiveness of the cybersecurity team.
Personally, I find it rather confusing sometimes to find the right balance still. Work from the office while having teams’ meetings as well is a drama. Finding a quiet room and running from floor 1 to 18 without time in between is something I have not mastered yet. I am sure we all will find a way to make this as efficient and well balanced too. We just have to give it some time.
Thank you Dimitri for taking the time to answer my questions and for sharing those great insights. We are all looking forward to your talk at the Global Cyber Conference and learning so much more in the panel session.
Please also check out the interviews with our other speakers who will be in attendance at this year’s Global Cyber Conference, which you will find here.