Reto Weber is the ISMS Officer at Roche Diagnostics International, Switzerland. He is responsible for helping to build trust within the organisation by providing materials such as certifications for Roche's digital products, and for providing support in the context of patient-identifiable data.
Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, has been discussing with Reto the level of visibility a CISO should have in a company, and how to solve the problem of staff retention.
Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?
The threat landscape is, for me, not too difficult. The challenge is within the technology, as many new terms arise and keeping up with all the providers' terminology is hard, especially in cloud-agnostic environments.
A common way to assess the value of a senior executive to an organization's business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?
How contributions are made to the primary chain. Do they support sales and have total trust in the products and services? This can be done by perception.
The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?
The board does need a CISO expert who is in the security business. The CISO can comfortably be a part of a quality/legal/security entity or even in the business itself. The CISO must be part of the value creation. If a business doesn’t see the value of a CISO, why have one?
What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?
This depends on their risk appetite and outside commitments. However, I think it does not hurt to run a red team (but not tell anyone) and then test all the processes once a year. Training, training, training. Testing some legacy systems to failure does not hurt.
In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?
What is cyber security? There is no clear definition. Information Security / Privacy are all very clear to me. I think trends are good ... they provide access to a budget. The challenge lies in that for over 20 years we have taught people how to operate systems safely, but still they do not all do it.
On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?
We do not value human input sufficiently. We invest in technology and tools, but who invests in humans (I do not mean web-based trainings you click through every year)? Provide everyone with the right information to do their job.
While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?
Show how the value proposition is supported and protected by the CISO.
Adding emerging technology to legacy IT increases the complexity of an organization’s digital environment. What are the key elements required to balance the value of new technology with the potential for increased cyber risk that comes with it?
Perform a risk assessment for each event rather than blindly follow the hype. Think and act.
Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?
It's hard to find talent, but also hard to find good employers. I think there has to be a balance. Security has so many interesting fields, which means it should be an attractive career prospect.
According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?
I think as long as people remain motivated there is no issue at all.
What do you look forward to most at this year’s Global Cyber Conference?
Learning from others.