Jamil Farshchi is the Chief Information Security Officer for Equifax in the United States. He joined the company shortly after one of the most consequential data breaches in history and was responsible for a complete overhaul of Equifax’s security and technology capabilities. Previously he worked as CISO at Time Warner, among other roles in the field of cybersecurity. Currently he is on the Board of Directors for the National Technology Security Coalition as well as the Institute for Information Security and Privacy at Georgia Tech.

Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, has been talking with Jamil. In this interview, Samir discusses with him, amongst other things, what businesses should do to prepare effectively to respond to and recover from potential cyber-attacks.

Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

Today’s threat landscape calls for CISOs who can translate security and risk insights into consumable, relatable language. If we don’t, our influence will shrink, and our organizations will suffer. To do this well, we must view a business through the lens of the stakeholders we’re communicating with. We should empathize and contextualize.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

If the CISO has the right level of visibility, support and resources, the role can be successful in virtually any organisational structure. That said, where the CISO reports is a proxy for the importance a company places on security. And when was the last time a business prioritised, invested and gave airtime to a function that it didn’t deem important?

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

Culture. Culture. Culture. The best security team will be rendered mediocre if they’re faced with a poor culture. On the other hand, even a mediocre security team can be wildly successful when working within a great culture. The only way any company can achieve real cyber resilience is if the whole company — from the board to the interns — embraces the notion that security is everyone’s responsibility… and that there’s no finish line.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

Behaviours always break barriers. Users need to get their jobs done, and the more cumbersome our controls, the more likely the workforce is to try to get around them. Good usability is the key to success. And the best trend that rarely gets attention is how security vendors are beginning to take UX seriously. Security needs to be easy to implement, and UX is a core component in achieving that.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?

Find passionate people and challenge them. Doesn’t really matter their background — the good ones will learn whatever’s needed. Then challenge them again… and again. You’ll be surprised at how much they accomplish, how much they learn and grow, and how infectious their behaviours will be for the rest of the team.