On February 16 2017, the New York Department of Financial Services released final cybersecurity regulations that will be codified under 23 N.Y.C.R.R. Part 500 (the ‘Final Rule’). This Final Rule is believed to be the first effort of its kind to formally regulate cybersecurity within the U.S. financial services industry. The Final Rule became effective on March 1, with most affected firms having to comply with the majority of the requirements by August 28 2017.
Whilst there is currently no appetite from HM Treasury, the Bank of England, or the Financial Conduct Authority to mandate cybersecurity in their regulations, all three bodies are working together to promote good cyber practices within the financial sector. The FCA has recently launched a cybersecurity questionnaire that probes whether firms are considering the cyber issue, and what level of maturity they have reached. In addition, the incoming EU General Data Protection Regulation (GDPR), effective from May 25 2018, can levy fines of up to €20 million or 4% of annual worldwide turnover – significantly more than the maximum of £500,000 that can currently be imposed by the Information Commissioner’s Office.
One interesting aspect of the Final Rule is the mandated appointment of a Chief Information Security Officer (CISO), who will be responsible for implementing the (mandated) cybersecurity programme. CISOs will consequently be in charge of enforcing new and existing cybersecurity policies, drafting a biannual report detailing the integrity of the information systems and cybersecurity programme, and summarising any security breaches and attempted breaches that occurred.
Clearly the role of the CISO is becoming increasingly important to financial services firms. With U.S. firms currently looking to fill these roles as quickly as possible, it’s noteworthy that the FCA questionnaire, whilst not asking specifically for the identification of a CISO, does ask whether a firm has appointed a senior executive who is responsible and accountable for cyber resilience within the organisation, and asks the firm to name that individual.
No financial services company can afford to overlook the daily threats to its data posed by hackers and cyber criminals. Even a business’ greatest asset – its people – can expose, lose, corrupt or render vital data inaccessible, whether intentionally or not. With regulation compounding the impact of data loss, along with the accompanying reputational damage, it’s time to bring security out of the IT Department and into the board room.
So, if you’ve decided you need someone to manage these risks for you, how do you go about selecting a really good CISO?
The traditional route to becoming a CISO is very similar to that of a CTO – namely building up experience through technical roles in IT departments. Many of the CISOs around today are highly experienced in the world of IT and technical security. They hold numerous IT security accreditations, have good contacts with a variety of security vendors and could, if asked, still roll up their sleeves and start analysing the logs from a firewall. However, in today’s environment they need a much more rounded set of skills, focused more on business than on technology.
There are a number of traits you need to look for in a modern CISO, whether you’re seeking someone for a full-time role or an interim period:
- Engagement: A CISO needs to be able to explain cybersecurity concepts to a wide range of people in a language they understand. They need the ability to influence and deliver business change, as many cyber threats can be mitigated by an effective security awareness programme. More than anything, your CISO needs to be able to inform you of your risk landscape in a clear and concise manner.
- Business acumen: Your CISO needs to understand how you operate, what your risk appetite is, and what special conditions you work under – especially if these are regulatory. ‘One size fits all’ is not an appropriate approach to cybersecurity, especially within the financial sector, since what one business might consider far too risky might be absolutely essential to another. Your CISO needs to understand where certain levels of risk are an acceptable facet of operating as a business.
- Understand risk: I’ll let you into a cybersecurity secret – despite the hype, buzzwords, acronyms and expensive technology, all cybersecurity really comes down to is risk management. Your CISO needs to understand risk, how it applies to your organisation, and how to mitigate it. It’s one of the reasons many of the new breed of CISO come from non-IT backgrounds, with experience in operations, where the management of risk is more established.
- Broad shoulders: In many ways the role of the CISO is a thankless one. A CISO will likely only be in the spotlight if there is a problem, and will have many sleepless nights worrying about the latest threats. You need to find someone who can cope with the demands of the role and, equally importantly, recognise that the value they add to your business is in many respects invisible. Their job is to keep your company name out of the media.
- Big picture: This is where many traditional CISOs underperform. Yes, a large part of the role is IT-focused, but the scope is much wider. Physical security, education and awareness programmes, social engineering and effective governance are just as important to an overall security culture as technical controls.
- Leadership: Your CISO needs to bring the entire organisation – from the Board to the cleaners, and even your suppliers – along on the journey to a secure organisation. They have to be personable and approachable at all levels, and have an elevated public profile within the business. The role is not one of a controlling puppet master, but rather a crafter of culture.
You need to find a CISO you’re comfortable with, who can translate their technical knowledge into business language. I’m a firm believer that a good CISO should be able to explain cybersecurity concepts in plain English in four sentences. The people beneath the CISO need to have the in-depth understanding, whereas the CISO needs to deal with the overall landscape.
Even if your firm doesn’t have the requirement for a full-time CISO, there are new options becoming available, such as ‘CISO-as-a-Service’. These flexible, pay-as-you-go services enable financial businesses to benefit from the skills and experience of these elusive individuals without the staff overhead or the usual Capex investment.
I foresee there will be much demand for services such as these as financial organisations of all sizes start to get to grips with the escalating regulatory and cybersecurity challenges that will become an increasing part of daily business life moving forwards.