The TalkTalk data breach in 2015 was monumental for the cyber security industry. At the time, data breaches were hardly new, but this particular breach resulted in UK MPs recommending that an officer should be appointed with day-to-day responsibility for protecting computer systems from cyber attack.
This governmental guidance was not a consequence of the size of the breach. With the personal details of 157,000 customers accessed, including bank account numbers and sort codes of over 15,000 customers, it certainly was not the largest the industry had seen. Rather, the guidance resulted from the way in which the immediate situation and the following aftermath, were handled.
In most organisations, the responsibility of following this guidance has historically fallen to the Chief Information Security Officer (CISO), with support from the CEO. In the wake of the TalkTalk data breach in particular, the CISO was given ‘free rein’ to strengthen the organisation’s cyber security capabilities.
The many faces of the CISO
Yet, the role of the CISO was not a new concept. In fact, the CISO dates back to 1994 when Steve Katz was hired to run the world’s first formal cyber security executive office, and was subsequently given the title of CISO. Unsurprisingly, the role has many aspects to it, from security operations, cyber risk and cyber intelligence, data loss and fraud prevention, security architecture, identity and access management, programme management and compliance and governance, to name but a few.
Recently however, the role has come under increasing scrutiny and with the rise of cyber crime and the sophistication of cyber attacks, it’s easy to see why. Research shows that over two-thirds of organisations have experienced at least one security breach in the past year and that the majority of both CISOs and the entire C-Suite believe the CISO is ultimately responsible for the response to a data breach. However, with so many ‘hats’ to wear and multiple day-to-day responsibilities, it is clear to see why, with the increasing threat landscape, many organisations feel that it’s time to add another role to the C-Suite.
Enter the CCO
Enter the Chief Cybercrime Officer (CCO), whose remit will entail ensuring the organisation is cyber-ready and who will bear the responsibility of mitigating breaches, taking the lead if a breach does occur and providing the necessary link between the Board and the rest of the company to mitigate risk and work collaboratively to resolve issues as they arise.
With the need for cyber security to become far more central to C-Suite strategies, this new role should ease the load on the CISO and ensure the organisation can get one step ahead of hackers in the cyber crime race. However, organisations must take into account the need for both the CISO and CCO to work in harmony, with clearly defined roles and support from the Board.
Aligning to boundaries
With both the CISO and CCO working towards keeping the company’s data safe from cyber threats, it is essential for each role to be clearly defined. This definition may look different to each organisation: each role, and the teams working with them, should have clear parameters and responsibilities so that in the event of a data breach, the organisation clearly understands the steps that should be taken, and who should take them.
In practice, this should make every CISO breathe a big sigh of relief. Many CISOs would identify cyber security as the greatest risk within their role, and when they’re also trying to juggle multiple other responsibilities, it’s a lot to have on their shoulders. With the CCO focused on the system architecture and the CISO focused on the security of the information within the organisation, there should be no reason that both roles can’t work collaboratively towards keeping the organisation safe.
Making decisions
With both roles working in tandem, the next step that organisations need to take is ensuring the CISO and the CCO have enough influence with the Board to make critical decisions and resolve issues immediately. By ensuring that all members of the Board have visibility of the entire cyber security strategy and that the strategy is regularly reviewed and updated in line with new threats and intelligence, the CCO and CISO can be given the responsibility to report and respond to incidents and make rapid decisions on behalf of the business. In the event of a data breach, removing unnecessary approval and authorisation steps ensures that the organisation can respond quickly and put remediating measures in place to minimise potentially catastrophic repercussions.
In a world where cyber security threats can’t be ignored, now is the time for the structure of organisations to truly be considered. Has cyber security been given enough prominence at Board level? Can decisions be made quickly? Can space be made for both the CISO and CCO to work in harmony? By asking these questions and making changes, organisations can ensure they are in a far better position to keep their data safe and protect their reputation.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.