The Chief Information Security Officer Is Not The Enemy

Thomas Frénéhard

Part 3 in the Controls and Risk Management series

A few days ago, I was having dinner with a friend who happens to be the chief information security officer (CISO) at a midsize software startup.

While discussing how we report our actions to our management, he mentioned that he was asked to deliver a quarterly report to his board of directors on all things cybersecurity, including compliance with ever-changing regulations, of course. A comment he made was that, during these sessions, he felt like a gladiator descending into the arena to fight the lions.

And instead of being offered executive support, he felt he was treated as a scapegoat for the increasingly complex cyberthreat environment and was associated with any breaches that happened on the market.

Ave Caesar, morituri te salutant

With all the recent data-protection and privacy regulations being enforced worldwide and the variety of attacks that a company can face daily, I could understand how he must feel in his function and the gladiator analogy. Especially without the support of executives.

But it doesn’t have to be this way.

I firmly believe that CISOs now have a dual role: protecting the organization and its most precious assets (including employee and customer information) but also helping users run secure processes more easily and smoothly. This is especially the case in the wave of digital transformation that is spreading across businesses of all shapes and sizes to help them make the most of their IT investments.

Protecting assets and supporting the business are not incompatible

First and foremost, I think most employees now understand the role and importance of cybersecurity. Who doesn’t have someone in their circle whose email account was hacked, or who has had to dispute a fraudulent online credit-card charge?

Employees know that businesses are under constant threat, and I do believe that they understand the need for stricter security policies.

Nevertheless, I can also understand that some consider secure processes to be tedious, if not cumbersome. The annoyances might include, for instance, logging onto various systems with multiple passwords, or needing access to system XYZ without knowing exactly how it operates and thus being unsure what to ask for.

That’s where the CISO can provide great insights and support by helping to automate most of these tasks with tools such as single sign-on or identity management and access governance. These solutions provision user roles whenever an employee is onboarded or changes roles, and reduce the number of passwords employees have to remember without compromising secure access. This will make employees’ lives easier and help them protect the organization without additional effort.

Hopefully, it will also prevent people from writing their password on a Post-It note stuck to their computer screens. But that’s a topic for another blog…

Explain, explain, and explain again

There is often a perception that cybersecurity is just to prevent external parties from getting inside a company’s network and doing some damage. But there is another facet that I think is often overlooked: It’s also to protect the employees.

Let’s assume you are in the HR department, and there has been a leak with regard to employee pay grades. If all access to sensitive information is traced, you, as an HR employee who could be among the suspects, will be relieved, since you won’t have to prove your innocence. Because the logs show who accessed what, your integrity will never even be questioned.

I think executives must play the game, though, and show their full support for cybersecurity – and by this, for the CISO they trust with the company’s most precious information assets. Management must explain clearly to business owners why they should all be behind the CISO.

Only by setting the right tone at the top can all employees understand that this is as much to protect the organization as to protect them – and their personal information – from adverse events. They will then become an integral part of the cyberdefense system of the organization: the human firewall.

Armed with dedicated tools, trust from their management, and support from all employees, it’s time for cybersecurity experts to get back into the spotlight and take their rightful place as trusted business partners. Thanks to the CISO and cybersecurity experts, the organization will be ready.

So, traveling back in time from ancient Rome to ancient Greece, and as the Spartans responded to Xerxes I of Persia at the Battle of Thermopylae: molon labe!

Are you a CISO facing this situation? If so, how do you manage it? I look forward to reading your thoughts and comments on Twitter @TFrenehard.

Please join us at the SAP Conference on Internal Controls, Compliance, and Risk Management in Copenhagen March 3–4, 2020, which will explore the theme “Connected Controls and Risks.”

This article originally appeared on SAP Community and is republished by permission.

About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.