Summary of roundtable discussion facilitated by Delphine Chevallier, DG, Thalia NeoMedia, during FIC2020 on Wednesday 19th January 2020 together with :
- Julien Bizjak, Directeur associé Cybersécurité & Confiance numérique, Abington Advisory
- Phedra Clouner, Directrice Adjointe CCB/CERT.BE
- Abeer Khedr, Information Security Director, National Bank of Egypt
- Loïs Samain, RSSI Adjoint, EdF Renouvelables
RSSI/CISO role emerged in the 90s and was mainly focuses on correcting vulnerabilities. Together with expansion of company’s boundaries, people mobility, threats and risks transformation and increased regulations, the position has become key to protect organizations. In some industries it is even now a mandatory role. How RSSI/CISO can thus articulate responsability and accountability not only for themselves but also for the organization they are working for ? To what extent should they assume accountability for incident ?
Let’s go back to the purpose of RSSI/CISO role in 2020 : still aligned with its original purpose, i.e. protecting organization’s assets and mitigating risks, which goes with monitoring compliance with growing regulations, RSSI/CISO role is more and more about building trust and partnering with the business to turn cyber security into competitive advantage.
Practically, it means for RSSI/CISO to find the path, narrow but yet existing, to align the organization with regulations without being perceived as a brake. Focusing the discussion with leaders on operational excellence and the need to build customer trust are quite effective ways for compliance to be perceived as a driver to enhance operational activities rather than unnecessary or pressure with no added value. For sure implementing internal processes and controls, measuring risks and regularly running audits are critical tasks: but it has to go along with people engagement over the whole process chain to establish defense protocols as deeply as possible.
To operate in highly complex matrix organizations, and sometimes also across several geographies, developing relationships and ‘have friends’ everywhere is key to effectively influence and engage positively on cyber security issues. The ultimate goal being for the RSSI/CISO to be quite naturally involved as early as possible in projects or new digital development, so s/he can advise to build security from the very early stages. Building trust across the whole supply chain has also become essential: challenging sub-contracting and procurement approach is now part of the job.
If there is one thing RSSI/CISOs agree to be accountable for, it is about driving continuous improvement for the organization. Complaining about or hiding behind ressources (not made) available to do the job is a definite pitfall: RSSI/CISOs have access to the greatest and vast ressources to be successful in their jobs: leaders, managers and teams who are able to be empowered on cyber security.
Looking ahead, what is on RSSI/CISO’s radar for the up-coming years ?
- Applying business partner principles for the role to be established and really perceived as value-added services offered to every business units,
- Preparing a next generation but also attracting people coming from the business through internal mobility,
- Sharing knowledge and experience to help small-size organizations, which can’t afford the cost of even a part-time RSSI/CISO, to find alternative solutions (through the use of e.g. AI or external support) but advocating for stakeholders to remain deeply engaged in the issue.
To conclude, speakers developed the “RSSI/CISO as a swiss knife” concept, a chameleon who is mastering
- intercultural ability to bring consensus across various approaches when it comes to risk management,
- influencing and selling skills,
- technical and organizational skills,
- a large variety of business, leadership and management skills,
- emotional intelligence and stress management,
- ability to display complex technical issues with simple but business words,
… and as such, is growing him/herself in a highly fascinating job !
(by Delphine Chevallier, DG, Thalia NeoMedia)