‘Cyber a level one enterprise risk’ – Catherine Rowe, AusPac CISO, QBE Insurance

FST's Ben Turner sits down with QBE's Catherine Rowe

Where does the CISO stand in your organisation? How do you maximise buy-in and translate technical gobbledygook into a business-wide, and widely accepted, cyber program? And what should a ‘fit-for-purpose’ security governance model look like post-Covid?

Joining us for our Future of Security, Melbourne, Catherine Rowe, AusPac Chief Information Security Officer, QBE Insurance, spoke with FST’s own Ben Turner, taking us through her hallmarks for effective cyber education, policy and governance, what the ideal cyber team should look like today, and where the CISO should stand in the FSI corporate hierarchy to maximise benefit for all stakeholders.

We offer below a snapshot of the discussion.


FST Media: With the industry ramping up its digitisation and digital programs in response to Covid-19 and the shift to remote working, it’s never been more important for staff to be cyber aware.

What are the hallmarks of an effective cyber awareness and education program?

Rowe: That’s a really good question, Ben. There are really three key elements here: accessibility, relevance, and measurability. First of all, cybersecurity awareness needs to be accessible and relevant no matter where you work in an organisation. It should encompass a variety of learning mediums and different tools to cater to different learning styles and also accessibility requirements, and it must be relevant and tailored to the specific audience and the desired outcomes.

Secondly, it really needs to be measurable. There’s absolutely no point in rolling out an awareness training session or phishing simulation if you aren’t looking to measure the impact of that activity.

A mature cyber awareness program should have both pre- and post-training surveys that can measure the impact of the training activity and then link these back to adjust and improve.

Thirdly, cyber awareness needs to really be seen as more than just an education exercise; it’s about making sure that every aspect of the business knows about their cyber role and responsibilities. This means ensuring there’s stakeholder buy-in right from C-suite down to the individual employee and them knowing why we have the security and controls that we do in place.

Also to add to this is active, regular, and clear engagement with the board and senior executives and decision-makers. This will ensure that cyber safety messages are really in lock-step with the threat environment and the risk appetite that the business chooses to accept.

FST Media: Against this backdrop, how does this affect the look of your security governance today?

Rowe: To me, governance is really about ensuring your organisation has the right structure, leadership and guidance in place to mitigate and manage cyber risks – we all know that.

One of the key things for effective cyber-security governance is that it must be treated as a level one non-financial risk, along with other operational and compliance risks.

Obviously, we have to have appropriate frameworks, policies and standards in place. That’s the first requirement of any cybersecurity governance. You’ve got to select a framework for your organisation that’s appropriate. Is it NIST? Is it ISO? Is it COBIT? Having that framework will prevent a scattergun approach to implementing your security processes and procedures, and it will allow you to measure your security posture against a framework. It’s key to finding those weaknesses in controls and prioritising areas of funding.

From the policies and standards perspective, often these aren’t done well.

Policy standards and procedures should enable everybody in the organisation to understand their security requirements and what’s needed to protect the business’s information assets. Policies, in particular, need to be concise and high-level principles; they mustn’t go into the area of procedures or standards.

They shouldn’t be prescriptive; they should explain why certain actions are required to maintain compliance. Prescriptive rules and the operational processes should be outlined in the standards and the procedures. This will provide the flexibility that you need to change in the evolving threat landscape.

Policies are difficult to change. They require board oversight and board governance. But yes, standards and procedures are where you can, in fact, make on-the-ground changes. And, importantly, you really need to make sure that those policies and procedures clearly articulate the roles and responsibilities and the accountabilities of everybody within the organisation.

Another point that I’d really like to make on governance is that communication is absolutely key. Going back to my previous comments, most employees really want to do the right thing; if they’re told what they need to do, they’ll generally comply. You need to make sure that you have that audience-based security awareness training that can go either from top-to-bottom or left-to-right and be tailored to the specific audiences.

FST Media: And it’s about appreciating staff members’ technical acumen, their understanding and their position, as well as their access and authorisation to separate parts of the business. Is that correct?

Rowe: That’s absolutely right. There’s no point in having a very technical conversation with business units where, really, you want them to understand what they need to do to comply with passwords and not what they need to do when they’re going through a complex change program. So, it really needs to be tailored to a specific audience.

Also, one thing that is very dear to my heart is ‘tone from the top’.

For any governance to be effective, you need to have a board and C-suite buy-in, and that means really good reporting as well.

It’s essential that senior executives set the tone from the top in relation to their expectations around risk management, in general, and including cybersecurity. Regular board and executive cyber education sessions are critical to ensuring that they understand their key decision-makers.

And they need to understand the changing threat landscape and the organisation’s security posture against those threats. Reporting, in particular, must include accurate and adequate cyber risk metrics and, more importantly, it has to have the insights that are needed to support that constructive challenge and debate at board and executive forums.

As with other non-financial and financial risk reporting, it’s critical that you have a really clear risk appetite statement against cyber with appropriate threat thresholds, and it’s based on agreed key risk indicators. And these should be regularly reported to the board.

One of the other things that’s very important is not just the risk appetite statement and the KRIs [key risk indicators], but actually also a clear set of key performance indicators.

These operational metrics can track how you’re going from an operational perspective within the organisation and within your cybersecurity program, and how you’re rolling that out and how the organisation is maturing in its cybersecurity compliance. It’s important you can slice and dice it for different business executives; so, each line of business should understand their own security posture. They can then take actions to remediate risky behaviours or risky items within their portfolio, such as end-of-life technologies et cetera, and really adhere to those good cyber hygiene practices. They’re also a really important tool for you to be able to measure, as a CISO, how you’re going with your cybersecurity program and how you are actually uplifting the level of maturity in the organisation.

Finally, the one other thing I would say in respect to effective governance is to make sure that you have a really cooperative mindset and open communication with your regulators.

FST Media: Having run a number of security events recently, all those things are ringing true. And this is where the training needs to be applicable to the person, which leads to a clear understanding of responsibilities: everyone knows their role, knows their responsibilities and how they’re impacting the greater good all the way up to the board level.

How do you translate those technical issues into business priorities and communicate that in a way the board can fully understand?

Rowe: Again, it’s going back to reporting and metrics. Most boards and executives now recognise that having adequate cybersecurity is essential to surviving and even thriving in today’s digital economy. But they often lack the insights and the data that they need to have comfort that their organisation is effectively managing the cyber risk.

Some boards and some executives still treat cyber as a technical or an operational issue, which is handled in the back-office. And that view of cybersecurity is really the greatest hindrance, I think, to effective cybersecurity governance.

Cyber is integral to the way we do business and, as such, it should be treated as a level one enterprise risk, with adequate, insightful reporting to decision-makers and, as importantly, with the CISO having a seat at the table in those discussions.

FST Media: We’ve talked about how we communicate with the board, how we communicate with the business. We’ve talked about how important security is across all of those and how it should fit in across the business. But where does the CISO fit in?

Should they report directly to the CEO, to the CIO, or to the CRO [Chief Risk Officer]?

Rowe: Another very topical and interesting question. In most financial services organisations in Australia, the CISO reports to the CIO. Now, there’s been an awful lot written about the feasibility of this organisational construct. Some organisations are now moving to elevate their CISO or their chief security officer to report in to the CEO. Others have their CISOs sitting under the CRO, COO or the CFO.

The question that I have is, given the real possibility of legal action against directors and C-suite executives in the event of a cyber breach, should the person responsible for cybersecurity actually report directly into the CEO?

But, really, where the CISO fits in an organisation is really largely a matter of how the roles and responsibilities of the CISO fit with the operations and the risk maturity of that particular organisation.

If you think about the CIO/CISO relationship, obviously their responsibilities are very interrelated; but there is tension between whether the CISO or the CIO responsibilities should have primacy – or are they equal? And that can create some tension and conflicting priorities in that relationship and how the organisation moves forward.

There are a lot of different theories put forward on this. Where a CISO reports to a CIO, does that mean that the organisation views cybersecurity simply as a technical function rather than a risk function? Where the CISO reports to the CRO, the organisation would acknowledge that cyber is a risk that can actually threaten its survival. But does that leave the CISO too far detached from critical IT operational capabilities? Where the CISO sits on the C-suite, alongside the CIO, does that mean that cybersecurity is more embedded into the enterprise-level risk management of an organisation and elevates that cybersecurity to a really strategic level? These debates are all out there.

In my view, there’s no one-size-fits-all to this question. Also, reporting structures, they’re not a silver bullet. What really matters in making organisations’ cyber resilience – and I’m going back to it – is governance. The structure and the processes that are in place for effective decision-making, accountability and control.

If the right governance is not in place, it really doesn’t matter where the CISO reports.

Ultimately, the board and the CEO are accountable for cybersecurity and must maintain close oversight of those cybersecurity risks.

So the two really fundamental points here: firstly, cybersecurity must be treated as an enterprise risk and not merely a technical mitigation concern; number two, the CISO must have a regular seat at the board table irrespective of any reporting rights.

FST Media: Now, looking at the organisational structure and the people within it, you’ve built many security teams over your career.

What challenges are you observing in such a fast, dynamic discipline, also factoring in Covid and the skills shortage and the way that the skills required for security are starting to evolve?

Rowe: It’s such a fast-evolving profession, isn’t it? The skills shortage has no doubt been exacerbated due to Covid and will again be exacerbated as people come out of lockdown and start to move around again. It’s something most CISOs have been dealing with for a long time and have employed various approaches to retain and attract cybersecurity talent.

For me, one of the key elements I see to growing and developing a really good cybersecurity team is to have a multi-disciplinary team who can do many, many things well.

If you are hiring inquisitive, high-performing and diverse minds, you end up with a team that can tackle whatever problem comes next. And, ideally, you’ll end up in the long-term with a team or a set of teams who actively learn from each other and become stronger together and be able to compensate if there’s some particular weaknesses or some strengths in different areas.

The other thing about having diverse teams – and, of course, this is because I came from an area outside of cyber – but cyber is about people as much as it is about technology. You need to be able to have that diverse set of thinking and skillsets to be able to bring to the all-pervasive cyber question and the cyber landscape.

Diverse teams really work better because you don’t end up with this groupthink mentality, and you’ve got a whole range of different ideas that are brought to the table to solve really quite complex problems. That’s really critical in a dynamic cyber landscape.

FST Media: Certainly! This discussion has really shown that. Tech’s hardly been mentioned; it’s about people and the way that people are handled within this scope.

Rowe: You need every skill! You need skilful communication; you need really deep technical subject matter expertise; you need the ability to manage delicate relationships; you need to be able to talk the right talk for the business. No longer is it just about having deep technical subject matter expertise. It’s also about having a very broad skill set.

The one thing as well, though, as the landscape evolves within cybersecurity, professionals’ skills are just moving so fast. It’s a highly desired profession; the cohort that’s coming through now out of university is exceptional, and it’s really important that we support them in their professional journey. The way we can do this is by making sure that they’ve got promotions, rotations, cross-skilling amongst different disciplines. Take a cybersecurity consultant and put them into risk for a while. Take another and put them into comms and make sure that they have to be able to talk to the business.

This mixing and matching and being able to leverage each other’s strengths is really where we’ll see some effective inroads into unlocking this cybersecurity talent pool.


Catherine Rowe was a featured speaker at the Future of Security, Melbourne 2021 virtual conference on 25-26 November 2021.