
The new role of the Defence Chief Information Security Officer (CISO)

Defending information, improving readiness, and succeeding anywhere. CISOs are more than technology officers.

by Sir Rob Wainwright and Honorable Beth McGrath, Deloitte, Amsterdam/Washington

As defence organisations become more data-driven, the role of the Chief Information Security Officer (CISO) is changing. It is rapidly shifting from a technology-oriented position to a business leadership-focused one, with significant demands from and impact on mission readiness. That is why defence organisations across the globe measure, evaluate, and re-measure their “readiness.” While the specific term may vary from country to country, the heart of readiness remains the ability of an organisation to execute its assigned mission promptly and capably. Therefore, understanding readiness starts by understanding the basic capabilities of a force: its equipment, people, and infrastructure.

Data for the creation of a real-time picture

Traditionally, the picture of those capabilities was developed through regular reporting on the status of smaller units, aggregated into a readiness picture at successively higher units. However, these historical snapshots of readiness lost much of the detail leaders needed to make decisions. As a result, many forces are beginning to use real-time data taken from sensors and analytics to create a real-time picture of projects, performance, and maintenance. Rather than relying on summary reports, leaders at every level, from defence ministry secretaries to mechanics on the flight line, can pull from the same pool of actual data. By filtering and analysing it, they can get the information they need, whether that is force-training levels or the broken part on a particular jet. While the greater use of operational data in readiness decision-making can give leaders greater insight, it also greatly increases the importance of cybersecurity. Every organisation tries to protect its sensitive data, but bringing together large volumes of data on the location and status of military forces requires even more vigilance. The result is that cybersecurity is now being dealt with higher up the corporate ladder. In many cases, the CISO has become a close peer of the chief information officer (CIO). The role now demands business leadership as well as information security and technical skills, and the CISO is now seen as a business partner, not just a business protector.

The evolving role of the CISO

Understanding the threats and putting effective countermeasures in place is the responsibility of the CISO. However, as the organisation begins to use data in new and different ways, the CISO must also understand how that changes its risk exposure. In a bid to better understand and improve readiness, defence organisations are using more and more real-world operational information to budget, recruit and make other decisions. While these types of decisions may previously have used “back-office” data that was less sensitive, the aggregation of many different types of mission-related information makes the CISO an integral part of the executive team. The CISO must be fully involved in the decision-making process so that they can make sure that decision makers at every level have the information they need, while still protecting sensitive operational data. This means ensuring that the right people get the data they need, and only the data they need. There is a significant change in the role of the CISO. In the past four or five years, it has broadened, from being almost purely technology-oriented to more people-oriented, and from being a middle-management function to a business and technology leadership function. The role continues to accelerate in the same direction to meet these needs.

“The CISO must be fully involved in the decision making process.”

To be successful, modern CISOs need to know more than just technology. They need to communicate the nature and extent of the cyber threats to all levels of the organisation. Then, along with CIOs, they need to balance the need for cybersecurity against the information-sharing needs of the organisation. Finding that balance is the key to success: too little information sharing and the organisation cannot make effective decisions; too little security and it is all for nothing, with sensitive information lost to adversaries. Today’s high-level CISO is fundamentally different from yesterday’s information security manager.

The CISO as a value-protector and a value-adder

Cybersecurity is expensive. The CISO’s department is typically a cost centre. But it is now gradually less focused on justifying costs and more on enabling valuable activities. It is difficult, if not impossible, to quantify the return on investment of security spending. Certainly, it is easy to quantify the costs of not having effective cybersecurity. A quick glance at the headlines is enough to draw attention to the many companies and government agencies that were victims of high-profile cyber-attacks. The cost of these in reputation as well as in real monetary value is clear to see. For most CISOs, demonstrating value has typically ended there: success was the absence of bad news. Today, however, that may be slowly changing. A few of the brightest CISOs are beginning to explore how cyber know-how can be a valuable commodity. Some companies and government agencies that have developed expertise in protecting their own vast networks are able to offer that knowledge to other companies and agencies as a service. In that way the CISO’s cost centre can actually become a profit centre. Admittedly, that is not the goal nor the likely outcome for most CISOs. Success for today’s top government CISOs is not only protecting data but enabling the mission. CISOs are being asked by leadership to keep data safe, but also to make sure security measures do not get in the way of digital transformation, and to figure out how technological know-how can be used to create frictionless information sharing. Keeping data safe while staying out of the way of modernisation efforts is critical.

Sir Rob Wainwright has been a Partner with Deloitte since June 2018, working in its cyber and financial crime practices. He was the Executive Director of Europol (2009 to 2018). After a 25-year career in intelligence, policing, government, EU and international affairs, including at the Serious Organised Crime Agency, National Criminal Intelligence Service and in the British Security Service, in June 2018 he was awarded a Knighthood by HM The Queen for his services to security and policing.

Honorable Beth McGrath is a Managing Director in Deloitte’s Government & Public Service (GPS) practice and leads Deloitte’s global Defence, Security, & Justice (DS&J) practice. Beth has broad, multidisciplinary, strategic, and operational management experience acquired from more than 25 years of successful performance in the federal government, serving in positions up to the undersecretary level in the Department of Defence (DoD). Prior to joining Deloitte, Beth was confirmed by the Senate as the deputy chief management officer (DCMO) for the DoD and has held numerous other executive positions in government service.

A safer information flow leads to better decisions

Remote payments are a prime example of the benefits of “security by design,” where robust security measures, far from slowing down and spoiling the user experience, have sped it up and enhanced it. Users who have confidence in the security and ease of remote payments are more likely to use them. For government agencies, a safer information flow means a greater information flow, which directly leads to better decisions. So cybersecurity at this level of sophistication will not just protect data but will make an organisation more mission-effective. Different countries and agencies are at different stages of the evolutionary cybersecurity process, depending on a variety of factors such as management foresight, industry and sector, and country of operation. However, what is common across all of them is that as defence organisations make better use of the volumes of digital data produced by the modern world, the CISO will increasingly be a critical part of the realisation of the mission.

1 We are grateful to Joe Mariani, Chris Verdonck, Nick Seaver, Mark Nicholson, Vikram Bhat, Stephen Bonner and Michael Imeson for their insight and guidance, without whom this article would not have been possible.

“To be successful, modern CISOs need to know more than just technology.”
