The future of cyber security and the role of the Chief Information Security Officer (CISO)

Phil Fodchuk is a Partner at MNP who has decades of experience in various roles throughout the cyber security realm. He began his career as a police officer with the Calgary Police Service and then RCMP in their cyber crimes investigations units before working in large consulting firms across Canada and served as the CISO at a number of companies in the energy, transportation, consumer, and public sector industries.

In these various roles, Phil has seen the increasing challenges organizations face as digital transformation rapidly increases dependence on data and digital systems just to operate day-to-day. Cyber security strategies, systems, and practices that were once solely focussed on “protecting IT”, now need to be integrated with all aspects of an organization’s business well beyond “IT”, illustrating how vital the role of CISO is becoming.

In this interview, Phil explores the role of a CISO now and in the future, how they materially contribute towards the success or failure of business objectives today, and what it takes to be successful in this ever-expanding and important business field for future generations.

Companies have been investing in cyber security for years now, but we are still seeing breaches regularly in the media. Statistics also show that nearly half of small businesses in Canada have experienced a cyber attack. Why is that?

The reality is that as organizations and our society increases the amount of integration between and dependence on digital systems and data, the complexity in managing and protecting them has exponentially increased. Because of this rapid growth, the expectations of cyber security within organizations have expanded (often informally) from managing pure technology issues to now having to understand and be part of addressing an organization’s strategic, legal, financial, and operational issues.

The opportunity for an attacker to get into an organization’s digital ecosystem, and manipulate its data, applications, and systems negatively impact that organization and even individual people is increasing. Unfortunately, we’re not way more integrated and in a way, more dependent on data and technology.

All of this growth and complexity creates a larger digital footprint (or attack surface) for an attacker to find a way in. Unfortunately, it also makes it more difficult for people and organizations to not only make sure everything is updated, properly configured, and secured, it also makes it more difficult to continuously monitor your digital footprint and detect when a breach has occurred.

Across Canada we’ve seen a lot of changes with the CISO role in recent months – do you know what’s causing this trend?

I use the analogy that the CISO role in many organizations is like a teenager right now – we’re in this awkward stage of defining what our identity is, where we fit, and what decisions we have accountability over within organizations. We’re not an adult yet but we’re also not in our infancy. We don’t have the benefit of several hundred years of experience like accounting, legal, or engineering professions so we’re watching the CISO role evolve right before our eyes as digital transformation accelerates across society and business. But we’re generally seeing the CISO role follow a similar maturity journey as the CIO role, moving towards becoming a business leader that understands the balances risk, financial, strategic, human, and operational priorities along with technological.

This inherently means the need for different skills, expertise, and backgrounds for CISO’s than were required just five years ago.

Overall, we’re seeing organizations require the CISO role to not only understand, but more importantly, be able to clearly quantify how and where cyber security adds and maintains value to the organization’s core business and overall strategy.

Where should a CISO sit in an organization’s structure? How would you describe their “identity” as part of leadership?

This is a hotly discussed question over the last several years… and there’s no one right answer.

It’s going to look different for a small or medium-sized business than it will for a large enterprise or a multi-national organization.

When I speak with boards and executives, the main point I emphasize is that cyber security primarily deals with managing risk. Hence the focus should be on understanding where the role will be most effective in understanding, making, and operationalizing risk-based decisions that could impact almost any part of your organization. Following are some considerations that can help guide the conversation:

• Does your organization have a mature and integrated risk management approach or culture? If so, positioning the CISO role as part of, or near risk management, at a level where decision rights reside should be considered.
• Is your organization publicly traded and/or in a highly regulated industry? Many regulatory bodies (i.e.: the SEC for publicly listed companies in the U.S.) have been and are expected to continue increasing the regulatory requirements to have executives/board members with cyber security expertise. Positioning the CISO role within senior leadership of the organization may help align to growing regulatory requirements.
• If safety, physical security, or threats from advances entities such as nation states are a primary concern, positioning the CISO responsibilities where the Chief Security Officer, or operational security areas may provide the most direct oversight.

There isn’t one prescriptive “right way” but it’s important that where the CISO sits it has visibility and ability to effectively drive decisions across your organization, considering your culture and threat/risk environment.

That trickles down to cyber security in general – where should it fit as a business function? Within IT or as part of operations? Or somewhere else completely?

Depending on the maturity of the organization – again, not saying there’s one right answer to this – but generally, as an organization starts maturing into digital transformation, it starts increasing its reliance on data and technology as part of its core business.

Cyber security responsibilities and roles start becoming spread out across the business. It starts becoming engrained in almost every part of the business now.

From a generation perspective, we would see cyber security start off within the IT group and sometimes it becomes a standalone function or business group within IT. But now we’re seeing cyber security responsibilities for a lot of organizations are no longer siloed into a single function but rather have become distributed across the organization.

An example I give is thinking about cybersecurity in line with finance. Financial management is something that’s been around for hundreds of years, and it doesn’t matter what business you’re in, everybody understands they have a budget and they have limitations to that. It’s everyone’s responsibility to manage their finances and cyber security is now becoming everyone’s responsibility as well.

When it comes to reporting and gauging the success of a cyber program, what questions should business leaders be asking their CISO?

One of the biggest evolutions in the maturity of the cyber security function is understanding how cyber security is contributing to or adding value to an organization. And reporting on that has become critical.

Understanding how we measure effectiveness and value in cyber security is also evolving. There are some tactical metrics such as mean time to recovery, mean time to detection, mean time to response, and those are all very valuable metrics that still need to be measured and understood in context. But what we’re seeing at a higher level is that executive reporting on cyber security is maturing towards answering a number of questions, including: how effective and relevant are our the controls, what are the financial and operational impacts to us in the event of a cyber breach, how resilient are we in recovering from a cyber attack, where is the most effective us of capital going forward in managing threats and risks that the organization is dealing with?

The second component is translating that to value for the organization. If we spend money or make an investment in a certain area, we need to see a visible return so the ability to report on cyber security value is key.

Compliance is another important metric and as regulatory bodies increase their requirements for cyber security, it’s important to ensure you understand your compliance requirements and can report on your state of compliance at any given time.

Back to the role of a CISO – what are some of the skills and qualities you’re seeing as key for the next generation coming up?

For me, the success of the next generation of CISOs is as a business leader that understands the business context the company operates within and has experience in areas such as financial management, people and talent management, process, management, etc. Skills such as critical thinking through a business lens, not just technology-centric, but the ability to truly understand complex issues is also key.

It’s important to still have a technology understanding but as technology has now become more ubiquitous it is not the unique differentiator it once was. It’s the business impact and understanding how the business operates with the ability to translate cyber security into that lens that’s going the make the biggest difference.

Do you have any final advice for cyber experts as they move forward in their careers?

One of the biggest values I’ve found over the years in my role is diversity. Personal diversity in experiencing different industries, geographies, roles, organizations, and team diversity of the people I work with ultimately results in valuing diversity of thought when we bring those things together.

For someone who is starting their career in cyber security my suggestion would be to have a personal plan and continually visit it as you mature to balance both the expertise and the experiences you’re acquiring to be as diverse as possible in your field. Such as getting exposure into areas such as risk management, financial management, process management, so that you’re not necessarily just focused on one domain.

The one unifying thing with cyber security is that at some levels, it doesn’t really matter what industry you’re working in. There’s uniqueness and specializations between industries of course, but our increasing move towards digital transformation is the leveling factor that I believe opens more opportunities for people.

Your experience working in different industries, businesses, and environments with a diversity of people leads to a rich set of experiences that I see as critical in the next generations of CISOs to help continue to mature cyber security into the next generation of business and society as a whole.