The evolving role of the Singapore CIO/CISO
DATA breaches have become an almost everyday occurrence, and organisations and governments need to act to squelch this alarming trend.
In the first half of 2018, there were more than 298 million malware attacks in Asia alone, according to the 1H2018 security round-up report by Trend Micro. Singapore alone saw an almost 10-fold jump in phishing incidents and around 5,430 reported cybercrimes, the recent CSA report noted.
The impact of any security breach - be it a ransomware or malware attack or a data breach - for an organisation can be immeasurable. Take, for example, Target's 2013 cyberhacking attack: the US department store retailer paid US$18.5 million in a security breach settlement. Likewise, Equifax's CEO Richard Smith had to step down after the uproar over a data breach. And just recently Verizon lowered its offer to acquire Yahoo, in the wake of two massive data breaches.
The examples above show how the lack of a solid cybersecurity strategy leaves an organisation vulnerable to financial, reputational, and personnel losses. Today, consumers expect the governments and companies with which they share personal information to safeguard the data. And executives and businesses are being held responsible for such incidents.
During the 2018 CLOUDSEC Singapore conference, industry leaders including chief information officers (CIOs) and chief information security officers (CISOs) from various organisations discussed the changing role they held. The leaders unanimously agreed that they were expected to go beyond their technical expertise and do more.
Security and cyber threats are taking the limelight today, and as corporate heads feel the heat, they turn to the CIOs and CISOs for the way forward.
Jack Cooper Holdings Corp, a car-hauling company, recently rearranged its organisational structure so that the CIO now directly reports to the CEO. The role of a CIO/CISO in the old days had been more of an operational one, in which they were in charge of managing vendors and ensuring the smooth running of the IT infrastructure.
Today's evolving IT landscape is riddled with pitfalls that only an expert in the field can manoeuvre around. Technical expertise, although it is a must-have, is no longer the most desired attribute of the CIO/CISO; he/she is also expected to come equipped with good leadership skills, strategic thinking, and business knowledge.
CIOs/CISOs are expected to advise the board on the ongoing security landscape, latest threats, and top-in-class security updates. For all you know, a simple patch may save you from an attack. The CISO is no longer relegated to the bottom of the roundtable but takes the lead in guiding an organisation through today's myriad IT security demands.
WHAT DOES THE BOARD HAVE TO DO?
The fact is that data and security cannot be the sole responsibility of the IT department; it has to be a collective effort. The board needs to take note of security and its importance, constantly update itself on prevailing security risks, and be more open to change.
In the case of Jack Cooper, its CEO Michael Riggs puts security on his agenda for the weekly Monday meetings, during which the CIO would update all the executives on cybersecurity matters, be it software problems with suppliers or companies that have suffered attacks recently. Occasionally, the board also uses the weekly updates to act immediately on a security recommendation, like a software upgrade or a process change.
From the youngest intern to the oldest board member, everyone must be aware of the risks and be prepared to act quickly. Prevention, after all, is better than cure. IT departments should conduct mock drills to educate their workforce, and "security first" should become the organisational culture. Top-level management should open more trusted dialogue for risk mitigation, and strategic business plans should be made in consultation with the CISOs today. With stronger privacy laws today, companies can no longer take risks with their customer data, and trust has become integral in business decisions.
CIO/CISOs will play a more active role in the boardrooms to ensure that security is not an afterthought. Most organisations will take a security-first approach and more companies will adopt more security products. Above all, we can also expect more integration between these products to happen.
- The writer is vice president, Asia-Pacific, Middle East and Africa, at Trend Micro