While information security remains a vital tool for organisations looking to drive down risk in the cyber-age, chief information security officers (CISOs) still aren’t afforded enough respect, says Amar Singh, former chief information security officer of publishing giant News International. He tells Chief Executive Officer why he thinks there is room for them to play a larger part in boardroom decisions, and why infosec is now as much to do with business strategy as it is IT.
Amar Singh isn't a huge fan of the title of CISO (chief information security officer).
"It's not sexy enough," says Singh, former chief information security officer at News International. "I would much prefer something like CIPO, for chief information and privacy officer, with each letter pronounced individually - just like one would say CEO."
While Singh's statement carries the faintest trace of frivolity, it serves as a possible indication as to the indefinable halfway house some of today's CISOs find themselves in, which entails them being part information technician, part business strategist.
On the face of it, the job description of a CISO is to protect data, while simultaneously driving down corporate risk. This, in turn, requires a comprehensive understanding of the risk and threats landscape that companies face on a daily basis. It's not a role for the fainthearted, says Singh.
"You can sometimes have an awful lot on your plate," he explains. "Today, there are regular threats facing every cyber-outfit, such as advanced malware. Information technology is a very loose term, perhaps, but it underpins everything that everyone is doing these days, regardless of the business.
"I consider myself to be an information risk officer," he continues. "My objectives are to take away fear, uncertainty and doubt from an organisation. If I can take those away, and give the CEO the assurance he needs so he can proceed with a project, I think I am doing my job properly."
Singh has first-hand experience of such demands. From February 2012 to late 2013, he served as interim CISO at News International (now known as News UK), which, at the time, was - and still is - embroiled in the perfect storm as a result of the phone-hacking scandal.
By his own admission, Singh was "brought in" as part of the media company's clean-up operations, which included tightening security. And while unwilling to divulge too much on his time at the group, you get the feeling his role went beyond simply installing the latest firewalls and antivirus software across the mainframe.
"News UK has always pushed the boundaries of cyber-media, so I felt I was a right fit for the position," says Singh. "The main thing with media organisations is that they need to have a more open culture. Being relatively adaptable, I was able to let News UK go about refreshing its image, while I worked on the security side of things."
In the wake of the phone hacking scandal, the twin concepts of transparency and accountability have been heavily propagated, no more so than in the sphere of security operations. For Singh, this is firstly predicated on the CISO being known across all departments of their respective business - from legal and HR to marketing and IT.
"Transparent security is my mantra," he says. "This means I am able to share facts, figures and threats with every single employee of an organisation. If I can do that, I am doing my job correctly. If an employee doesn't know who I am, then we have a problem. But, if they are able to call or send me an email about something, and I can make information security more transparent; that's a good feeling."
But this isn't always the case, particularly when it comes to the current relationship between c-suite executives and CISOs. This disconnect disappoints Singh, particularly as increasing numbers of companies continue to invest in their cyber and mobile platforms.
"In all honesty, I believe some CISOs should be board members, reporting directly to the CEO," he states emphatically. "On a personal level, I'm quite sure I could handle being on a board, as I consider myself a business enabler as much as anything else. Yet, CISOs are not given mandates, because we are not judged to be senior enough.
"A lot of times, this battle ensues with a lot of ill-feeling. However, I am hopeful that CEOs will start to realise that if they want to carry on along the cyberspace path, and continue increasing their income there, they definitely need some kind of accountability that goes to them directly."
Part of the problem here is the preconception that the traditional remit of the infosec manager is strictly technical, and does not apply to a company's overarching business agenda. Singh believes a cultural overhaul needs to take place; a greater emphasis on communication and soft skills could help achieve this, he says.
"Like any position, human skills are vitally important, with some psychology thrown in," he says. "Unfortunately, in the past, you tended to find techies at the helm of security operations. While they are great at going right into the weeds, they tend to focus solely on the technical stuff. This isn't always the best solution, as companies can end up spending a lot of money, and misallocating resources and misappropriating resources."
Singh, it seems, is something of an anomaly, especially in the face of the traditional techie CISO he alludes to. As a self-professed autodidact and polyglot - he speaks five different languages - and having worked with a diverse range of companies, including BP, the BBC and Cable & Wireless, he differentiates himself through a keen appreciation of the business and technology spheres.
"Originally, I come from a business family, hence my leaning to understanding business," he explains. "Growing up in Singapore, I wanted to do my own stuff, and although I was also very tech-orientated, I left school after completing my O-Levels. So whatever I am now is all as a result of training and on-the-job learning."
While such skill-sets are worthy of admiration, they can be tested to the farthest limits in the field of business, particularly when the next black swan event might just be around the corner. For CISOs, implementing the best risk-management framework can be a complex business, given that it is difficult to quantify the exact financial damage a cyber-breach might inflict on an organisation.
In such instances, Singh's philosophy is based on keeping a cool head rather than applying scare tactics.
"I always try to bring a sense of pragmatism to security," he says. "Don't get me wrong, I know there is sometimes a need for paranoia, as I am fully aware of the nature of the world. But that needs to be balanced with a risk-based approach that says, 'Don't be fearful, but if you do this, these are the risks'.
"That really throws an interesting equation out, as it then also gives me a sense of the risk appetite of the business, or business unit. I don't just want to be scaremongering and creating uncertainty for the sake of it."
Game of risk
But what if risks aren't addressed or identified correctly? Singh accepts that such scenarios are likely to happen from time to time. However, if errors are committed, hands need to be held up in the name of accountability.
"Whether you are a supplier or customer, organisations need to start coming clean about their digital compromises," he says. "There is no need for too much detail, but there needs to be some kind of possibly non-punitive method - although obviously that depends on what kind of a breach it is - to acknowledge that you've compromised, but you've cleaned up your act. Only then can people move on."
Towards the end of the discussion, Singh returns to the idea of relationships between CISOs and their CEOs. As aforementioned, Singh holds the belief that if information security is to represent a linchpin of a business, the CISO should merit a seat on the corporate risk committee.
Only time will tell if this idea is to gain any traction. Nonetheless, that doesn't stop Singh being optimistic that CEOs are finally starting to come around to the idea of a more integrated and holistic approach to the way they manage information security.
"I think it's a gradual thing," he says. "But CEOs are starting to cotton on to the fact that they need someone directly accountable to manage security risks. I think that's the key thing here. As people move on into the cyber-economy, they need to know whether there is someone accountable to take that risk for everything cyber-related."