Chief Information Security Officers are in growing demand as cyber threats evolve and security becomes an integral part of every business. More than two-thirds of 2017 CIO 100 organisations had a CISO or equivalent, while President Obama’s White House administration appointed an inaugural US federal CISO in 2016.
But the rapid and recent rise of the CISO means the position is not always fully understood by the executives it supports. This can cause CISOs to be confined to the IT department when they need a secure presence in the boardroom to implement and communicate their plans.
Many argue the CISO is primarily a leadership role and needs a seat at the C-suite table to fulfil this function. Rémy Cointreau CISO Xavier Leschaeve quickly gained this position after joining the French alcoholic beverage company in 2015, and says other CISOs must explain their role in business rather than technical terms and demonstrate operational value.
“The top management, they don’t care about technology,” says Leschaeve, who previously worked as a global risk officer for insurance giant AXA. “What they are interested in is the risks for the business. So I try to present all the security risks in terms of operational risk management.
“You really have to have a higher view and to try to see what the big impact will be in terms of the business and the impact it will have on the company. Even if it’s not totally accurate all the time, try to present that and to be closer to the business with that.”
It’s a role that has changed immensely since a £6 million cyber heist at Citibank in 1985 led the company to appoint security executive Steve Katz as what is widely considered the world’s first CISO. Communication skills and a deep understanding of the business are now as crucial as cyber security knowledge.
“In the past you were like a coder,” says Leschaeve. “Then one day a firewall arrived and you had to manage this device.
“Then we started discussing anti-virus, patches and so on, but it was very technical. And then security moved more to risk management and security. It’s people, processes and tools. It’s not only tools, so you are obliged to work more closely with the business, with finance, HR, and to discuss the processes, how things can be secure, and you need to tend to the people.
“You need to discuss with the top management because they have the money to give you the budget to do these things, but also they need to be supportive, they need to be the role model.
“If you have no role model, it’s difficult. In my company, our CEO is very interested and involved in security. When I joined the company, she was telling me all the things that I also noticed, and she is really a good ambassador for that – also the CFO, the legal audit department – we are all working together on the board because the threats are on so many different levels.”
The unified approach to security means that the organisation’s IT must protect the entire company, a necessity that grows more challenging as ways of working develop.
“In the past, you had your internal network, you had your firewall, you had your internal human stuff. Everything was internal. Now with all the mobile working, half of our users worldwide are people on the road all the time. Information is now outside the company, it’s no longer inside.
“We had a problem of how to store and how to share information, within the company, but also outside it.”
Rémy Cointreau staff were exchanging large files online through personal accounts on services such as Google Drive, considered ‘Shadow IT’ in that it sits outside the management of the CIO and the organisation. Leschaeve wanted to give them secure access to their data whenever they need it, wherever they are, while ensuring that the company maintained control over the flow of data.
To achieve this objective, the IT team turned to Box as their central storage and sharing platform, to ease the sharing of information across the company, from HR and finance to the duty-free team selling the brandy in the airport.
“Now if you want to share information with an external agency in the outside world, you use Box. You can share our link,” says Leschaeve. “You can invite people to collaborate. I can track that, and I am in the process of banning all the other file transfer and external sharing.
“Each time we are doing a migration, we tell them now you use Box, nothing else. If someone wants to go to Google Drive, I will see that and we receive an alert, and I will tell them, ‘you’re not allowed to use Google Drive, please use Box’, because with Box, it’s under our control.”
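As an added illustration of the control Leschaeve describes (Box as the sanctioned platform, an alert when someone uploads to another sharing service), the following Python is not from the article or from Rémy Cointreau’s IT team; the proxy log format, the sample log lines, the domain lists and the upload threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Sanctioned sharing platform named in the article (Box). The flagged
# services are an assumed list of what such a policy would treat as shadow IT.
SANCTIONED = {"box.com"}
UNSANCTIONED_SHARING = {"drive.google.com", "docs.google.com",
                        "wetransfer.com", "dropbox.com"}

# Constructed proxy log lines: "<timestamp> <user> <method> <host> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST app.box.com 5242880
2024-05-01T09:15:44Z bob POST drive.google.com 73400320
2024-05-01T09:16:10Z bob GET docs.google.com 1200
2024-05-01T10:02:51Z carol POST wetransfer.com 15728640
2024-05-01T10:40:00Z alice GET www.example.com 800
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parent_domains(host):
    """All suffixes of a hostname down to the registrable domain, e.g.
    app.box.com -> {app.box.com, box.com}, so subdomains match the policy."""
    parts = host.lower().split(".")
    return {".".join(parts[i:]) for i in range(len(parts) - 1)}


def classify(host):
    """Label a destination as sanctioned, unsanctioned sharing, or other."""
    domains = parent_domains(host)
    if domains & SANCTIONED:
        return "sanctioned"
    if domains & UNSANCTIONED_SHARING:
        return "unsanctioned"
    return "other"


def find_shadow_sharing(log_text, min_upload_bytes=1_000_000):
    """Return one alert per (user, host) whose uploads to an unsanctioned
    sharing service total at least min_upload_bytes. Downloads (GET) and
    traffic to the sanctioned platform are ignored."""
    uploads = defaultdict(int)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than crash the scan
        _ts, user, method, host, nbytes = match.groups()
        if method in ("POST", "PUT") and classify(host) == "unsanctioned":
            uploads[(user, host)] += int(nbytes)
    return [{"user": u, "host": h, "bytes": b}
            for (u, h), b in sorted(uploads.items()) if b >= min_upload_bytes]
```

In a real deployment the same classification would run against the web proxy or CASB feed rather than a static string, and the threshold keeps small browser requests from paging anyone.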
His focus on the overall business in his IT strategy is mirrored by Rémy Cointreau’s CTO Sebastien Huet, who joined the centuries-old company weeks after Leschaeve. His motto is ‘How to move from a technical model to business services?’.
“I am kind of a commercial for the IT services, so, I really focus on trying to understand how people are working, how we can support them, how we can help them also to change their process,” says Huet.
“We have a role to help them to change also and to try to have the right balance between changing everything and being disruptive and having people comfortable with the change. This is really the key.”