CISO Omar Khawaja had a single priority as his company, Highmark Health, shifted en masse to a remote work environment: Give workers the ability to get their jobs done from wherever they are.
But to do that as quickly as possible, Khawaja proposed relaxing certain controls. As he explains: “We exist to enable the business, so if we prevent the business from doing the things they need to do, it’s kind of pointless.”
Khawaja’s proposal might seem drastic, but he says he knew that the other remaining layers of security would provide the needed protection. Still, he wanted his C-suite colleagues to have the same confidence he had.
“I had to tell them that we’re relaxing controls, and the response was, ‘If you’ve done the analysis and you think it’s the right thing to do, then we’re supportive,’” he says.
CISOs have seen their roles evolve, moving from a managerial one focused on tactical deployments to an executive position involved with business strategy and risk management.
As part of this evolution, CISOs have had to build confidence among all stakeholders—customers, partners, employees, board members and other executives—that they and their security teams have the organisation’s best interests in mind when it comes to cyber security decisions.
In other words, CISOs have had to earn the stakeholders’ trust that they can seamlessly and consistently safeguard people, privacy, systems and data as each group goes about their usual business through changing times and even through extraordinary circumstances.
“Things are all upside down now. No one is working the same, and there’s a lot of discomfort out there. So as a security person you have to build that trust. It’s part of your job, and it’s what you get paid to do,” says Gene Fredriksen, a veteran security executive now serving as executive director of the National Credit Union Information Sharing & Analysis Organisation (NCU-ISAO) and cyber security principal for Pure IT Credit Union Services.
An essential element
The CISO’s capacity to cultivate trust is more than an esoteric discussion or business-school exercise: Experts say it’s an essential element for any CISO who wants to be successful in the role because it enables him or her to enact the policies, procedures and technologies needed to secure the organisation and, thus, prove to others—including customers—that their interactions with the company are safe.
“If you don’t have the trust, then your motives become questioned,” says Michael D. Weisberg, CISO of Garnet River LLC, an IT services firm.
He says CISOs need to be trusted so they’re heard when “they raise their hands and say, ‘Whoa,’” to policies, projects or ideas that could endanger that which they’re seeking to protect. Trust, Weisberg says, is what gets the stakeholders to pause and heed the CISO’s advice.
On the other hand, CISOs can’t be seen as the “department of no,” as so many have been viewed over the years, Weisberg adds. They must instead deliver solutions that enable the organisation, its partners and its customers to perform desired tasks without putting them at unacceptable risk.
“People trust co-workers and colleagues who help them solve their problems and are right in the help they provide,” adds Keri Pearlson, executive director of Cyber security at MIT Sloan (CAMS).
Monica Rowe, the CISO of Mazuma Credit Union in Kansas City, Mo., and a member of Women in Cyber Security (WiCyS), has taken that approach in her current role and indeed throughout her career.
She says she works on building relationships across all tiers of her organisation as well as educating C-suite colleagues about security issues. “You want to peel the curtain back a bit and give the right level of details,” she explains, saying that such an approach has helped the executive team understand security requirements in terms of business risks.
As a result, she says her colleagues see that “we’re all working toward the common good,” which in turn means they trust her to make the best choices for the organisation as a whole, not just the best choices for the security function.
Rowe has seen that trust pay off. She cites her ability to get executive support in 2019 to strengthen certain pieces of the credit union’s security posture, including its VPN capabilities.
“The CEO approved the funding, and because he believed in me, he didn’t question my need for this,” she says.
The executive team’s trust in her assessment that the improvements were needed allowed the credit union to quickly scale up its remote work capabilities in response to the pandemic, as the upgraded VPN proved capable of handling the increased load.
“Trust,” she adds, “gives you the ability to influence those decisions that affect the entire business.”
The value of trust
Current conditions also have highlighted the need for CISOs to build trust among employees, partners and consumers as they’ve all experienced pandemic-related shifts, while at the same time they’re seeing more reports about big cyber security attacks such as the July hack on famous Twitter accounts.
Make no mistake: Everyday people are paying attention.
“People are recognising more and more the amount of their data held by the companies they do business with and even the companies they don’t directly do business with. And more and more people are understanding the risks involved in that, not just the benefits,” says Steve Berez, a partner at Bain & Co. and a founder of the firm’s Enterprise Technology practice.
“So broadly the CISO’s job has a great deal to do about trust and creating trust that the data provided to the company is secure. That’s probably the most important role of the CISO today.”
CEOs have gotten the message, as most now believe that building and maintaining trust with their stakeholders is critical for success in the digital era. PwC found in its 21st Global CEO Survey that 87 per cent of global CEOs were investing in cyber security to build trust with customers.
“With the digitisation of the economy, we’re realising just how important trust is,” says Sean Joyce, a Principal in PwC’s Advisory Practice, where he is the U.S. and global cyber security and privacy practice leader.
From selling point to social mandate
Joyce sees an organisation’s ability to maintain security and privacy as a selling point to customers as well as to employees, business partners and its own leaders.
He points to his own online bank, which deployed a security feature that recently blocked an unusual purchase he was making (a paddleboard outing), sending a text to him at the same time asking him whether he wanted the bank to authorise the sale. Such capabilities distinguish it in the market.
“That’s what CISOs are doing, and they’re using it to differentiate their brands,” he adds.
In fact, PwC’s Digital Trust Insights Pulse Survey Findings 2020 listed trust as one of the key elements that CISOs must deliver to their organisations, recommending CISOs bring “imaginative ways to improve security, resilience and trust, while helping to contain costs by being a good steward of the cyber security budget.”
CISOs may not have much of a choice but to do so, as society is increasingly mandating this “digital trust,” says Benjamin Wright, a Dallas-based attorney who focuses on technology law and serves as a senior instructor at the SANS Institute.
“Society is passing laws and implementing rules that say, ‘Here are the complex requirements we expect you to meet, and you will be punished if you don’t meet those requirements and secure this stuff,’” he says.
The California Consumer Privacy Act, which went into effect in early 2020, is a case in point, but it’s not the only one. Other states, including Maine and Nevada, have also enacted data privacy laws while still others have introduced legislation. Those follow the European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018.
A new mission for CISOs
Cultivating digital trust may be a struggle for many, however.
KPMG’s The New Imperative for Corporate Data Responsibility found that 68 per cent of consumers surveyed don’t trust companies to ethically sell personal data; 54 per cent don’t trust companies to use personal data in an ethical way; 53 per cent don’t trust companies to ethically collect personal data and 50 per cent don’t trust companies to protect personal data.
And the 2018 Digital Transformation Index, a survey of 4,600 business leaders from 40-plus countries conducted by Dell Technologies in collaboration with Intel and Vanson Bourne, found that 49 per cent “worry their organisation won’t prove trustworthy in five years.”
Those worried organisations continue to see security as an impediment to speed and growth because they don’t have faith that their security functions are aligned with the organisation’s growth, says Brian Haugli, a partner and co-founder of the advisory firm SideChannel Security and a former CISO.
As a result, their CISOs are often locked out of early-stage strategic discussions and instead are looped into initiatives only in the later stages—when security is harder to integrate.
Meanwhile, Haugli says these same CISOs may not be prepared to take on the task of building trust. They may not yet see themselves as business enablers, key advisors and strategic partners but rather still see the role as being about technical oversight and delivering a block-and-tackle security program.
Experts, however, stress that leading CISOs have already embraced the concept of trust as a deliverable and indeed are making it the central theme of their entire security function.
That’s the approach taken by Khawaja, the CISO of Highmark Health. He identified trust as the epitome of what he and his security team do and actually declared as much when in early 2019 they rewrote the security program’s mission statement to better align with the company’s strategic vision.
The old mission statement spoke about security’s three business objectives—compliance, privacy and efficiency. The new vision statement reads, “Our vision is a world where people unequivocally trust their information is safe.”