Many years ago, a board member said to me, “We’ve employed you to do information security, so why do we have to do anything?” This was fairly typical. My experience in the past has been that information/cyber security professionals have often been relegated to giving advice on the threat landscape and risks, and then futilely lobbying the board for visibility and resources to put appropriate controls in place.
In 2019, that attitude will finally, and permanently, change. Instead we will see organisations start proactively approaching information security experts for actionable advice and guidance. And rather than fighting for a seat at the table, information security leads will be given one without even asking. The CISO will get a seat at the boardroom table in businesses across all sectors. The price of this new visibility will be utility; only actionable, relevant, timely and understandable intelligence will enable a CISO to keep that seat. A key message which the CISO will have to drive to the board is that breaches are inevitable; good security is a balancing act between too much and too little security, and the board is responsible for defining their organisation’s balancing point.
Of course, we know that a key driver for this change will be the pressure that GDPR has introduced into business, not least due to the fines that can be levied on companies which have been breached, or which have failed to comply with the Regulation. I think we are likely to see the first tranche of breach-related fines announced in June 2019, which will set the scene for business strategies and priorities thereafter.
I’m going to go out on a limb and predict that we’ll see a couple of significant fines to set the tone; maybe 1% - 2% of global annual turnover (not the maximum of 4% just yet - the regulators will want to leave themselves room to up the ante) applied to household names. These will, of course, be appealed by the companies affected, so the actual fines will not be confirmed until 2020. Once the likely levels of fines are clear, any businesses which are not yet governing their information risks at board level will reassess their approach. Being able to demonstrate due diligence will be increasingly understood to be the best way to reduce the chance of a breach, and to minimise the chance of a fine should the worst happen.
The CISO must work as an integrated part of the leadership team alongside the other heads of business, and especially with HR, because user education is one of the biggest factors determining whether organisational information security is effective. While technology obviously enables the implementation of many information security measures, it does not stop a resourceful user from circumventing them. Depending on the success of awareness initiatives and the suitability of the technical controls, people can be either a major component of our protection or a major component of our risk.
With this in mind, more organisations will take a communal approach to tackling information security, by ensuring that staff at all levels are actively engaged, and empowered to make informed decisions. The increasingly normalised adoption of personal devices and remote working will also drive this transition. As employees become more involved in the process of managing information risk and begin to embed this mindset into their everyday roles, information security will finally be understood to be our shared responsibility. But this transition in mindset can only be achieved if information security is driven from the top down; investment in appropriate technology, and fundamental shifts in policy and process, are necessary to empower staff.
Board-level ownership of information security will become the norm as we move through 2019. And it will make the difference between effective proactive security, and scrambling to deal with the fallout of a breach.