In early April, Wall Street’s oversight committee announced that banks’ oversight of cybersecurity measures at the outside firms they do business with remains a work in progress, at best. It cited a survey of 40 banks that found that only about a third require their outside vendors to notify them of any breach of the vendors’ own networks, which could in turn compromise confidential information belonging to the bank and its customers.
Fewer than half the banks surveyed by the committee said they conducted regular on-site inspections to make sure the vendors they hire – like data providers, check-processing firms, accounting firms, law firms and even janitorial companies – are using adequate security measures, the report said. About half require vendors to provide a warranty that their products and data streams are secure and virus-free.
“Benjamin M. Lawsky, New York’s superintendent of financial services, whose office began surveying banks on digital security in October 2014, said the responses showed financial institutions need to do more to keep tabs on the outside firms that have access to their networks,” said a Wall Street Journal article on the topic. “Over the last year, financial regulators nationwide have increasingly focused on steps taken by banks and financial firms to not only safeguard their own networks, but to ensure the outside firms they use are adequately protected as well,” the article said.
A separate Forbes article by Betsy Atkins, titled “Why It’s Time For a Board-Level Cybersecurity Committee,” reported that up to $21 trillion in global assets could be at risk from cybercrime. “As digital security breaches escalate, corporate boards should be aware that providing oversight on cybersecurity risks is part of their fiduciary duty. Boards should form a dedicated cybersecurity technology committee that may require new candidates with computer security backgrounds,” Atkins wrote. “The board also should require management to present their policies on cyber security in written form in terms of security practices, standards, and protocols for responding to security breaches. The board also should be able to identify the manager responsible by title, and in what timeframe they are to respond to an intrusion. In the event of a cyber-breach, the board should schedule an update from the security committee on any forensic review. The company may need to disclose any data breach in SEC filings if the breach was material. Courts consider failure to disclose a cyber-attack as a ‘material omission,’ according to some interpretations of new SEC guidance on disclosure. In addition, the board should work with the general counsel to determine the extent to which existing directors’ and officers’ insurance coverage provides protection, and identify what issues should be overseen by the CIO, the board, or board/committee for action and/or approval.”
What does all of this mean? It’s an opportunity for you, if you are not already doing it, as CISO or CSO, to be the bridge connecting the two worlds of business and security and to be “customer facing.”
Possibly one of the biggest hurdles for some CSOs and CISOs is to understand they’re no longer the practitioners. The good ones realize this, and use their understanding of the security world to talk to their customers, to understand what they need and why they need it. Then they translate this to fit in with business objectives and explain it to the C-suite, to employees and to customers. By bridging these very different worlds, CSOs and CISOs can ensure that security has a seat at the “Customer Facing Board Table,” and keep security baked into the core of business driven decisions.
Depending upon your enterprise, your customer can take many shapes and forms, as seen by Dave Tyson, Senior Director, Information Security, at S. C. Johnson & Son, Inc. in Racine, Wisconsin, who has had the opportunity in several roles to be customer facing. His customer facing CISO role is one of “A relationship with business partners, including a growing and expanding field of vendor security, which entails evaluating and providing a high level of assurance that with that relationship, there is an appropriate amount of security,” he says.
Tyson, who is also the 2015 President of ASIS International, the first CISO to lead the organization, was previously CISO at Pacific Gas and Electric, the first power utility in the U.S. to develop and deploy the smart grid. “At the same time, people started to ask questions about the safety of the grid, so the California Public Utilities Commission launched an investigation into the security and usability of smart meters,” he explains. “As the CISO, I had to publicly give information to convince the regulators that consumers were safe. It was one of the first times that a CISO was in front of a customer speaking publicly about a security issue.”
At eBay, where Tyson was Senior Director of Infosec Operations, he regularly engaged with other business teams, he says, in addition to using the public and eBay customers to identify risks to the enterprise. “Those are examples of how a CISO has to stand up in front of the public and do things differently now,” he says.
“The financial services industry is taking a battering right now [in the public eye],” he says. “I tend to come to their rescue and say that they are also the most under attack. While I was at eBay we got attacks all of the time, so when you are the proving ground for new attacks, you have to be at the top of your game. And the CISOs who are not necessarily in front of the public, they are still working hard every day to protect their customers’ investments.”
Tyson adds that around the world, many Boards of Directors now have what some refer to as their “designated geek” who “understands the technology-speak; a senior leader on the team who can ask the right questions of management so as to provide appropriate Board-level oversight of cyber risks. When I was at eBay, I was seven levels from the president of the company, so I had to rely on my CISO for that. When I was at PG&E, I could directly speak to the CEO and tell him my concerns. As CISOs and CSOs we are on a continuous journey to become real business partners and have a ruthless focus on business priority.”
The “Grow Guy”
Robert A. Messemer, Chief Security Officer at Nielsen, the world’s leading global consumer measurement company, with 40,000 employees and operations in more than 100 countries, was appointed the company’s first-ever CSO in 2007. His experience of being customer facing within Nielsen is that: “The CSO/CISO role has always been an evolving role. As the business grows and matures, so must our role as a key leader to positively influence top-line growth.”
“Irrespective of our business, clients are more focused on cybersecurity than ever before,” Messemer explains. “No one should be better qualified within an organization to directly address these concerns both internally and externally than the CSO.”
For Messemer, close collaboration with business leaders positions him, as CSO, to act as a trusted advisor on a broad spectrum of strategic risk issues, including addressing client concerns about data protection and privacy. “In this way,” he says, “the business leadership perception of the CSO shifts positively from being perceived as the ‘No Guy’ to the ‘Grow Guy.’ Our senior business leaders, particularly in new business development, marketing and client service, value my direct engagement with our clients, especially because it demonstrates our deep commitment to data protection and privacy concerns.”
Michael Couzens, VP & CSO, Enterprise Security, at Baker Hughes, says that a number of corporate security teams still focus largely on their internal customer and overlook the needs of the company’s external customer.
“There have recently been some well publicized security breaches where customer data may have been compromised or stolen,” he says, “and it is against this backdrop and a growing awareness of security risks that customers are rightly starting to ask more probing questions about the security their partners, vendors and suppliers provide. Increasingly, security has become marketable and a competitive advantage. Companies need to be able to give assurances about security, confidentiality, privacy, resilience, integrity and availability. A strong customer focus can be a significant contributor towards overall success and involves ensuring that all aspects of the company put its customers’ satisfaction first. The company that best anticipates, understands and exceeds customer expectations, in this respect, stands well positioned to gain market share.”
In this regard, the role of the CSO at Baker Hughes, he says, is to play a key part in building trust, transparency and confidence. The CSO has to be able to bridge between the business, the customer, vendors and regulatory authorities. Just as elsewhere in the business, the CSO needs to be customer-centric, focused on service delivery, execution, quality, reliability and customer satisfaction. Being visible and willing to talk openly about security, and about the value an enterprise places on security, provides reassurance. “The CSO has to be prepared to meet with the customer, to listen to their requirements, solicit and act upon feedback and seek to add value beyond the immediate terms of the contract or service being provided. It is worth asking yourself how well attuned you are to the voice of the customer and how easy it is for them to have their voice heard,” he says.
At Baker Hughes, one way Couzens and his team have developed excellent customer and vendor relationships is by collaborating on crisis management training and exercises. This has helped forge strong relationships, build trust and better prepare the organizations involved for any future crisis, he says. Other areas where collaboration has improved the customer experience have included incident management, product design and integrated security solutions. “We have also been willing to share our knowledge and assist other security teams in developing their policies, processes and systems,” he says. “Security is not just an add-on but a differentiator and marketable. Providing a trusted service can contribute towards significant revenue generation,” he explains.
Just as Couzens and his team seek to surpass their customers’ expectations, he says he expects the same from vendors. “Security partners should not only have a good understanding of our business but also the primary risks we face and the prevailing market conditions,” he says. “A mindset of enabling and contributing towards the success of the client is fundamental. There needs to be an open dialogue so that both sides can optimize the relationship while recognizing any constraints that may exist. There is merit in working together to collaborate on services and products for longer term benefit and to develop solutions for shared challenges. Like many others, within our contracts we set ‘stretch’ KPIs and meet regularly to discuss performance. We’ve considered including penalty clauses and incentives but have yet to fully introduce these, recognizing that security is a combined effort with shared responsibility for performance.”
Dave Komendat, CSO at Boeing, says CSOs need to be engaged with the business leaders within their company. The first dialogue you have with a key management official should not be as a result of a crisis. Engaging early and often to make sure that there is a known and trusted relationship is key. “My team strives to be customer facing,” he says. “The leadership team shouldn’t have to reach out with questions; they should already know the players, processes and procedures in advance.”
For example, during the April 2011 earthquake in Japan, Komendat says he happened to be awake around the time the earthquake struck (2:00 a.m. PST), so he immediately got in touch with senior leadership to assure them that he and his team were not only aware of the situation, but were already in the process of contacting Boeing employees in the country and employees en route to determine their health and the safety of their families, and that he would be back in touch within two hours with an update on the situation. “That initial contact showed leadership that we were already engaged, and it gave our Crisis Management team the time it needed to fully assess the situation and the impact to our employees and operations in-country.”
John Imhoff, CSO at EY (formerly Ernst & Young), has worked specifically with procurement staff at the firm so that contract language ensures that “key vendors are not exposing us,” he says. “And that happens at several levels. For example, Security has been involved in the designing of business continuity clauses for contracts to ensure that there is substance behind the words. Thirteen years ago, when I started with this organization, that was not the usual practice; it might have happened, but now, everyone is looking for that. There has been an evolution over the course of my tenure here.”
Imhoff also partners with the company’s IT and privacy teams on a platform used to respond to customer queries about the company’s own business continuity, cyber and physical security, and privacy practices, and to ensure regulatory compliance and implementation.
Frankly, with regard to the company’s vendors, Imhoff says, “when a service is critical we are big enough to do business only with reliable partners, so if a key partner doesn’t have the standards that we need in terms of their own resilience and internal controls, we will walk away. We can influence downstream, and we do that quite often.”