A CISO SHOULD NOT BE A CRY WOLF

December 15, 2016

These are exciting times for both CIOs and CISOs. As digitization grows, people seem to be more aware of the importance of cyber security too. A recent study by ISACA showed that there are 1 million job openings in security. Companies are aware. In October, the CEO of PostNL delivered a report to the Dutch Prime Minister with recommendations to improve general cyber security in the Netherlands. Two years ago, ICC Belgium and FEB delivered 25,000 copies of the Belgian Cyber Security Guide to the CEOs of Belgian companies. Communication is vital for us CISOs and CIOs to secure the required funds for implementing cyber strategies.

Secure our cultural legacy

That strategy is to secure our cultural heritage, our legacy. It’s a major change we have ahead of us, but we need the buy-in from the top to get the change done. Our role is to show that protection is necessary. In our previous post, AMS professor Yuri Bobbert already encouraged CIOs to make the magnitude of cybersecurity more explicit to their company’s board. He strongly advises reporting not only on the number of attacks you face, but also on the number of viruses that you stop. The business expects that proactive approach.

Cyber security as part of risk management

In this whitepaper, the Antwerp Management School analyzed twelve annual reports and how IT governance and risk management contribute to the success of their organization. “When you reach that level, the discussion on the cost of cybersecurity evaporates. Board members don’t want their face in the newspapers, they want to protect their reputation”, Bobbert explained. The CIO Advisory Board for the European Council believes that CISOs should be under the umbrella of the Chief Risk Officer, too. That leaves us with the question: where to place the CISO in our organization?
Our friends at the American National Institute of Standards and Technology (NIST) recently issued a study on security fatigue, which “can cause computer users to feel hopeless and act recklessly”. Marc Vael, president of ISACA Belgium, believes we should not overplay our hand: “People get fed up with others telling them what they are not allowed to do. We have to be careful about how to position security. Scare tactics don’t work, so let’s not become the annoying cry wolves. Security should be an enabler.”

In the automotive industry, for instance, Volvo is investing a lot in security by design. There’s a strong focus on safety that the technology world could embrace. As CIOs we should encourage our vendors to integrate it into their software and hardware development. Security is going through a transition to become more native, and we can help to accelerate it.