With all the chatter about cybersecurity these days, the Chief Information Security Officer (CISO) is certainly garnering a lot of attention. Needless to say, CISOs have the great responsibility of identifying vulnerabilities in their enterprise IT strategy. CISOs have to lay out a clear strategy for remediating these cybersecurity vulnerabilities before it’s too late, while simultaneously boosting IT productivity and, let’s not forget, reducing capital expenditure (CAPEX) and operating expenditure (OPEX). However, this post is LESS about CISOs.
With increasing regulatory oversight and spot audits in industries like financial services, it concerns me that the role of the Chief Compliance Officer (CCO), or as I like to call it the Chief Information Governance Officer (CIGO), is NOT talked about all that much. Navigating through regulatory land mines, chief compliance officers bear the burden of managing risk by balancing regulatory policies with the daily operations of a firm (and without adversely affecting firm productivity, of course). Needless to say, the cross-functional nature of the role spreads from regulatory affairs to cybersecurity enforcement to social media compliance. It goes without saying that TIME is the scarcest resource on their planet. With manual checklists, Excel spreadsheets and lots of paperwork involved, the role calls for certain personality attributes like attention to detail, superior time management, multi-tasking ability and a keen sense of intuition. And, let’s not forget - stress management.
While many firms have functional roles that include a chief compliance officer, chief operating officer, chief technology officer, chief information security officer, chief risk officer, VP of regulatory affairs etc., smaller firms can’t afford that luxury, and in most cases one spirited individual on the management team is assigned all of these tasks. Needless to say, the role of the compliance officer is challenging by itself, and routine context switching creates cognitive dissonance for the common person. While it’s true that CIGOs have the challenge of working in the shadows, keeping the firm compliant and out of the newspaper is their reason for being.
Let’s look at the task of drafting a cybersecurity policy framework for a firm and some of the challenges this specific activity poses for CIGOs. Again, this is a crucial activity for most firms, and CIGOs have to work with legal teams as well as their IT staff to draft a policy that addresses regulatory requirements and captures the existing information flow at their firm. A number of critical challenges come up. For instance,
1. Compliance Officers and IT teams speak different languages: As a pseudo-IT person myself, I can safely say that IT teams tend to live in a world of putting together a bundle of “best of breed” products to secure a firm’s infrastructure. However, with this comes quite a bit of complexity. Highly effective IT teams produce volumes of log and security event data from their favorite Security Information and Event Management (SIEM) tools. However, someone then needs to translate this data into plain English for consumption by mere mortals, or in this case, compliance teams and senior management. Guess who gets the task of driving this?
2. "Compliance is NOT cybersecurity": Many technocrats propagate the idea that compliance is not the same as cybersecurity (Translation - compliance is “basic" existence while cybersecurity is a much "higher state of being"). While this may be true, it's the subtle undertones of this comment that I take issue with. Let me explain- if compliance is not the same thing as cybersecurity solutions, then that would mean that any good and efficient cybersecurity program would automatically encompass all that a compliance team needs, as a consequence. So, let’s take a simple example - a regulator or compliance officer asks an IT manager to pull up the last 10 WiFi networks each of the firm’s employees had connected to from their laptops, within the next fifteen minutes. That would be easy, right?
3. Policy enforcement checks and automation: So, a cybersecurity policy framework is drawn up, but now on to the hard part. How does a CIGO put a process in place to ensure continuous compliance? No firm wants to see a cybersecurity compliance manual that is out of date, or worse, not followed. Again, whose responsibility is that? Do you rely on employees or IT teams self-reporting? What proof exists to substantiate the firm's compliance claims?
4. Education and Security Awareness: CIGOs have to ensure that the staff is in complete agreement with the policies and stays compliant. Let’s face it, cybersecurity is a dry subject for most business people. It's a "non-revenue generating" activity, and who’s got time for that?! Again, the CIGO has to ensure that everyone takes time out of their busy day to understand all the policies and agree/sign up to follow them.
5. Contingency Planning and Incident Response: It’s great to hope for the best, but planning for the worst is the daily mantra for most CIGOs. Putting together a contingency planning and incident response protocol is no easy task either. It requires firms to keep up with regulatory and client reporting requirements as well as ensure that the firm has a team of resources on ready five to assist with damage control.
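As an added example (not code from the original post), here is what answering the WiFi question in item 2 looks like once laptop association events already sit in a central log, together with the plain-English summary item 1 asks for and the approved-network check item 3 asks for. The log format, user names, SSIDs and the approved-network list are all constructed for the illustration; without such centralized collection in place beforehand, the fifteen-minute request cannot be met at all.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: one WiFi association event per line, in a hypothetical
# "timestamp user SSID BSSID" format as a laptop agent might forward to a SIEM.
SAMPLE_EVENTS = """\
2024-03-01T08:02:11Z alice CorpWiFi 00:11:22:33:44:01
2024-03-01T12:40:03Z alice CoffeeShop_Guest aa:bb:cc:dd:ee:01
2024-03-01T18:05:47Z alice HomeNet-5G ff:ee:dd:cc:bb:01
2024-03-02T08:01:09Z alice CorpWiFi 00:11:22:33:44:01
2024-03-02T09:15:30Z bob CorpWiFi 00:11:22:33:44:02
2024-03-02T19:22:10Z bob AirportFree 11:22:33:44:55:02
2024-03-03T07:58:00Z bob CorpWiFi 00:11:22:33:44:02
"""

# Constructed policy input: networks the (hypothetical) policy allows on laptops.
APPROVED_NETWORKS = {"CorpWiFi"}


def parse_events(text):
    """Parse log lines into (timestamp, user, ssid, bssid) tuples; skips blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ssid, bssid = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ssid, bssid))
    return events


def last_networks(events, n=10):
    """Return {user: [ssid, ...]}: the n most recent distinct SSIDs per user, newest first."""
    by_user = defaultdict(list)
    for _, user, ssid, _ in sorted(events, key=lambda e: e[0], reverse=True):
        seen = by_user[user]
        if ssid not in seen and len(seen) < n:
            seen.append(ssid)
    return dict(by_user)


def unapproved_networks(report, approved=APPROVED_NETWORKS):
    """Continuous-compliance check: which users joined networks outside the approved set."""
    return {u: [s for s in ssids if s not in approved] for u, ssids in report.items()}


def plain_english(report, approved=APPROVED_NETWORKS):
    """The one-line-per-employee summary a compliance officer can read without a SIEM."""
    flagged = unapproved_networks(report, approved)
    return "\n".join(
        f"{u} recently connected to: {', '.join(report[u])}"
        + (f" (outside policy: {', '.join(flagged[u])})" if flagged[u] else "")
        for u in sorted(report)
    )
```

Run `print(plain_english(last_networks(parse_events(SAMPLE_EVENTS))))` to see the summary; the same functions work unchanged on a larger export as long as each line keeps the four fields.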
Sid has over fifteen years of software and hardware technology expertise spanning cyber-security, enterprise cloud infrastructure and software applications for financial services and other regulated industries. Sid led a program to accelerate Suite B cryptographic algorithms in hardware as specified by the National Institute of Standards and Technology (NIST) and as used by the NSA's Information Assurance Directorate in solutions approved for protecting National Security Systems (NSS). While studying at Berkeley, Sid worked on software projects involving foundational internet and open source protocols widely used today to connect servers on the web, deliver email or transfer files securely and efficiently. Sid holds dual Bachelor of Science (B.S.) degrees in Electrical Engineering and Computer Science from UC Berkeley.