The Key to Achieving Security Goals

Erik Blomberg, Senior Vice President, CISO, Handelsbanken

Once upon a time, the Swedish banks ran an operation where the only way to serve customers was through branches. Customers got their loans and their cash in the branch. To improve access to cash, ATMs were delivered, and in the late 1990s the first internet services were launched. Ten years later, Apple released the iPhone, the mobile era took off, and the situation today is totally different: banking customers now choose when, where, and how they want to fulfil their financial needs, on mobile devices and in real time. This is obviously having a huge impact on the financial industry, but it also has an impact on security. In the past, security was about physical protection of staff and cash.

IT security initially had the same positioning, to protect, but this is changing; protection, together with detection and response, is still key, but security is starting to be seen as a business enabler that delivers business value. This ties well into the changing role of the CISO. I am in my fourth year as CISO at Handelsbanken, a bank with its roots in Sweden that now defines six countries as home markets. The expectations on me as a CISO have changed a lot since I took on this role. Initially, it was about overseeing and implementing a cybersecurity program, understanding the key security solutions, and being the go-to person to handle a cyber crisis. This is still the case, but soon there was an expectation to provide senior management with the current cyber risk exposure, then that threat intelligence should be embraced, and now it is about becoming a business enabler.

So How to Become a Business Enabler?

First of all, there are no shortcuts: if you are in a sector where cybersecurity is prioritized, you need a security organization working in a structured way, and you need an active Threat Intelligence (TI) function to understand what you are up against. How this is organized, that is, in-house, outsourced, or a hybrid, is up to you.

With this as a foundation, let us turn to becoming a business enabler.

My recommended starting point is to ensure that your high-level security goals are aligned with and contribute to the corporate goals. The key challenge is to find the correct language, the words that appeal to upper management. One good example when delivering digital services is to talk about trust. This is probably the key value that all efforts in a security organization are aiming for: your customers need to have trust in your digital solutions.

Spend some time on this: iterate your security goals and map them to business values, meet the teams working with business development, and, to get inspiration, read your company's annual report. What is your CEO talking about?

The next step is to demystify cybersecurity for upper management. Nowadays senior management has good awareness of the potential consequences of a cyber-attack, since it is all over the media, but what does it really mean for your company? Which parts of your company are in scope? Do you have a lot of outsourced solutions and external partners? What are the critical functions?

I am personally fond of the NIST Cybersecurity Framework. I usually find that the Identify, Protect, Detect, Respond and Recover capabilities are easy for upper management to understand and grasp. But there are obviously a lot of other ways of putting cybersecurity in the context of your company and describing it in a pedagogic way. So now you have the values and increased awareness of cybersecurity; then it is about how to deliver.

The choice largely depends on where in the organization the security function sits and on corporate culture. One strategic approach is security integration, that is, embedding security as an integrated component in the corporate business processes. The processes can differ a lot depending on the sector, but looking at the financial sector, where banks are heavily digitalized, there are some key processes to consider.


The obvious one is the development process, from idea to launch, usually agile in its set-up. There are loads of materials available to ensure that security is integrated in an agile world, and this is definitely contributing toward trust.

And there are a lot of other avenues to explore: the additional processes that contribute to the business values you defined earlier, from the traditional ones such as lifecycle management and the incident process, through business/IT strategy and enterprise architecture, to the human resources process. It is also about meeting up with the investor relations and communication departments and putting security on their agenda.

The opportunity to discuss business values has improved over the last couple of years, which helps in initiating discussions about business value. But I still think that we in the security community need to stretch ourselves a little bit more and leave our security jargon behind. This is one of the key challenges for a CISO in the near future, and I am confident that if a good balance between business needs and security in digital services can be found, the company will not only be rewarded; it is a matter of survival.
