CEIOs can provide a level of intelligence to cybersecurity that currently isn’t there
Historically, C-level executives haven’t been involved in their organization’s cybersecurity efforts. Even now, with the number of high-profile data breaches, the rise of DDoS and ransomware attacks, and the threat of fines for failing to meet privacy compliance requirements, the C-suite remains estranged from cybersecurity. A recent study from Deloitte found that just 38 percent of executives, and only 23 percent of board members, are “highly engaged” in their company’s cybersecurity.
This number is even more surprising given that the same survey found nearly all respondents, 96 percent, expect their company to fall victim to a cyberattack in the next couple of years. Yet they are doing little to update their security systems to meet the evolving threat landscape.
Why such a disconnect? C-suites understand cybersecurity is important, but they don’t know where to start, said Paul Kurtz, former White House National Security Advisor and CEO of threat intelligence platform TruSTAR. “Executives who make decisions about business risk management are having a hard time integrating cyber-risk into existing frameworks.”
Taking an Enterprise Approach
Kurtz thinks the way to engage corporate leadership is to reframe the way organizations have traditionally thought about cybersecurity. In most companies, cybersecurity is an IT issue. Instead, security should also be treated as an enterprise-wide risk management issue so that cyber intelligence can be managed across the entire organization.
This approach calls for adding a Chief Enterprise Intelligence Officer (CEIO) to the C-suite, a position that requires skills ranging from establishing priority intelligence requirements and integrating with appropriate internal tools to curating data so that its output is actionable.
“You can define the role of an Enterprise Intelligence Officer as a leader who creates business value from intelligence,” explained Kurtz. “They are in charge of setting intelligence collection requirements, managing multiple intelligence sources, and working across multiple business divisions to architect security workflows while maintaining governance and control.”
The CEIO is responsible for orchestrating the secure aggregation of data from different business units, ranging from fraud and abuse to physical and cybersecurity. This data then can be correlated with relevant data from a variety of external sources.
“We have seen several organizations mandate the creation of Fusion Centers to bring this data together under a senior official responsible for fusion and analysis,” said Kurtz. For example, one financial services company hired a senior executive from the U.S. Secret Service, who brought the skill set to ensure data is fused quickly and output can be quickly operationalized across the company to maintain security.
Privacy and security are integral to intelligence management and fusion, Kurtz added. Data must be fused while respecting privacy. Permissions, access control and encryption are critical. The requirements for these areas will be unique to individual departments within the organization. The CEIO will bridge those differences to improve overall security. Ideally, the CEIO will improve security in three ways: first, by expediting the investigation and resolution of suspicious events; second, by ensuring that the organization is accounting for all relevant data that may bear on an event; and third, by enabling you to more easily operationalize external data from ISACs/ISAOs and commercial threat intelligence providers.
Finding the Right Person to Fit the Role
Your CEIO should have substantial experience—Kurtz suggests at least 10 years—in setting priorities, encouraging organizations to collaborate and delivering actionable intelligence insights. The candidates who best fit these requirements are most often found within the military and intelligence community, as well as among private-sector leaders with experience in integrating and extracting value from disparate data sets.
While cybersecurity expertise is helpful, it is more important to have a CEIO who is driven to deliver actionable results consistently.
How do you know if your organization should hire a CEIO? It depends on how you answer these four questions:
- Do you have a clear set of intelligence requirements?
- Are you looking to fuse intelligence across the organization?
- How is intelligence or other data being used within the organization and what is your optimal goal?
- Who is responsible for cyber-intelligence today and is it appropriately aligned to your enterprise risk tolerance/governance?
“Executives must have a clear sense of what is most important to the business,” said Kurtz. “As a metric, ask your security stakeholders how much time it takes to investigate a suspicious event to determine whether or not it represents a real problem. We have found that those companies that fuse their own data first, before turning to external resources, save time and other resources.”