Rise of the CISO

CISOs from across the industry talk about how their role has grown in prominence in the capital markets industry.

They come from different backgrounds: some have experience as technologists, while others made a name for themselves on the business side; they are former risk officers and auditors, and hold degrees in economics or art. Some have even spent time in the military or law enforcement. They are chief information security officers (CISOs). 

While on paper this group might seem a random bunch without any thread to link them together, there is one thing they all share: across the industry, these men and women are receiving more face time with their firm's executive board as their position rises in prominence on both the buy and sell side.

As reports of cyber attacks across the capital markets have become an almost monthly occurrence, senior executives are growing increasingly aware of the importance of the people tasked with ensuring their company's information and systems are secure.

What used to be a job requiring an annual meeting with the board to gain approval on new security programs has evolved into a position that often has a direct line to the top executives in the company.

"The amount of time the CISO spends with senior management and the board has increased exponentially," says Mark Clancy, CISO of the Depository Trust & Clearing Corporation (DTCC). "I now do a large number of board presentations, whereas five years ago it was 15 minutes once a year."

Tipping Point
There was no precise moment when the entire industry mutually agreed upon the importance of the role of the CISO. Like most things in financial services, it was initially a slow process, eventually coming to a head when enough firms decided that pawning off security responsibilities to the chief information officer (CIO) or head of infrastructure was no longer a reasonable option.

Some, like Clancy, say a 2010 hack into Nasdaq's system was one of the first wake-up calls. The attack showed hackers were interested in infiltrating more than just retail banks, which house boatloads of personally identifiable information (PII) and are considered by many, albeit incorrectly, to be the goal of most hackers.

Others point to Iran's attack on US banks in 2012, which was carried out in response to Stuxnet, a cyber attack by the US and Israel on Iran's nuclear program in 2010. While the denial-of-service attack did not have a serious impact on the industry, the breadth of it showed the bar had been raised. Nation-state cyber criminals, unlike the average hacker, were neither sloppy nor disorganized.

"That was when the banking industry recognized that nation-state cyber-security activity was potentially in the crosshairs for the private industry," says Jim Routh, CISO at health insurance giant Aetna.

"Nation states have higher-skilled cyber-security professionals, and they have resources and deep pockets, and are willing to invest. That makes it somewhat different from fraud-orientated crime syndicates, which is typically what has been the primary threat for banks. When nation states get involved, the sophistication and maturity of the information security controls have to be at a world-class level because they have world-class talent," he adds.

Compounding this issue is the fact that all of these incidents were being publicly reported by media outlets around the world. Hacks were not only being discussed at private industry conferences, but were front-page news in The Wall Street Journal and The New York Times. This meant that even those who weren't plugged into the industry were aware of the increased threat posed by cyber criminals.

"I believe the massive amounts of news media coverage of breaches during the past few years, especially with the advent of nation-state hacking, has created a tipping point," says Bob Ganim, CISO for Neuberger Berman, an asset manager with $250 billion under management. "Breaches are not just something being discussed in the boardroom; they are a commonplace topic of discussion as your family sits down for their Thanksgiving meal."

They Come From All Over
While the rise of CISOs in the financial services industry is undeniable, what makes a good one is still open to debate. There is no secret sauce of degrees or experience that produces the ultimate protector of information security. Years ago, CISOs were traditionally pure technologists. Now, firms have adapted their approach to selecting the leaders of their information security.

One trend is to hire people with a background in law enforcement or the military. Some, such as Routh and Ganim, do not have an opinion on whether the military route is a good or bad thing. Others, like Clancy, say only a limited number have been named CISOs since they lack a business background. More often, they can be found in secondary security roles at capital markets firms.

Todd Scharf, CISO at the US Securities and Exchange Commission (SEC), spent more than nine years as a commissioned officer in the US Navy. He says it was a learning curve before entering the civilian world. However, those who come from the structure of the military bring their own set of abilities that are beneficial, such as being able to make fast decisions.

"We moved things along very quickly in some areas, much quicker than the organization was used to, and it was because we really didn't dilly-dally around," says Scharf, who worked at General Electric (GE) and the Financial Industry Regulatory Authority (Finra) before joining the SEC in 2009. "When we had enough information to make decisions, I made them. We got the support and we moved on."

All the CISOs interviewed for this article agree there is a growing requirement in the field to be able to address the board. Ganim says the CISO has to relay their message top down and bottom up, relating to both the back-office programmers and top-level executives.

Routh adds that it is a matter of speaking in business terms. "They need to simplify cyber security so the board and team members can understand the implications," he says. "That's a communication skill that wasn't necessarily in the standard toolkit for CISOs a decade ago; it is today. I would say it's one of the key differentiators for being successful today."

John Masserini, CISO at Miax Options exchange, says that while being able to speak to people on the business side is a necessity, at the end of the day the CISOs need to have core knowledge of the technology being run by their firm.

"It's far easier to teach a technical person how to speak business than it is for a business person to understand packages and bytes," he says. "They don't have to be a geek, they don't have to be a nerd, but they have to understand it."

Clancy says another crucial component is being a generalist. With the number of issues a CISO needs to deal with, it is more beneficial to a firm to have a person well versed in all disciplines than an expert in only one.

Blackstone CISO Jay Leek cites the tagline of an email he received from a correspondent in the early 2000s that speaks to how he approaches cyber security. "Without security there'd be no business; without business there's no need for security: find the medium," the signature read. The quote touches on the importance of balancing responsibilities.

"I generally prefer an entrepreneurial, business-first perspective that still maintains security as a top priority," Leek says. "As a CISO, at the end of the day, you just have to do the right thing for your shareholders and investors to make money."

Straight to the Top
Finding a balance between a secure system and one that allows the business to flourish is the type of thing CISOs must understand when addressing the board. Those meetings with upper-level management need to occur constantly, according to many of the CISOs interviewed for this feature. Many claim the person a CISO reports to is of vital importance. A direct line to the board will significantly affect how well a security plan is received and implemented throughout the company.

"If you have a CISO report to somebody deep down in the IT organization, you're not going to have the impact and change in the behavior of the company in a meaningful way to reduce the risk they clearly face," Clancy says. "If you report to someone at the top level, that top-down approach will set the tone. Tone at the top of the company puts a lot of things in the right direction."

Routh, who served as a CISO at KPMG, the DTCC and American Express before joining Aetna, disagrees with Clancy. At these four firms, he reported to several people and never experienced any restraints. While it might have mattered a decade ago where a CISO sat in the pecking order, Routh believes there is too much interest in a firm's security nowadays for him or her to go unnoticed by the executive board.

"Today, the senior business people are the ones pulling the CISO in; a CISO, therefore, has no choice but to respond to requests for the higher level of engagement across the business," he says. "The business leaders are asking for that. They're demanding that. It's not like we have to get an invitation. It used to be that way, but not anymore."

Know What to Protect
So what exactly occurs during board meetings between CISOs and executives? The CISOs appearing in this article say their biggest responsibilities are a combination of knowledge of the business and the ability to prioritize their firm's assets. It doesn't matter how big the security budget is if it isn't allocated to the right areas.

"You have to know where the most important assets are," Clancy says. "What are the core things that make your business work? What are your structural advantages? What are the important functions you perform, and where is the data and infrastructure that makes that tick?"

As one CISO at a hedge fund with more than $10 billion under management puts it, it would be easy to implement extremely restrictive security controls to protect the business, although by doing so, he would be likely to impinge on the abilities of his portfolio managers to make money.

"You have to find that balance that allows the folks who generate revenue to continue to generate revenue while protecting them," the hedge fund CISO says. "It really comes down to understanding how the firm operates, how we need to operate, and being able to design new controls in a manner that maximizes their efficiency and effectiveness while not impeding the business."

Routh argues that it goes beyond that, saying a CISO has to build security programs that are agile enough to change with the times. At Aetna, a daily risk score for the entire enterprise is calculated based on threats, vulnerabilities and the geopolitical landscape. Resources are then allocated depending on how the score has gone up or down in different categories. The fluid results mean Routh switches the prioritization of his project list quarterly and sometimes even monthly.

"We have to consistently adjust our controls to how the threat landscape changes and that happens rapidly," Routh says. "That turn-on-a-dime adjustment is the new norm."

Still Not All There
Despite the interest in information security, there are still those who are skeptical of CISOs and the role they play within capital markets firms. Large banks have seemingly always been at the forefront of information security, and rightfully so, as they often hold the most PII of all the branches of the capital markets. Asset managers have also become more aware of the importance of having a strong CISO in recent years.

Hedge funds, though, according to a CISO at one, have been the laggards of the industry. "Excluding the largest players that have had CISOs for years, at the medium- and small-sized firms and on the private-equity side, I have not seen a lot of CISOs," he says.

According to the CISO, the majority of hedge funds approach security with a check-the-box attitude. They simply make sure they have all the right answers on their request for proposals (RFPs) and due diligence questionnaires (DDQs). It's a security-by-appliance approach that has them buying hardware or appliances once a year to address new security threats. And while he says the industry is trending away from this, a significant number of hedge funds in the space still have that mindset.

"I see organizations that have a head of infrastructure who dedicates 30 or 40 percent of his time to security, or someone on their network operations team whose job it is to basically run their security appliances," the CISO explains. "That's not going to cut it as we move forward. Security is a full-time job. Protecting the organization is a full-time job. I hope it doesn't take an incident to get people to understand that, but I think it probably will."

Salient Points

·As cyber attacks from nation states, and media coverage of them, have increased, the role of the CISO has risen in prominence. High-level executives are becoming increasingly interested in talking to CISOs about the threats their firms face.

·The capital markets CISO role requires a strong handle on the most important assets of the business. Being able to prioritize where the security budget needs to be allocated at a firm is vital.

·There is no prototype for the perfect CISO. Opinions differ regarding the kind of background they should have. The one thing all of those interviewed agreed upon is that a CISO must have the ability to communicate effectively in business terms.

·Despite the growing number of CISOs in the industry, some firms, especially medium- to small-sized hedge funds, are still reluctant to invest in information security.
