For the last two years, Cybera has facilitated a Shared Chief Information Security Officer (CISO) program for its members. The program dates back to 2017, when NorQuest College and Lakeland College teamed up to share a single CISO: security expert Curtis Blais, who remains the Shared CISO today.
Sharing a CISO was a new endeavour at the time; the model had only just been piloted in Ontario by Cybera’s sister organization, ORION, about a month before Alberta’s initiative began.
For this post, we spoke to Curtis about what a Shared CISO actually does, and what the benefits are for smaller institutions to bring in a part-time security advisor.
To start, what is a CISO?
A CISO is responsible for the digital security of an organization — making sure everything is in place for a functional digital security program.
And how does this role change when you’re only doing it part-time?
You certainly have to be more strategic when building an organization’s digital security system on a part-time basis. The Shared CISO is someone who uses their expertise — having done this for dozens of organizations previously — to bring all the appropriate components together, in a more formalized way.
Most organizations are already doing many of the right security things. Formalizing their program helps to ensure gaps are not missed, and appropriate actions are taken to fill those gaps. It’s sort of like having a coach alongside you to help think through things, and provide expertise in the area of digital security.
How did you get into the Shared CISO role?
A couple of Alberta institutions got together because they were having trouble finding the right people, with the right experience, to build their cybersecurity programs. If they found someone they liked, individually, they couldn’t afford them, and the people they could afford were too junior.
So they got together and said: “Hey, what would happen if we shared somebody?”
They talked to a recruiter, who I also happened to be talking to, and they introduced us.
I had been doing lots of security consulting already, and have to admit, higher learning was at the bottom of my list for who I wanted to work with. I saw them as having too many departments, too many needs, and too little money. But I thought this sounded interesting.
NorQuest originally organized the program, before Cybera saw this as a great fit for the kinds of offerings they already provide, and agreed to take it over.
What do you think the benefits are for an institution to bring in a CISO?
The main thing I do is advise organizations that are ready to implement a serious security plan. I support them with formalizing their programs, and building standards they can follow.
I’ve found that many institutions appreciate having that external expert to not only point out the areas they need to focus on, but also to be an authority voice that people across the organization — from the exec team to the technical staff — are willing to listen to.
I’m also mentoring their staff. These organizations often have people who are not officially trained security experts, but are interested in that area. I’ll help them learn what they need to know to take on the security management for the institution.
And the big benefit of a Shared CISO is that you don’t have to pay the full cost for this expertise.
Why is it important to have formalized security standards and processes?
Having standards with teeth gives the organization the ability to properly protect things. This is something I’ve learned through experience.
There’s the antecedent (the standard) and the consequence (what happens when the standard isn’t followed). Sociology studies tell us that the antecedent, by itself, provides about 20% compliance. The consequence, on the other hand, brings about 80% compliance. For example, a posted speed limit of 100 km/h (the antecedent), by itself, does not drive too much compliance. It’s the expensive fine (the consequence) that brings about more adherence.
What steps should an institution take before they enlist your help?
The most important thing to have in place before looking to leverage a shared CISO’s expertise would be executive support. And by “support”, I mean funding support and the desire to set organizational security standards. If you have those things in place, you have a great foundation for establishing a more formalized security program.
I have worked with a few organizations in the past where the middle management wanted to formalize the security program, only to have it diluted by upper management, to the point where it was not really improving the organization’s security maturity. It’s hard to imagine any organization not taking digital security seriously in today’s environment, but I assure you, they exist.
I recently chatted with a colleague who had been asking for funding for security items, and was constantly being denied. Then they had a rather public event. After that, there was plenty of funding to support the security items. It’s unfortunate, because it really would have cost them less if their organization was protected from the beginning.
For more information on the Shared CISO program facilitated by Cybera, contact email@example.com.