CIO Straight Talk - Issue 10 - 10

DNB's Berit Børset serves as chairman of the
board of FinansCERT Norge AS, which was
established in 2012 to facilitate cybersecurity
information sharing among financial institutions
in Norway. Five years later, as Nordic Financial
CERT, the collaboration has expanded to include
banks in Sweden, Denmark and Finland. The
banks "share information and assist in handling
security incidents when they occur," says
Børset. Leading and participating in regional
and industry cybersecurity collaboration means
that the CISOs in these financial institutions
are now seen by business executives "much
more as partners" who take part in boardroom
discussions on security, Børset adds.
Successfully presenting to the board, says
Gartner, means connecting the cybersecurity
program goals to business risks. While many
organizations continue to think of cyber-risk
solely in terms of internal network penetration
and defense, others are developing a more
comprehensive risk management strategy
that includes all digital assets-websites, social
networks, VIP and third-party partner exposure,
branding and reputation management,
and compliance.
Not a moment too soon, according to the
National Association of Corporate Directors,
which points out in its 2017 Cyber-Risk Oversight
report that over the past 25 years, the nature of
corporate asset value has changed significantly,
shifting from physical to virtual. The NACD
estimates that close to 90% of the value of
the Fortune 500 now consists of intellectual
property and other intangibles.

eMBeDDIng SeCuRITY
THROugHOuT THe
enTeRpRISe
Given the wide-ranging business impact
of cyber-risks, members of our panel are
developing and implementing specific processes
and policies to ensure security guidelines are
followed by the rest of their organizations.

10

First and foremost, security must be integral to
the work of the IT team and the development of
software applications. "Security considerations
and standards are embedded in the IT process
and there is a joint sign-off at the end," says
Cloutier. Similarly, Børset and her team "ensure
that security requirements are followed by
software developers," via close coordination.
Martino has established a program he calls
"service security primes," in which manager level
staff in different IT groups are chosen to be the
single point of contact for security escalations.
"What I get are people embedded throughout
the organization that the IT leader cares about
because they report up to" that leader, Martino
says. This results in a "stronger partnership to
make informed decisions."
Embedding security throughout the business
also means going beyond the IT group. At DNB,
each business area has its own special security
coordinator, says Børset. At Entergy, Sheikh is
using a number of governance and compliance
committees to keep "stakeholders informed
about our cyber maturity level and where we
need to continue to invest."
"It's not possible to
secure huge amounts
of data manually-we
automate whatever
we can."
Berit Børset
SVP & CISO
DNB

At Cisco, security is embedded in all business
processes, whether it's HR's handling of
employee data, Marketing's handling of customer
data, or Engineering's handling of intellectual
property. This makes "everyone accountable in
some way for the overall security experience,"
says Martino. "If as CISO I'm the only one
responsible for security, I'm going to fail because
I can't scale to all those different processes."

Organizations can investigate only 56%
of the security alerts they receive on
a given day.
CIO Straight Talk - Issue 10

Table of Contents for the Digital Edition of CIO Straight Talk - Issue 10
