As NHS Digital begins the search for a new chief information security officer (CISO) after the surprise resignation of Robert Coles, our cybersecurity columnist Davey Winder muses on what qualities the recruiters should be looking for.
The surprising news that Robert Coles is stepping down from his position as NHS Digital’s chief information security officer (CISO) after just three months in the job has left many cybersecurity experts scratching their heads. After all, the process of searching for the right person for the job began way back in June 2017 and Coles was a perfect fit: a 30-year career in the field, a former CISO at both the National Grid and Merrill Lynch, not to mention his previous role as security chief at GlaxoSmithKline.
We must accept that the resignation of Coles was for personal reasons as stated, so I’m not prepared to speculate on that particular hot potato. What I will do is turn my mind to the question of what makes a good CISO.
Coles himself gives us the biggest clue as to the role of an effective CISO in the statement he made when his resignation was announced. He spoke of “the commitment to improving cyber resilience across the health and care system” and “the very talented and passionate cyber security team at NHS Digital” before finishing with best wishes for everyone involved in “building greater cyber resilience in the NHS.”
A clarity of thinking and risk mitigation
Heading up the strategic response to the many cybersecurity issues facing the NHS was the broad-brush job description for Coles, but managing both that ‘talented team’ and cyber risk within a notoriously difficult healthcare ecosystem were his real tasks at hand.
In this regard, the role of a CISO in the NHS is not very different to that of any other. It’s all about combining a clarity of secure thinking with managing people and resources to mitigate the risk to data, devices and services as best as is humanely possible.
Truth be told, it’s not a job I would relish at the best of times – not least as a good CISO must be able to bring the rest of the c-suite on-board with the best strategic responses to security risks that face the organisation. It is a huge red herring to think a CISO is focused on technology. Nope, the real focus is on embedding a culture of security within whatever organisation they are working for. That culture needs to be ingrained from the bottom to the top and, unfortunately, it’s at the upper reaches where things usually start falling apart.
Can’t do it alone
I have made the argument more than once that the business realities of dealing effectively with the threat landscapes of today require an ever-closer relationship between the chief financial officer (CFO) and the CISO. After all, without the money to enact the best security strategy, the CISO’s hands are tied. And without properly understanding the financial impact of the security risks faced by the organisation, the CFO is equally hamstrung when it comes to balancing the books and delivering value.
I wouldn’t go so far as to suggest that the CFO and CISO roles should merge, but they do certainly need to be joined at the hip if we are ever to move on and start winning the battle against the bad guys.
But the CFO isn’t the only executive who needs an understanding of security issues. So too does the chief executive. Yet all too often neither the CEO or CFO understand security issues enough to be able to rationalise the recommendations from the CISO, while at the same time either shifting the blame onto them when a breach occurs or withholding the funds that would have prevented it in the first place.
Individual resilience needed too
All of which brings me back to where we started, with the resignation of Robert Coles and the challenge facing whoever replaces him as the head of security at NHS Digital. Building cyber-resilience might be a key responsibility of the role, but the individual within it must be uber-resilient to discharge it. Given the vast experience that Coles has of wearing the boots and walking the CISO walk, I doubt that pressure played any part in his decision to quit.
Having that resilience is only possible if they are fully supported by their c-suite colleagues as well as anyone in government who is in charge of the chisels required to carve any security strategy in stone.
My experience of the breed, and I have called many a CISO friend across the years, is that they will not shirk their responsibilities and accept that the buck stops at their desk if a breach occurs on their watch. That doesn’t, however, give everyone else a get out of jail free card: the entire executive must be on-board with a security strategy, and trust the CISO to deliver upon it with their help. If that isn’t already the case at NHS Digital, then I suspect that Robert Coles won’t only be the first CISO, but also the first of many.
23 January 2019 @ 13:07
Some key factors here:
1. CISO is /was seen as a convenient scapegoat for many times /after various incidents. Search for ‘CISO scapegoat’ .
2. A key factor would be the collaboration with other C-suite form the table, including funding for implementing measures (training, audits etc.). Given that the healthcare organizations don’t particularly pay attention to cybersecurity, there is a good chance of facing a mismatch between funding and prospected needs.
3. Another very important factor: the success of your program depends heavily on the human factor. Let’s look at one simple aspect: how the users manage their passwords. Typically. the personnel is busy, stressed out; they don’t have enough time for being instructed in that area, they focus on patients and medical procedures, and that’s perfectly normal. Given the activities in the past years of many hacking groups in this area, this could equate to frustrating, never ending stories…