We are delighted to announce the launch of the SIRO Portal to formally create an online community for board-level Senior Information Risk Owners (SIRO). The SIRO Portal is focused on leadership and information risk in a strategic business context.
This ‘forum of trust’ is an industry first; it will enable SIROs to interact with their peers and share pragmatic experiences, knowledge and skills within and across industry sectors. Regular threat intelligence will allow SIROs to stay informed on a dynamic and increasingly complex Cyber landscape. The first phase of this exciting initiative will see personal invitations go out imminently to over 200 SIROs within our network. As we embrace new ways of working and thinking, the SIRO portal will encourage members to collaborate and support each other during a time of unprecedented challenge and beyond.
The Senior Information Risk Owner role, originally created in 2004, was refreshed and re-invigorated during the UK Government’s Data Handling Review (DHR) in 2008. The DHR enshrined the SIRO as a board-level role with new Terms of Reference that aligned accountability and responsibility for information/Cyber Security risk-based decisions. Today, we face a turbulent world and the fundamental role of the SIRO has accelerated in prominence as organisations seek to adapt culturally and operationally to new norms. Integral to this change is addressing the growing business exposure to cyber attacks and data breaches that also impact on safety, reputation and shareholder value.
Has long been an advocate of the SIRO’s leadership role and has long advised on the unique skills required in “owning” the information risk at Board-Level and ensuring organisational compliance through strong governance. Our world class NCSC certified course continues to provide customised training and support to hundreds of SIROs across all sectors.
Cyber attacks have increased substantially in the last few years, and this is a direct consequence of the growth in digital transformation. Organisations have focused on increasing their digital footprint by automating processes, implementing artificial intelligence, and holding data on multiple digital platforms. The growth in inter-connectivity of information gives opportunity for collaboration, communication and creative thinking, improving product development and service offerings. The sharing of such equity is based on working within a trusted environment, conventionally well served by securing the digital infrastructure with robust Cyber technologies.
Chief Information Security Officers (CISOs) have traditionally worked well in managing the Cyber Security environment. However, the role has become increasingly more challenging, as CISOs are faced with the responsibility of safeguarding the Cyber citadel in a constantly evolving threat landscape. Cyber Security is not always regarded as essential at board-level. Yet the impact of a Cyber attack leaves an organisation with reputational damage and significant financial loss. The impact of EasyJet’s recent Cyber attack (May 2020) is as yet unknown, but could be substantial. The Cyber attack on the telecom company TalkTalk, for example, ran into an estimated £45 million in 2015.
Vulnerabilities to Cyber Security are multiple.
According to some of the latest figures, there are 2,500 internal daily breaches in the US alone, and this has increased by 47% in the last two years. How to manage the risk of the human internal threat demands complex consideration. It requires a dialogue at board-level, strategic thinking and courageous leadership. It demands adaptive and agile decision making, and an open culture in which to explore risks and build resilient parameters accordingly. The effects of the recent COVID-19 pandemic are yet to emerge, but the increase in staff working from home, away from the digital Cyber culture, requires board-level discussion on how to tackle the exposure to both technical and insider risk. Operational processes may also require review, and data classification may need to be fully explored. Ultimately, being away from the office can expose data to insecure networks and non-authorised personnel. A VPN may provide secure access to the corporate network, but the CISO cannot control who sees the data when staff are working at home. It is likely that the CISO has the responsibility of managing those risks and putting in place mitigation strategies.
Navigating through this complex Cyber-scape can be a challenging and lonely place for CISOs and can leave them exposed to Cyber trauma. The consequences of a Cyber attack can affect productivity and performance, and result in burnout. It is essential that the CISO develops their own personal resilience programme to thrive and succeed. One of the attributes of developing personal resilience is having the space to reflect on their leadership style and explore how to engage strategically and tactically within their organisation. Setting manageable goals to understand the Cyber Security architecture against the perceived risk threshold requires support from experienced and seasoned CISO mentors, who can offer guidance, experience and techniques to enhance the skills that the CISO has to employ in their dynamic role. Much research has been done on the benefits of mentoring. It is an investment that returns numerous rewards. Having access to practical advice, encouragement and support is invaluable. As John Wooden said: ‘Mentors are available at all stages of your leadership life - early, middle and late. Seek them out and listen; absorb their knowledge and use it.’