Hong Kong CISOs climb higher on the corporate ladder

CISOs have to move away from the bunker mentality to be a business enabler in their organizations. (Credit: sorbetto/iStockPhoto)

The chief information security officer (CISO) is a relatively new role and, in Hong Kong, barely existed until three years ago, according to local IT security insiders.

The cream of the crop of security professionals has been elevated from the traditional backroom position to senior management roles, where they are expected to articulate the business impact of IT security risks.

Nick Marsh, managing director, Meraki Executive Search & Consulting

“On the board of pretty much every public company, security is a permanent agenda item,” said Nick Marsh, managing director of headhunting firm Meraki Executive Search and Consulting. “In the US, the CISO would report to the board. The reporting line tends to be different in Hong Kong, where the CISO reports to the IT director or the CIO, who then provides a report to the board every month. Nonetheless, the seniority of reporting shows the strategic importance being given to the role.”

For companies in Hong Kong that have to provide insights on cybersecurity matters, having a CISO also provides the senior-level representation that is required at industry-wide forums.

Ricky Woo, convenor of Cybersecurity Specialist Group, Hong Kong Computer Society

“There are times when regulators such as the Hong Kong Monetary Authority (HKMA) would want to speak to senior management – most specifically the CISO – of an organization if they want to find out about compliance and risk issues around the introduction of a technology-oriented service,” said Ricky Woo, convenor of the Cybersecurity Specialist Group of the Hong Kong Computer Society.

In a report entitled “CISO Career Paths: Plot Your Course for Advancement” released by Forrester in December 2017, principal analyst Jeff Pollard stated that corporate bigwigs have unrealistic expectations of a CISO. The report analyzed the profiles of senior security leaders in Fortune 500 companies based on their education, career path, tenure and title.

“They imagine some half-man, half-machine superhero with a CISSP certificate and an MBA,” he said.

He added that “the mythical CISO” wish list includes deep business acumen, amazing communication skills, and the ability to fight hackers with their bare hands.

“These unrealistic expectations prevent companies from agreeing on which skills are most important, leaving aspiring CISOs to pave their own path and hope for the best,” Pollard said.

In Hong Kong, companies also have varying requirements of what the role entails – there is no cookie cutter for the breadth and scope of a CISO’s responsibilities. And candidates for the jobs do not come from the same mold either.

“If you are going to pay an annual salary that ranges between HK$1 million and HK$4 million, clearly you are going to have people whose profile, expertise and knowledge widely diverge from each other,” Marsh said. “You could have somebody in their early- and mid-30s on one level and somebody in their late 40s and early 50s on another level.”

CISOs have to be business enablers

Security professionals have been trained to protect their IT infrastructure by keeping out any potential threat. This bunker mentality no longer works in a digital economy where business and customer interactions are increasingly conducted online.

“They tried to protect their companies from risks by saying no to new initiatives,” Woo said. “But the world has changed and the board expects the CISO to help them to enable the business – not by saying no but by telling them how to mitigate risks so business can thrive.”

He added that it is now part of the CISO’s role to make senior management aware of any new technology and to provide insight into what it may mean for their business. This is important, he said, because introducing a new technology into the company should be a shared responsibility.

“Whenever there is a new technology coming into the company, some in senior management think it is owned by IT. But in fact, they should be aware that the owner of the risk is the business, not IT. This is not solely a technical issue, and the risk must be borne by senior management – they should bear the responsibility for the decision they made [around the technology] later on,” Woo said.

Champions for new technologies

Indeed, today’s CISOs have to be advocates for new technologies, according to Ricci Ieong, director of education, Cloud Security Alliance (Hong Kong and Macau Chapter).

“A CISO needs to be an ambassador instead of a policeman,” he said. “He has to be open to new technology and willing to be agile in reviewing and adapting it. A strongly negative attitude towards new technologies will force business units and IT developers to hide security issues, which will only raise the potential for security incidents.”

Set up a risk governance model

To be effective as a business enabler, Woo said, a CISO needs to put in place a governance model that triggers a risk evaluation whenever a new technology is introduced.

“For example, if a bank wants to introduce biometric authentication control, the process will kick-start a risk evaluation mechanism to figure out what the risk is, what sort of measures should be put in place and how to mitigate the risks and so forth,” he said.

Meanwhile, Ieong observed that the increased adoption of technologies such as SDN, virtualization, cloud computing, big data and DevOps has rendered traditional security requirements virtually obsolete, and that today’s security solutions are designed to protect this more agile and open environment.

“Security technologies have to become an enabler of business instead of serving as an isolated island of defense,” Ieong said. “Most security technologies are already working towards this direction by integrating into the software development and deployment lifecycle of an organization.”

This trend should make the life of a CISO easier, as security is being tightly woven into the IT environment and many components and routine tasks are increasingly automated.

“Even if CISOs have done their part, we will never have a zero-risk environment,” Woo said.

“CISOs should have some mechanisms to periodically review their cybersecurity and technology risk posture – make sure that they are aligned with the latest and the best in the industry,” he added.