Debates between David Chadwick and Allison Gardner during the 2024 Parliament

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

Debate between David Chadwick and Allison Gardner
David Chadwick

Q Thank you for joining us. Reporting of several recent cyber-attacks has one thing in common: there were often insufficient security measures in place. British Airways in 2018 is just one example. Reportedly, the average tenure of a chief information security officer is 18 months. From your perspective, what do CISOs need from the Bill to help strengthen their hand when they are saying to a board, “This is what I need to do to keep our organisation secure”?

Richard Starnes: On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.

How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.

Dr Allison Gardner

Q You have answered the question I was about to ask. I may ask an addendum to that, but first I want to clarify something. If you put liability on an individual board member, that is going to cause problems. Do you think that there should be a statutory responsibility for the company to have a board member responsible for cyber-risk, and that the responsibility and accountability should sit at company level?

Richard Starnes: I think this should flow from the board to the C-level executives. Most boards have a risk committee of some sort, and I think the chair of the risk committee would be a natural place for that responsibility to sit, but there has to be somebody who is ultimately responsible. If the board does not take it seriously, the C-levels will not, and if the C-levels will not, the rest of the company will not.