CISO Board Briefing 2017

Insights from the 2016 CISO Forums

ABSTRACT
In 2016, chief information security officers (CISOs) gathered in Las Vegas, London and Singapore for the ISACA annual
CISO Forums. They met to tackle issues and share experiences as leaders in their profession. Throughout all discussions,
one point was clear: communication between CISOs and business stakeholders is an absolute necessity to ensure the
successful mitigation of risk and the security of enterprise data assets. This document presents to enterprise boards and
executives high-level summaries of topics covered at the ISACA CISO Forums.

PURPOSE
The purpose of this briefing is to foster improved understanding of information security among boards, executives,
CISOs and those in similar roles. Several information security leaders who participated in the CISO Forums agreed
to be highlighted in this board briefing. Their testimonials follow each topic summary and are meant to be considered
as guidance.

© 2017 ISACA. All Rights Reserved.


CISO BOARD BRIEFING 2017: INSIGHTS FROM THE 2016 CISO FORUMS

Introduction
A chief information security officer (CISO) has chosen a role
that, for many enterprises, is either new or changing. A senior-
level executive with growing cross-functional teams, the CISO
remains constantly alert to the state of security. He or she can
simplify technical jargon to fit security priorities into overall
business strategy. The CISO works with corporate governance
players and is driven to enable growth by allowing the enterprise
to afford higher risk and manage that risk within an acceptable
appetite. But, depending on the enterprise information-security
maturity level, a new security-focused culture may not have gained
traction quickly, so the CISO is also a salesperson. The CISO’s
team dedicates itself to protecting the enterprise digital asset
confidentiality, integrity and availability. The CISO wants to hire the
right people to fill potentially long-standing information security job
openings; however, the market lacks talented professionals, so the
CISO wants to provide training to those currently employed. This
training can also solve the retention problem, as the enterprise
loses ambitious employees to the higher-paying competition.
Decorated with several technical and managerial certifications,
such as the CISM, CISA or CISSP, the CISO likely has an IT
audit and risk background and moved to a cyber security role as
enterprises made it a priority over the last decade. As a new and
rapidly growing enterprise priority, cyber security is an unfamiliar
path for the enterprise. The CISO is driven to succeed, and there
is so much that he or she is working to change.

This briefing is a summary of observations made at the ISACA annual CISO Forum. In 2016, CISOs gathered in Las Vegas, London
and Singapore to tackle issues and share experiences as leaders
in their profession. The briefing summarizes the main topics of
discussion from the forums and includes direct responses from
the CISOs themselves.


Governance

Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives; sets direction through prioritization and decision making; and monitors performance and compliance against agreed-on direction and objectives.

“The word governance is derived from the Greek verb κυβερνάω [kubernáo], meaning to steer a ship. Like steering a ship, governance is the act of setting direction and monitoring progress towards the destination. A more complex situation, such as steering an enterprise, requires setting goals, assigning responsibilities, establishing structures, implementing processes and measuring outcomes. The same applies to information security governance and cyber security governance.”

MICHEL LAMBERT
CISO, Québec Ministry of Agriculture, Fisheries and Food

“The cyber security framework of an organization will depend heavily on the organization’s culture, the risk appetite, principles and goals. Of course, the role of the CISO is to build the governance framework, taking into consideration all those aspects and leveraging them to get the necessary buy-in. The cyber security governance has to be coupled with the business strategy.”

RIZWAN JAN
CISO, Henry M. Jackson Foundation for the Advancement of Military Medicine

Roles, reporting structures and communication mechanisms are most commonly discussed when the topic of cyber security governance arises. Based on the discussions at the ISACA 2016 CISO Forums, it can be concluded that the success of the cyber security governance structure is determined by the skills of the information security executive, whom the information security executive reports to, and the information and how it is reported. Because of these influencing factors, there is not one correct organizational map, not one universal title and not even one universally applicable job description for the information security executive. Every possible combination has its ups and downs. There is one consideration that tops all others: Is the chosen cyber security governance structure the best option for the enterprise?

What is the ideal reporting structure for most enterprises?

“Each organization must identify what is the best for them; just be sure to prevent making the information security function an IT function. In my experience, this has been a bad decision. I would suggest having the information security function report to the CEO, board of directors or maybe the chief risk officer. This function needs to be independent of IT.”

DOUGLAS BENCOMO
CISO, Maduro & Curiel’s Bank N.V. (MCB-Group)

What advice would you give executive teams about creating a governing structure that elevates cyber security priorities?

“I would advise executive teams on the fact that cyber security is not an IT issue; it is a business issue that requires enterprisewide buy-in to be managed successfully. IT will certainly be a component of the solution and the success. To be successful, CISOs need to either chair or be a key participant on committees responsible for managing enterprise risk.”

BRIAN NESGODA
SVP & CIO, Sikorsky Credit Union


Cyber security has a history of being a low priority on the list of governing bodies. With the help of the media, cyber security has quickly become a growing concern for many enterprises, giving CISOs a better chance of obtaining the resources and direction necessary to secure their enterprises. Even so, making security a top priority within necessary business processes causes typical concerns: cyber security initiatives will slow down the process, it will cost too much or it is not necessary at this stage. It is the job of the CISOs to use their specialized expertise and knowledge of the business to override these fears with the advantages that security will have on the business goals and objectives—essentially, that security does not benefit the enterprise for security’s sake; security benefits the enterprise’s financial security, reputation, legal standing, etc.

“Enterprises do not benefit simply just by being secure. That is expected. I hope we can emphasize that advanced cyber security capabilities will allow a company to embrace new business models and initiatives that were previously deemed to be of high risk. Hence, a board that empowers the CISO with adequate resources and support may, in fact, elevate the enterprise’s competitive advantages.”

LEONARD ONG
Associate Director, IT Risk Management & Security, Asia Pacific & Japan, Merck & Co, Inc.

What strategies do you use to get buy-in from your board/executive team?

“A successful strategy used to gain buy-in from my board/executive team has been to align security initiatives with the organization’s strategic goals, illustrating how implementing controls early in a process can reduce the likelihood of future audit findings. Express risk in terms that matter to the board (i.e., losses in units produced, losses in sales, etc.), and not the number of threats blocked or vulnerabilities patched. Leverage internal audit as an ally and collaborate to develop action plans to address risk. Cooperation fosters buy-in.”

BRIAN NESGODA
SVP & CIO, Sikorsky Credit Union

“Communication, communication and communication. While decisions are made in the boardroom, it took a lot of effort (outside of the boardroom) to understand each board member’s perspective on cyber security, address their communication needs and convince them of necessary cyber security capabilities on an ongoing basis. Boardroom meetings just formalize the decision but are not enough to present and attempt to justify the buy-in required.”

JOHNNY MUNGER
CISO, TCW Group

What advice would you give other CISOs who are having trouble obtaining resources or pushing initiatives forward?

“Perform an in-depth and honest current-state analysis, and benchmark against the minimum baseline required by regulations, as well as against other enterprises in the same industry. If we are behind the minimum required baseline or other enterprises in the same industry, it is clear that the board would have a fiduciary duty to ensure the right resources are provided to bring us to the right level.”

JOHNNY MUNGER
CISO, TCW Group

“Partner with departments and show them how they can gain traction on their project by being a part of strengthening the security program. Work with project managers to identify the hurdles and challenges they face in implementing their projects, and use security as a tool to solve those challenges (i.e., develop action plans that bake in security to solve obstacles). Leverage third-party entities like the DHS and the FBI to demonstrate how your organization is proactively improving the security program.”

BRIAN NESGODA
SVP & CIO, Sikorsky Credit Union


Through the progression of this discussion, it became clear that, in addition to a CISO’s title, reporting structure and reporting methods, an often-unspoken piece of governance is the skills that a CISO must have. For successful governance, if the CISO has been strategically placed to report the right things to the right people in the right ways, soft skills are the most important skills to have, followed by technical credibility.

“On the board/executive levels you can’t talk about firewall settings, malware names, etc. On the other hand, this kind of talk is very useful/credible in IT. It is also very helpful if you can establish nonformal relationships with others; it’s amazing what you can learn in morning coffee meetings.”

ANTON BOJANEC
CISO

“Financial skills should also be considered. At the end of the day, a CISO’s discussion with the CEO and CFO always prioritizes financial aspects. Understanding them and also being able to be part of the discussion is something I learned to be of high importance.”

JEAN-FRANÇOIS SIMONS
CISO, Brussels Airlines

What skills do you use most in your role?

“Both soft and technical skills: my soft skills help me to convey my message to a nontechnical audience and to understand the requirements; my technical background supports my translation of business needs into technical language and technical solutions.”

DOUGLAS BENCOMO
CISO, Maduro & Curiel’s Bank N.V. (MCB-Group)

“Soft skills are what I use most in my role. They allow me to connect to people at a personal level and gain a common understanding of the importance of cyber security.”

RIZWAN JAN
CISO, Henry M. Jackson Foundation for the Advancement of Military Medicine

What certifications and/or degrees do you hold? Which ones do you find most applicable to your role?

“I hold the following certifications: CISA, CISM, CRISC, CGEIT, CISSP, GCCC, GMON, GCIH. I think that CISM and CISSP are the most important; however, I think that in some way or another the knowledge that I have gotten with each one of them has helped me to fulfill my role.”

DOUGLAS BENCOMO
CISO, Maduro & Curiel’s Bank N.V. (MCB-Group)

“CISM, CISA, CRISC, CISSP, ISSMP. The CISM is the most applicable.”

JOHNNY MUNGER
CISO, TCW Group

“CISSP, CISM, GCIH. CISM is probably the most relevant one to interact with the senior management, while CISSP and GCIH are relevant to understand and interact with the information security technical people.”

JEAN-FRANÇOIS SIMONS
CISO, Brussels Airlines

General governance advice that CISOs give to their boards of directors and executive management consists of the following:

• Incorporate security early in the process.
• Include CISOs in the hiring process of their teams. They require a more advanced and technical assessment of prospective hires.
• The financial cost of security does not outweigh the value of mitigating risk. Risk is a shared responsibility.
• Enterprise priorities should determine reporting structures for CISOs. Often, a CISO’s job should not be considered as only an IT function.
• The CISO role is evolving. The CISO is not solely responsible for security, because security is a risk management function that is shared across the enterprise.


Cloud Security

Public cloud almost always involves infrastructure outside of an organization’s direct control. The term cloud was created to describe a paradigm by which business-enabling functionality is transported and stored. Cloud computing is defined by the US National Institute of Standards and Technology (NIST) as, “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”1 It seems that the term cloud is used to simplify the large pool of network resources that a CISO is required to secure and provision.

Many enterprises are transitioning to cloud services, making it necessary for CISOs to build cloud security models. For CISOs whose enterprises rely on cloud service providers, their concern is securing the data over which they could potentially lose control. The management of these cloud services must happen within the enterprise; even when services are completely in the cloud, the risk responsibility is still on the enterprise, and the business units involved are still accountable.

What do most CISOs think about cloud security policy? Many agree that, like most policy, it is useless unless it can be enforced. For many IT departments, cloud security policies fail because other business units acquire their own cloud services with little regard for cloud security. Total transparency into cloud service audit reports and action plans should be given to the CISO, as well as the ability to mandate specific audit items.

What advice would you give to your colleagues or other enterprises on securing their clouds?

“Public cloud computing, to be successfully utilized, requires that enterprises, especially CISOs, understand how the business works. Understanding details of workflows and data movement will help assess the risks that need to be managed. Security controls and audit reports for nonrelevant aspects add little value towards protecting your enterprise.”

PHORAM MEHTA
Head of Information Security-APAC, PayPal Pte Ltd.

“Consider them as the extension of their networks. Make sure to monitor usage and security the same as it’s done in-house when they are using PaaS or IaaS. Ensure sound and efficient access control and high-privilege access management. Enforce security configuration and hardening. Protect your sensitive data by enforcing encryption. Make sure you have efficient vendor management control and sound exits for the hosted data.”

FAIZA KACEM
Senior Director Security Architecture and IAM, National Bank of Canada

“My advice would be to find ways of implementing your existing security policies and controls to the cloud providers and avoid creating separate specific cloud controls and exceptions. This is easier said than done and has spawned a new category of controls: the cloud access security brokers (CASB). They offer a solution at the technical level, but will only be effective if their use is a requirement for implementation, and not seen as something to be circumvented by departments and project managers. Their use can further be ensured, as well as other aspects of cloud security, by a strong vendor management process.”

BRIAN NESGODA
SVP & CIO, Sikorsky Credit Union

What do you want your board/executives to understand about the cloud?

“The cloud is far from meaning cheaper, highly flexible IT; cloud solutions are IT tools, and the IT department should always be involved in evaluation of solutions; and it is okay to rapidly go for a cloud solution in order to meet business needs, as long as we understand and accept the risks related to the solution.”

JEAN-FRANÇOIS SIMONS
CISO, Brussels Airlines

1 Mell, Peter; Timothy Grance; The NIST Definition of Cloud Computing, US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145, USA, 2011


“First, boards/executives need to prioritize what they want their employees to focus on: managing IT infrastructure or building innovative products. Cloud computing is reaching a stage where businesses really do need to understand and discriminate between technology infrastructure versus engineering. Second, boards need not fear the cloud. In the early years, a lot about how cloud achieved its efficiencies and the compromises, if any, made on the security front were unknown. As standardization and transparency increases, evaluating assets on the cloud becomes much easier.”

PHORAM MEHTA
Head of Information Security-APAC, PayPal Pte Ltd.

“Clouds belong to cloud service providers and hold critical data of the enterprise. There is always a risk to lose control, not only of the critical data, but of the businesses that rely on the cloud infrastructure.”

ALEXANDER KHOMKO
Director of Information Security, JS Electronic Moscow

What are your best cloud solutions? What factors do you consider?

“All solutions have their pros and cons. The large-scale solutions, such as AWS or Azure, offer better stability, more geographical distribution, standardized implementation, several tenancy options, scalability, security compliance to industry standards such as SAS 70 and PCI DSS, etc. However, it may be difficult to customize them to specific needs. The choice of cloud provider must be led by the business needs and risk exposure and appetite.”

FAIZA KACEM
Senior Director Security Architecture and IAM, National Bank of Canada

“The best solution saves money on infrastructure while being secure to the required level. I consider the following factors: geographical data center placement, origins of the cloud service stakeholder, certifications, responsibility transfer in agreements, and the service provider’s current insurance.”

LIUDAS ALISAUSKAS
CISO, Lietuvos Energija

What is your view on encryption?

“It depends on where [encrypted data] is used (in transit, at rest, in memory, etc.), who holds the keys and how they are protected. At minimum, encryption should be used at least when data is in transit and at rest.”

ANTON BOJANEC
CISO

“To encrypt all data in the cloud is almost the only way to neutralize the risk of data leakage from the cloud. At the same time, there is high risk to lose it because of improper and unconfident implementation of the encryption policy.”

ALEXANDER KHOMKO
Director of Information Security, JS Electronic Moscow


In summary, a CISO’s advice to the board of directors on cloud security includes the following:

• The cloud is not one product, but instead it is a network of resources often managed by outside service providers.
• Business units should not acquire new cloud service providers without consulting with the IT department first. Many cloud failures result from doing otherwise.
• Public and hybrid cloud models can erode the borders between inside and outside the enterprise network. Although risk is more flexible and expandable, it should be assessed before implementing any solution.
• CISOs often want to deploy encryption universally, but it is an extremely difficult task, especially for small or medium-sized enterprises.

Annual Priorities

Data presented by Foote Partners, LLC predicts that enterprises need to be ready to change dramatically to keep up with competition in 2017.2 The change has to do with where and how an enterprise innovates—where they place their bets. Big data is phasing out as an emerging trend in security, but how enterprises use big data intelligently in 2017 will determine their continued success.

How do you identify your priorities for the new year?

“We have aligned our cyber practices with the NIST Cybersecurity Framework, following the tier range (1 partial - 4 adaptive; risk management practices). The tier selection process considers our current risk management practices, threat environment, legal and regulatory requirements, business/program objectives, and organizational constraints. We then determine the desired tier, ensuring that the selected level meets our goals, is feasible to implement, and reduces cyber security risk to critical assets and resources to levels acceptable. This assists us in prioritizing our initiatives.”

RIZWAN JAN
CISO, Henry M. Jackson Foundation for the Advancement of Military Medicine

“I identify our sets of priorities using threat intelligence. Paying attention to what other enterprises in the same sector are experiencing helps to identify what needs to be done on our side to prevent the same issues. We are really paying close attention to the development of new threats and trends.”

DOUGLAS BENCOMO
CISO, Maduro & Curiel’s Bank N.V. (MCB-Group)

“We look at our enterprise business objectives and corresponding global IT objectives before identifying and prioritizing IT risk management and security divisionwide objectives. It is important that we have a strong alignment according to the best corporate and IT governance practices.”

LEONARD ONG
Associate Director, IT Risk Management & Security, Asia Pacific & Japan, Merck & Co, Inc.

What trends do you foresee for the new year?

The explosion of the Internet of Things has presented us with a major cyber security challenge. Connected devices might be small, but they contain complex software that wasn’t designed to be connected to the Internet. Where there is Internet connectivity and software, there is exposure. The software on IoT devices—firmware—has not been developed with security in mind, and, therefore, the IoT is essentially an unmanaged invitation for the adversary.

2 Foote, David, “Cyber Security “People Architecture”: The difference between success and failure”, Foote Partners, LLC, USA, 18 October 2016


“We are also seeing increased consideration of cyber security in regulatory circles. There are mounting calls for regulation of IoT devices, and information related to cyber security events may be considered material information that must be publicly disclosed under SEC regulations. These shifts will introduce a level of transparency that some CISOs may not be comfortable with.”

JUSTINE BONE
CEO, MedSec

“Cyberthreat intelligence sharing, threat analysis, cyber security capability (leading indicator) and maturity (lagging indicator), new technologies (virtual reality), back to basics (firmware security, effective monitoring of new threats, etc.).”

LEONARD ONG
Associate Director, IT Risk Management & Security, Asia Pacific & Japan, Merck & Co, Inc.

“Malware (ransomware, etc.); more risks for critical infrastructure; new attack vectors on virtual infrastructure and cloud service providers; enforcement of government requirements and legislation in the field of information security.”

ALEXANDER KHOMKO
Director of Information Security, JS Electronic Moscow

“Increase user awareness, enhance data-owner accountability, review/update key security processes (such as incident management and IAM), increase depth and frequency of pen testing, and the full support of new business initiatives.”

MICHEL LAMBERT
CISO, Québec Ministry of Agriculture, Fisheries and Food

How do you encourage innovation in your workplace?

“Hire people who are passionate about their work and have different backgrounds and capabilities. This will bring a diverse set of ideas and approaches to solving a problem or bring innovation.”

JOHNNY MUNGER
CISO, TCW Group

“We institute innovation as one of our core objective domains every year. It is an official scope of work. There is a process where an innovation idea can be proposed, assessed and funded accordingly. Managers are encouraged to ensure that employees have the bandwidth to ideate and pursue a good idea into proof of concept before full implementation.”

LEONARD ONG
Associate Director, IT Risk Management & Security, Asia Pacific & Japan, Merck & Co, Inc.

The Skills Gap

According to the ISACA report, State of Cyber Security 2017, 48 percent of enterprises get fewer than 10 applicants for cyber security positions, and 64 percent say that fewer than half of their cyber security applicants are qualified. To solve this problem, many CISOs point to the need for accelerated cultural change for an array of demographics. For young students, cyber security education needs to start at an early age and needs to be a part of the standard curriculum.


What does the skills gap mean to you, and how do you feel the effects of it?

“The lack of expertise and knowledge for cyber security functions either internally or in the hiring market is one of the signs of a skills gap. Another sign is that the educational system does not concentrate on developing skills that are/will be needed to face current and future challenges in the market. Lastly, the resource shortage when trying to hire competencies is a clear presence of a skills gap. The most significant effect is the impossibility to fill open positions with the appropriate skill level, the lengthy duration of job postings, and, most importantly, the changing of the hiring strategy during the job posting in order to better match the market, instead of the other way around.”

FAIZA KACEM
Senior Director Security Architecture and IAM, National Bank of Canada

What are you doing to hire and retain the right people?

“I am constantly monitoring the HR market (salary and additional benefits) and trying to keep our personnel salary current to the market. Challenging talented people is also necessary.”

LIUDAS ALISAUSKAS
CISO, Lietuvos Energija

“If someone shows a gap in knowledge, skill or experience that is needed in the near future (for example, passing certification exams), but, if that individual is loyal in attitude to the company, I would hire this applicant. To retain the right people, you need to make achievable goals for them, rotate responsibilities, encourage training, and stimulate them.”

ALEXANDER KHOMKO
Director of Information Security, JS Electronic Moscow

What do you think we need to do as a society to solve the skills gap?

“Start promoting the information security/cyber security field in schools, colleges and universities. Try to make this field attractive. In my case, I am giving the CSX Cybersecurity Fundamentals workshop to university students and young professionals.”

DOUGLAS BENCOMO
CISO, Maduro & Curiel’s Bank N.V. (MCB-Group)

What should CISOs be doing to fill the skills gap?

“Ensure that: (1) a lean, yet effective, organizational structure for information security is designed; (2) appropriate funding is planned, meeting requirements based on organization strategy and evolving threat trends; (3) information security and all company personnel are trained continuously; (4) emergency contracts with third-party cyber security experts are in place.”

LIUDAS ALISAUSKAS
CISO, Lietuvos Energija

In summary, a CISO’s advice to the board of directors on closing the skills gap includes the following:

• Invest in developing people to increase retention and build much-needed skills; leverage tools to maximize efficiency of the personnel you already have.
• CISOs need to work closely with HR teams to make the most progress in filling job openings and retain the right candidates after they are hired.
• Cyber security professionals often require different benefits than professionals in other business units.
• Support for minority demographics must start at the top of every enterprise.


Vendor Risk Management

Often, the most exciting moments at the CISO forums happened when participants went off topic and discovered critical, underlying issues through the conversations. One topic that was not primarily highlighted in the agenda, but was brought up numerous times in all three countries, was vendor risk management. Whether the cases discussed cloud security, priorities or interdepartmental communications, they all sparked insights and germane discussions about vendor management, and some conversations led further into considerations for supply chain risk management. It is clear that CISOs are involved in the risk assessment and mitigation of their enterprise vendors and should continue to be, if not even more so than they are now.

Third-party vendors and business partners can introduce new risk. Furthermore, vulnerabilities can continue to be introduced over the life cycle of a product or service. CISOs and risk management teams need to be involved in the beginning and throughout these life cycles to get to know the vendors and ask the right questions to mitigate risk and assure information security.

What third-party vendor services does your enterprise typically encounter? To what extent are you involved in their procurement?

“Services, infrastructures and software/solutions vendors. A vendor risk assessment and security requirements are included in every agreement. The CISO team is involved in the assessment of the security posture of the vendor.”

FAIZA KACEM
Senior Director Security Architecture and IAM, National Bank of Canada

“Software as a service (SaaS) vendors are most common and are considered because they offer solutions without the overhead and capex. Vendor management is owned by the risk management department, which provides the benefit of having security-focused staff involved in the evaluation of third-party vendors. SLAs, SSAE 16 reports, contracts, etc. are reviewed, risk rated and reported to a vendor management committee. Issues are identified and ultimately reported to the board of directors, providing further metrics and supporting the enterprise risk management program.”

BRIAN NESGODA
SVP & CIO, Sikorsky Credit Union

Do you have a process or policy in place? How would you define the overall purpose of your process/policies?

“We have a process and policy in place. We have established specific standards, guidelines and procedures necessary to ensure that any information provided to our third party is kept safe and reduces the risk of unauthorized use, disclosure, modification or destruction, whether accidental or intentional. The amount of due diligence required is specific to the risk associated with the services that the third party performs.”

RIZWAN JAN
CISO, Henry M. Jackson Foundation for the Advancement of Military Medicine

“Yes, policy and processes are in place. The purpose is to ensure that the third party complies with the corporate information security requirements and that the company resources and data are properly managed, protected and controlled/monitored.”

FAIZA KACEM
Senior Director Security Architecture and IAM, National Bank of Canada

“Yes, both a vendor management policy and standard exist that define roles and responsibilities as well as criteria by which the vendors should be evaluated. The purpose is to identify critical vendors to the organization so that they can be appropriately risk assessed and residual risks reported.”

BRIAN NESGODA
SVP & CIO, Sikorsky Credit Union

What are your vendor risk management pain points?

“Some vendors do not always come through the procurement process and we (security) capture them after the fact. No centralized onboarding process causes us to have an incomplete picture of our risk posture.”

RIZWAN JAN
CISO, Henry M. Jackson Foundation for the Advancement of Military Medicine

“Vendor relationships change over time and so does the threat landscape based on the industry and geopolitical activities. However, most vendor risk management programs are still an annual exercise. One of the key challenges/priorities for us is to make the vendor risk life cycle a more dynamic and real-time process.”

PHORAM MEHTA
Head of Information Security-APAC, PayPal Pte Ltd.

What is necessary to ensure the success of your vendor risk management efforts?

“It is necessary to have a central onboarding process when dealing with vendors. Also (along with procurement), legal should be engaged. Cyber security language should be added to any contract language, which is then aligned with the third-party security self-assessment. Legal language should always include the right to audit as well, to hold your vendor accountable to the controls they are attesting to.”

RIZWAN JAN
CISO, Henry M. Jackson Foundation for the Advancement of Military Medicine

“Training and accountability. Technical solutions can be used but are not necessary. Simple spreadsheets will suffice if a strong vendor management workflow and process exist and are understood by the contract owners. Holding contract owners accountable for their vendors is critical to ensuring risks are identified.”

BRIAN NESGODA
SVP & CIO, Sikorsky Credit Union

In summary, a CISO’s advice to the board of directors on vendor risk management includes the following:

• Departments procuring vendors should involve information security managers from the beginning and through the vendor’s life cycle.

• One centralized onboarding process is an efficient way to mitigate risk.

• Create a vendor risk management program that is dynamic enough to keep up with real-time changes in vendor relationships or the threat landscape.

European Regulations and Compliance

As a champion of personal privacy, the EU is known for having strong regulations around data security and personal privacy. In 2016, the EU passed the Network and Information Security (NIS) Directive to “provide a high-level network and information security throughout EU member states, not just against network breaches by hackers, but also against technical failures and natural disasters.”3 By 2018, companies that fall under the directive’s purview are expected to be compliant. In addition to the NIS Directive, there are other new—and not so new—compliance pain points to which CISOs are working toward adherence:

• General Data Protection Regulation (GDPR)
• Payment Services Directive (PSD2)
• Solvency II
• EU Network and Information Security (NIS) Directive
• Corporate governance
• Payment Card Industry Data Security Standard (PCI DSS) v3.2

What are your compliance pain points?

“The main pain point of compliance is time. GDPR, Russia’s new regulation and China’s new privacy law all request to be compliant in a relatively short period of time (EU GDPR being the most flexible one).”

JEAN-FRANÇOIS SIMONS
CISO, Brussels Airlines

“GDPR – determining GDPR real requirements in practice, identifying the current gap and implementing the minimum necessary steps.”

ANTON BOJANEC
CISO

What advice would you give your peers for complying with security regulations for 2017?

“Start as soon as possible, get management understanding and active support, involve business areas in activities.”

ANTON BOJANEC
CISO

“Complying in 2017 is definitively not on my agenda; I’m aiming for 2018! Most important to me is having a clear road map towards compliance so that if you are not able to be compliant on due time, you can report efforts being done so far and ongoing initiatives to reach full compliance (with target dates).”

JEAN-FRANÇOIS SIMONS
CISO, Brussels Airlines

3 Allison, Peter Ray, “What the EU’s cyber security bill means for UK industry,” Computer Weekly, USA, January 2016,
http://www.computerweekly.com/feature/What-the-EUs-cyber-security-bill-means-for-UK-industry

Featured in This Board Briefing

Liudas Alisauskas
CISO
Lietuvos Energija

Douglas Bencomo
CISA, CRISC, CISM, CGEIT, GCCC, GMON, GCIH
CISO
Maduro & Curiel’s Bank N.V. (MCB-Group)

Anton Bojanec
CISM, CISSP
CISO

Justine Bone
CEO
MedSec

Rizwan Jan
CISSP, PCIP, CTPRP
CISO
Henry M. Jackson Foundation for the Advancement of Military Medicine

Faiza Kacem
CISM, CRISC, ISO27KLA
Senior Director Security Architecture and IAM
National Bank of Canada

Alexander Khomko
CISM
Director of Information Security
JS Electronic Moscow

Michel Lambert
CISA, CRISC, CISM, CGEIT
CISO
Québec Ministry of Agriculture, Fisheries and Food

Phoram Mehta
CRISC, CISM, CISSP, ISO27K
Head of Information Security-APAC
PayPal Pte Ltd.

Johnny Munger
CISA, CRISC, CISM, CISSP, GWAS, ISSMP
CISO
TCW Group

Brian Nesgoda
CISSP
SVP & CIO
Sikorsky Credit Union

Leonard Ong
CISA, CRISC, CISM, CGEIT, CPP, CFE, PMP, CIPM, CIPT, CISSP, ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA
Associate Director, IT Risk Management & Security, Asia Pacific & Japan
Merck & Co, Inc

Jean-François Simons
CISM
CISO
Brussels Airlines

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide feedback: www.isaca.org/ciso-board-briefing-2017
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISACA®
ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus™ (CSX), a holistic cybersecurity resource, and COBIT®, a business framework to govern enterprise technology.

DISCLAIMER
This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances.

RESERVATION OF RIGHTS
© 2017 ISACA. All rights reserved.

ACKNOWLEDGMENTS
ISACA would like to recognize:

Expert Reviewer

Michel Lambert
CISA, CRISC, CISM, CGEIT, Québec Ministry of Agriculture, Fisheries and Food, Canada

ISACA Board of Directors

Christos K. Dimitriadis
Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, International Chair

Theresa Grafenstine
CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, US House of Representatives, USA, Vice-chair

Robert Clyde
CISM, Clyde Consulting LLC, USA, Director

Leonard Ong
CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck, Singapore, Director

Andre Pitkowski
CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Director

Eddie Schwartz
CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Director

Jo Stewart-Rattray
CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director

Tichaona Zororo
CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance (Pty) Ltd., South Africa, Director

Zubin Chagpar
CISA, CISM, PMP, Amazon Web Services, UK, Director

Rajaramiyer Venketaramani Raghu
CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India, Director

Jeff Spivey
CRISC, CPP, Security Risk Management Inc., USA, Director

Robert E Stroud
CGEIT, CRISC, Forrester Research, USA, Past Chair

Tony Hayes
CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair

Greg Grocholski
CISA, SABIC, Saudi Arabia, Past Chair

Matt Loeb
CGEIT, FASAE, CAE, ISACA, USA, Director

CISO Forums Working Group 2016

Vilius Benetis
CRISC, CGEIT, NRD CS, Lithuania

Justine Bone
MedSec, USA

Thomas Borton
CISA, CRISC, CISM, CISSP, San Francisco Airport, USA

Ken Hendrie
CISA, CRISC, CISM, CGEIT, Cordelta, Australia

Michel Lambert
CISA, CRISC, CISM, CGEIT, Québec Ministry of Agriculture, Fisheries and Food, Canada

Brian Nesgoda
CISSP, Sikorsky Credit Union, USA

Jamie Norton
CISA, CISM, CGEIT, CISSP, NEC, Australia

Rolf von Roessing
CISA, CISM, CGEIT, CISSP, Forfa AG, Switzerland

James Seaman
CRISC, CISM, Croda International
