Standard Chartered’s Cheri F. McGuire describes the evolution of the role of the chief information security officer – and why the risks CISOs deal with may be existential for their companies. Her remarks have been edited for length and style.
CCBJ: What background is required to become a chief information security officer?
Cheri F. McGuire: It’s an interesting question, especially in the aftermath of the recent Equifax breach, where there was a lot of public debate about the background needed to be a CISO. To be effective, CISOs need to have expertise not only in how security technology works, but also a deep understanding of their organization’s business and the myriad security risks it faces. The role of the CISO has evolved significantly in the past five years, from a traditionally pure IT role to today’s requirement for a modern-day security risk manager. As such, the role requires the ability to integrate many disciplines, from technology, security, operations and response, to policy, strategy, legal and communications. Key to any CISO’s success is the ability to translate security risks and events into the language of the business, and then to effectively communicate across the business spectrum, from board members and the C-suite to business units, risk professionals and technology teams.
What does your role entail from day to day?
There is no typical day. My role entails driving security strategy, policy and governance, risk assessments and control testing, third-party risk, regulatory and partnership engagement, and employee training and awareness. It’s really about setting the tone for the whole culture of security risk management across the bank. This also includes cybersecurity exercises, readiness training and a team of business information security officers. Through them I have a risk advisory and assurance role in each of our businesses and geographies.
There are different models for the CISO function in use today. Some CISOs fit within the technical organization, under the chief information officer, and their main responsibilities are managing day-to-day network security, systems and applications, and the delivery of technology services. Other organizations, like ours and most large financial institutions, have a two-function approach, whereby the CIO manages security operations, and the CISO sits under the chief risk officer to ensure security is addressed from a holistic risk management perspective.
What skills are most important for you to succeed?
You have to understand business risk and risk management principles. You need to lead with an understanding of the most critical risks, set the strategic tone and direction, and then work with the business. You’ve got to have communication skills to translate technical issues into business language. Key is ensuring you have built the relationships across the organization and are viewed as a true risk “partner” who not only helps keep the business safe and secure, but also enables security as a trust factor for the products and services offered to customers.
What’s the hardest part of your job?
When you are a global institution – Standard Chartered operates in nearly 70 countries with more than 85,000 employees – the scale and scope are probably the toughest part, but also one of the most gratifying because you have the opportunity to help the organization build a culture of security and resilience.
Another challenge is the rapidly evolving regulatory landscape. It’s no simple task keeping up with all of the new cybersecurity regulations around the globe, incorporating them into policy and standards, and then ensuring implementation and compliance.
Do you work most closely with IT?
Absolutely. We have to work closely to ensure that we have the right alignment across day-to-day security technology operations and security risk and compliance. It’s also important that my team and I work closely with the other risk functions within the bank, including enterprise, operational, reputational, legal and financial crime risk, as well as with our business and geography risk and compliance officers. Having an integrated risk management program anchored under the chief risk officer is key.
How much contact do you have with the general counsel and other in-house lawyers?
Our general counsel is a strong advocate of the CISO function, and our legal team is an important partner. For example, ensuring we have the right security requirements in legal contracts and a right to audit are fundamental to managing third-party security risk. Analyzing legal implications related to compliance or new regulations and policies is another area where we work together.
Do you communicate much with CISOs at other big banks in the U.S. and globally?
We are actively engaged in a number of industry partnerships, including the Financial Services Information Sharing and Analysis Center (FS-ISAC). We are also a founding member of a UK group for European banks called the Cyber Defence Alliance, which is focused on information sharing for collective cyberdefense and working with law enforcement to stem cybercrime.
I also participate in a number of CISO industry forums, and I find it incredibly helpful to learn from my CISO colleagues. It is also important that we have not just information sharing but also established relationships so that we can coordinate in the event of a major cyber incident, especially given that the financial services industry is a central element in global economic stability. We have to have those strong linkages, not just among industry members but also with governments and regulators.
Is it tricky to decide when to share information with the government and how much?
It can be difficult – and I have sat on both sides, so I really understand the challenges. This is especially true in the financial services industry, where there are significant regulations to ensure customer privacy and secrecy. This is one of the reasons we have independent bodies like the Cyber Defence Alliance and the FS-ISAC. They allow us to share information for cybersecurity purposes with other financial institutions, and the sharing organizations are then able to strip out or anonymize attribution to a particular institution, so that the information can be shared with government or law enforcement.
When it’s a matter of your bank having specific information that you feel you need to report directly to the government, who makes the call?
We have straightforward regulatory requirements about time to report, what to report and to whom to report. We operate in nearly 70 countries, all with their own regulators. If there are instances where the decision is not clear-cut, then the decision is made through internal consultation between myself, the CIO, regulatory affairs, compliance and legal.
In the UK, the CEO of a bank has personal liability for cybersecurity breaches. Is there anything comparable in the U.S.?
The Senior Managers Regime came into effect in the UK on March 7, 2016. It added personal liability for cybersecurity to the CEO and designated senior managers within the organization, including the CIO, the chief risk officer and sometimes the CISO. To my knowledge, there is nothing comparable in the U.S., though there are cybersecurity requirements for CISO roles. For example, the New York State Department of Financial Services cybersecurity regulations that went into effect in February 2018 require financial institutions operating in New York to certify they have a dedicated CISO.
Has it changed the landscape?
If cybersecurity wasn’t already on your agenda as a senior leader in a financial institution, the UK rule should have put it front and center. I hear from most senior leaders at other banks that cybersecurity is at the top of the board and C-suite agendas. There is wide recognition today that cyber threats present an existential risk to the industry.
How do you prepare for the next twist that hackers might have up their sleeves?
It really is about trying to stay one step ahead of the bad guys. Studies conducted by many security firms and cybersecurity think tanks generally agree that the vast majority of cybersecurity breaches can be prevented if basic cybersecurity hygiene practices are implemented. These include inventorying your hardware, software and information assets; encrypting data at rest and in motion; implementing two-factor authentication; ensuring up-to-date security software and patches, and so on.
For more on this, two excellent resources are the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security Top 20 Controls.
Ultimately, organizations also need to have a solid response plan in place, one that has been exercised. The plan should include not just your internal response coordination, but also how you interact with your customers, how you engage with your outside counsel, and how you communicate with regulators and the media.
Cheri F. McGuire is group chief information security officer at Standard Chartered Bank in the United Kingdom. With nearly 30 years of industry and government experience, she has held senior roles at Microsoft, Symantec, the U.S. Department of Homeland Security Cyber Division/U.S.-Computer Emergency Readiness Team (US-CERT), and Booz Allen Hamilton. In 2017, the Monetary Authority of Singapore appointed her to its first International Cyber Security Advisory Panel. She also sits on the World Economic Forum Global Future Council on Cybersecurity, the Europol Advisory Group on Financial Services, the George Washington University Center for Cyber and Homeland Security Board, and the U.K. Cyber Defence Alliance Board. She is a frequent presenter on cyber-risk management and resilience, information sharing and cybercrime, and has testified as an invited expert witness numerous times before the U.S. Congress.
Published March 2, 2018.