Where Does a CISO Fit In My Organization?

The role of the Chief Information Security Officer (CISO) within an organization has matured and grown over the last few years. The CISO increasingly has a broader role than just eliminating threats. The role now deals with the risks and the residual consequences in the cybersecurity realm.

The position of the CISO role within the organization chart influences the nature and frequency of interactions that the security leader will have with other executives.

The security function, and especially the CISO as its leader, should be thought of more as a business partner than an auditor — meaning that the various lines of business should engage with security and be forthcoming about the cyber risks that each face. Several reports have noted that security expands engagement beyond IT and becomes embedded in business operations. Furthermore, the relationship between the security function and IT should be dynamic instead of siloed, offering a checks-and-balances approach to leadership.

Businesses that position the CISO improperly and fail to provide him or her with adequate support and visibility are sending a signal. If the CISO is buried down in IT, even if reporting directly to the CIO, his or her influence will be greatly diminished. In the not-too-distant future, government officials may look at such a setup and determine that the organization is inadequately prepared to deal with modern cyber risks. Overall, an organization where the CISO reports to the CEO is seen as mature.

In “Is the CISO Reporting Structure Outdated?” from Security Intelligence, Scott Koegler notes that:

  • Cybersecurity affects multiple verticals within an organization, not just IT. For example, a marketing department’s CMO may have differing views and needs as compared to a CIO, and the CISO must take all of those inputs into account.
  • CISOs need to lead the discussion on cybersecurity and be able to make independent decisions.

A few additional points to consider as well:

  • Security is an issue for the entire company, not just the IT department. A CISO’s job is not to protect IT – a CISO’s job is to protect the business by exposing risk.
  • Organizations where CISOs report to CIOs have 14% more downtime due to security incidents, according to a study by PwC.
  • Organizations where the CISO reports to the CIO have financial losses that are 46% higher, according to the same PwC research.
  • Some regulators are beginning to mandate that CISOs report to the CEO – and many more may follow. In Israel, for example, there are laws dictating that CISOs report directly to the CEO.

Using Contracts to Manage Vendor Cyber Risk

You’ve worked hard to build out your cybersecurity and cyber risk programs. You’ve engaged with cybersecurity consultants, hired the right internal staff, built out and maintained a risk management system, and have proper controls in place. You have a strong cybersecurity posture and your stakeholders are satisfied with the results.

One fine summer day a news story shocks your whole organization: credit cards from all of your customers have been found on the internet. Malware was found on your point-of-sale system. The lawyers are involved, your leadership is furious… things are a mess.

The source of the issue? One of your vendors managing your point-of-sale systems experienced a breach. You had nothing to do with the breach; however, your organization is the one being blamed.

Even if your organization works to build out a proper cyber risk management program, implements an Information Security Management System (ISMS), uses proper change controls, etc., a single vendor that doesn’t adhere to these same risk management techniques can undermine everything your organization has done to protect itself. Likewise, even if all of your vendors do the same, if a single one of their vendors does not properly manage risk, your risk program is undermined as well.

How do you manage this additional risk?

Creating Contract Requirements

In our last blog post, we discussed that airports, governments, and all other critical infrastructure organizations have the responsibility to appropriately manage cyber risk. Management of that risk, however, also applies to third parties, fourth parties, and n-th parties as well.

One way to manage that risk is by defining cybersecurity and cyber risk requirements at the beginning of a vendor relationship through contractual obligations or by appending such requirements to a contract renewal.

The two most common requirements that can be implemented are:

  1. requiring that vendors achieve and maintain ISO 27001:2013 (International Organization for Standardization) certification; and
  2. requiring that vendors participate in AICPA (American Institute of Certified Public Accountants) SOC (System and Organization Controls) audit and attestation.

These requirements are complementary and provide a full picture of how a vendor manages cyber risk.

An Overview of ISO and SOC

An ISO 27001:2013 certification demonstrates to your organization that a vendor properly manages the confidentiality, integrity, and availability (the CIA triad) of information in their organization and has a functional ISMS. Certification is an ongoing process and must be continually maintained. Vendors wishing to keep this certification must have ongoing internal and external audits of the ISMS and related ISO controls.

A vendor who achieves and maintains ISO 27001:2013 certification shows to a potential customer that:

  • the vendor has reviewed the information security standards and has selected controls to implement;
  • the vendor has implemented those commonly accepted information security controls; and
  • the vendor has built out information security management guidelines for their organization.

SOC reports focus on controls and control effectiveness per standards set forth by the AICPA. SOC audits and attestation demonstrate that a vendor has proper controls in place and that those controls are effectively used in operations either at a specific point in time or for a period of time. There are different types of SOC reports available. The most common of these reports are:

  • SOC 1 – Internal controls relevant to financial reporting. The results are intended for restricted use by the organization requesting the audit. Based on attestation standard SSAE 18 (Statement on Standards for Attestation Engagements).
  • SOC 2 – Internal controls relevant to operations and compliance as defined by the AICPA Trust Services Criteria. The results are intended for restricted use by the organization requesting the audit. Based on AT-C 205 (AICPA’s Attestation Standards).
  • SOC 3 – Simplified version of SOC 2 that may be freely distributed for general use, also based on AT-C 205.

The SOC 1 and SOC 2 reports are further broken down into two types.

  • Type I reports represent an audit of controls at a specific point in time.
  • Type II reports represent an audit of controls over a period of time, with a minimum of a six-month period. Type II reports also include testing of controls for suitability of design and operating effectiveness. Type II reports are considered more authoritative.

Steps to Achieving Certification and Attestation

There are two main steps a vendor will need to take to provide these. First, the vendor needs to prepare for certification, audit, and attestation. Both ISO 27001 and SOC provide a set of requirements that must be adhered to. This preparation can be done internally; however, the work is often performed with the help of a cyber risk management firm, as it can be extremely taxing.

Next, the vendor has the actual certification (in the case of ISO) or audit (in the case of SOC) performed by an independent third party. In the case of ISO, this must be done by an accredited certification body. The certification bodies may only provide certification and not preparation and consulting in relation to the certification. In the case of SOC, an independent CPA firm must perform the audit per AICPA rules.

Fourth-Party, Fifth-Party, Sixth-Party…

Your organization should also consider downstream, nth-party requirements. Your vendors’ vendors can also put you at risk. Are they ISO certified? Would they pass a SOC 2 Type II audit and achieve attestation? These are questions you should ask as you build out a risk register on your projects and look at your contract needs.

The Hard Reality

If your organization flipped a switch today and required all of your vendors to be in complete compliance, odds are you’d have no more vendors. The hard reality here is that these processes cost time and money, and vendors are forced to decide on cybersecurity and cyber risk matters based on budget in the same way you do.

Unfortunately, no airport, government, or other critical infrastructure organization can wait any longer. Your organization is actively under attack, and threat actors will use whatever vector necessary to gain access to your systems. Vendors are one such vector.

The best approach may be a gradual introduction of these requirements. For instance, require that a vendor perform a NIST (National Institute of Standards and Technology) Cybersecurity Framework review for internal use immediately and attain ISO certification one year after contract certification. If you’re looking for SOC attestation, request a Type I report first, and then a Type II a year later.

A Path Forward

A good service ecosystem is built on good relationships. Organizations rely on their vendors, and vice versa. These requirements may seem burdensome at first; however, they provide a common language between parties that clearly articulates the expectations and importance of managing cybersecurity and cyber risk.

Not all vendors (nor all organizations, for that matter) are fully equipped to flip the switch today. Organizations and vendors may need to ease into the process, knowing full well that it will be a requirement in the future. Support goes both ways.

Organizations and vendors should enlist the support of qualified cybersecurity and cyber risk management firms for preparation, certification bodies and auditors for official reviews, and cybersecurity counsel to help craft contractual language that clearly outlines the requirements for the relationship.

Managing Third-Party Cyber Risk at Airports

Airports must ensure the safety and security of passengers and employees as well as the continuous operation of their critical infrastructure. Cybersecurity incidents and cyber risk pose significant challenges to that goal. In 2019 alone, over 20 municipal governments and a number of major airports in the US have been hit with cyber attacks. These incidents disrupt services and have the potential to put lives at risk.

It is vitally important that airports appropriately manage risk in their environment. From assessments to business continuity plans, there are a number of steps that can be taken internally to appropriately handle risk. But what about third-party vendors? While an airport can work hard to manage risk, if a single vendor has a data breach or is a victim of a cyber attack, the effects of that incident can quickly spread to any organization they support.

Supply chain integrity and third-party vendor risk management are essential to an information security and cyber risk program for any airport. A 2018 study by the Ponemon Institute revealed that 56% of organizations have experienced a breach directly caused by one of their vendors. As an example, the major data breach at Target in 2014 was caused by a breach at one of their HVAC vendors.

Managing Third-Party Vendor Risk and Supply Chain Integrity

Airports engage in a significant amount of outsourcing and managed services to meet their needs. From master planning to vertical construction to IT systems, there are a myriad of services and systems that are handed off to vendors for management and completion. Each time an airport adds new systems or obtains new services, the organizational risk profile changes. When those systems or services come from a third-party vendor, airports assume the risks brought on by that third party.

For instance, suppose an airport is considering a new FIDS (Flight Information Display System) from a vendor. Has the vendor developed their product using an SDLC and the STRIDE threat modeling methodology? Are endpoint systems patched, and what is the patching schedule? If the service is in the cloud, what security is offered by the provider? Is data encrypted both at rest and in motion? How long is PII handled, if at all? Does the vendor have a risk management plan? How does the vendor handle our infrastructure drawings and other SSI (Sensitive Security Information)? These and countless other questions strike at the heart of managing cyber risk by way of verifiable standards.

Airports should confirm that their vendors manage cybersecurity and cyber risk to an appropriate level. To that end, they can use contracts as an enforcement vehicle. In the case of the FIDS vendor, an airport could require that all bidders have an up-to-date ISO 27001:2013 certification, or require SOC 2 or SOC for Cybersecurity attestation before the contract conforms. It is also crucial that airports update their internal ISMS to account for the new assets, risks, threats, continuity requirements, and disaster recovery needs.

Vendors can increase their trustworthiness and reduce potential liability by proactively managing cyber risk. The ISO 27001:2013 certification and the SOC 2 and SOC for Cybersecurity attestation processes can seem burdensome; however, significant value is generated by the certification and by the reduced risks. Airports see a certified or attested company as trustworthy and diligent, even more so when others within a space do not have those credentials. If a cybersecurity incident should arise, managing risk and maintaining a true ISMS will show that a vendor has acted in good faith, with due diligence and due care in the situation.

It Takes Two to Tango

Airports and the vendors that serve them have a responsibility to ensure safe and secure operations for all stakeholders. Cybersecurity incidents pose a real danger to the safe and secure operation of critical infrastructure. Airports and vendors can manage cyber risk by maintaining internal cybersecurity and cyber risk programs that are continually updated and audited. Vendors can demonstrate due diligence and due care through the certification and attestation processes, and airports can do the same by requiring and verifying those credentials.

Our Services

Cyprus Lake assists airports and their vendors in certifying that cybersecurity and cyber risk are being adequately managed. For airport vendors, we provide certification preparation and internal auditing services for ISO 27001:2013 and SSAE 18, as well as preparation for SOC 2 and SOC for Cybersecurity audits and attestation. For airports, we can help manage internal risk through NIST 800-30, NIST 800-53v4, NIST Cybersecurity Framework, CIS CSC, and ISO 27001:2013 preparation and remediation, as well as with advisory services on contract engagements to ensure third-party compliance and attestation.

If you would like more information regarding our services, please contact us at (267) 888-8022 or email us at

Ransomware at Louisville Regional Airport Authority

Airports were once again subject to ransomware attacks this week as the Louisville Regional Airport Authority (the managing entity for Louisville Muhammad Ali International Airport and Bowman Field) fell victim. The good news in this case is that the attack was isolated, the issue contained, and data restored. Hats off to the team at LRAA for their work! You can read more about this story in the Courier Journal.

As we’ve seen with Cleveland, Atlanta, Bristol, and countless others, airports have become a major target for cyberattacks. Not only that, over twenty US municipalities have been caught in similar situations, leading to loss of services and discontinuity of operations. Since over 70% of airports in the US are owned and operated by municipalities, we can expect to see more incidents sooner rather than later.

The LRAA incident shows that there are strategies that can help mitigate the risk associated with these types of incidents. In their case, isolation and reaction time were key: while the event did occur, their teams were able to maintain business operations and restore key systems effectively.

Cybersecurity incidents will happen: it’s only a matter of time. This applies to cities, airports, and private companies alike. What matters is that proper assessments, planning, controls, and response plans are in place so that the business can continue to operate and there is no risk to the safety of customers and citizens. Unfortunately, without proper plans in place, it’s only a matter of time until an incident negatively affects safety. It is imperative that organizations and governments dedicate time to putting plans and measures in place to prevent that from happening.

Ransomware in Baltimore, Cybersecurity, and Municipal Governments

Once again, a major US city has been hit with a ransomware attack that has affected critical city services. On May 7th, the City of Baltimore fell victim to the same affliction as twenty other municipalities this year. A recent article in Vox details the events; however, nothing about the scheme is very surprising.

Municipal governments face a daunting task: provide quality services to citizens and, at the same time, be stewards of the revenue they receive. Oftentimes glaring issues, such as a lack of cybersecurity controls and risk management, are missed because other critical matters must be attended to, or because municipal leadership has not been aware of the severe implications that result when these key areas are overlooked.

The federal government has many programs focused on cybersecurity; however, this focus can be attributed to its role in protecting our national assets, interests, and borders. As the problems get more local, physical infrastructure and service quality matter more to local leaders, as citizens rightfully expect them to. As a result, there are no sweeping federal regulations requiring all the various political subdivisions to comply with standard cybersecurity controls, business continuity plans, disaster recovery plans, or other related systems to help recover from these incidents.

It is imperative that political leaders and municipal managers take heed of the recent history of ransomware attacks, data breaches, and infrastructure attacks and incorporate sound cybersecurity practices as part of their budgets and business. While the issues as of late have been more annoying than serious, it is only a matter of time before one of these incidents leads to loss of life or long-term damage to critical infrastructure.