Andrew Wild is the new chief information security officer (CISO) at US IT security product company Lancope, Inc. He writes on the role of the CISO, how it has changed over the years and what tools and skills a CISO needs.
What is the role of a CISO–what are they expected to do, what should their role be? Is this technical? Can a non-technical person hold the position?
The role of the modern CISO is to provide the leadership and guidance necessary for an organisation to manage the risks to the confidentiality, integrity and availability of the organisation’s intellectual property and information technology assets. The role has evolved from being focused primarily on the implementation and management of security control technology (firewall, IDS, AV solutions, etc.) to that of a consultative, business-process-aware risk management professional. The CISO’s role change from IT security technology solutions expert to enterprise risk management executive requires a risk-based approach, and CISOs must adapt and embrace this and move away from a security-controls-focused approach to information security. That’s not to say that security controls aren’t important, because they are, but, from the top down, the focus needs to be on risk management. A critical component of implementing a successful risk-based approach is the building of strong relationships with the business units within an organisation, and approaching the business units in a consultative manner to offer assistance and guidance. Whereas past CISOs were required to possess strong technical knowledge, today’s CISO requires consensus-building, influencing and strong communication skills.
How has the CISO role changed over the past two years?
The role has changed from a manager of IT security technologies to a risk management executive. This change is a result of an increasing awareness that preventative security controls cannot be 100% effective, and of increased interest in information security by corporate boards of directors. There are several reasons why board-level interest in information security is rising, but the two main reasons are the SEC’s guidance requiring that publicly traded companies disclose material information about information security events, and the never-ending headlines about data breaches. Both of these are viewed at the board level as risks that should be managed, and they are driving changes in how organisations manage and implement information security. One consequence of the increased attention at the board level to the impact of information security on overall risk is that the C-suite is more aware of and focused on information security in many organisations. The board-level interest requires a risk-based approach, and CISOs must adapt and embrace this and move away from a security-controls-focused approach to information security.
What tools/skills does the CISO need?
A critical component of implementing a successful risk-based approach is the building of strong relationships with the business units within an organisation, and approaching the business units in a consultative manner to offer assistance and guidance. The risk-based approach should begin at the start of any effort, including information security risk as a consideration when solutions, products and projects are in design, review and implementation. Another important point about moving towards a risk-based approach for information security is determining who “owns” the risk. Ideally, the business unit that owns the project, process, solution or product will own all of the identified risks associated with it. This is where the security chief’s influence and consultative skills come into play; the security chief will provide guidance and direction about how the information security risks can be mitigated or reduced through the use of information security controls. The security chief and his organisation may end up owning the implementation of the security controls selected to mitigate the risk, but fundamentally, the risk itself is owned by the business. The migration from a security-controls-based approach towards a risk-based approach can be a difficult transition, as a step in this process may require the re-evaluation of all existing security controls to identify the risks the controls are designed to mitigate, and include evaluation of each control’s effectiveness and cost efficiency compared against the potential loss exposure associated with the risk. In the long run, though, having the security controls mapped to the risks they are designed to mitigate can bring more transparency and understanding to the information security budget.
Some CISOs try to communicate with the C-suite and board using information security terms, as opposed to what the C-suite and board really want to know, which is “Are we managing the risks adequately?” Often, security chiefs will present detailed charts with metrics explaining the effectiveness of the security controls, and while that can be a component of the message, the real content should be focused on the risks themselves, and not on the security controls. Communicating with the board and C-suite about the risks is part of the transition I mentioned earlier, moving from a security-controls-focused security program to a risk-based program. The C-suite and board need to understand how well the organisation’s risk management is functioning, and providing a chart that indicates how many malware incidents were identified and remediated over time may not be the right metric to share.
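The two preceding answers describe a concrete practice: map every security control to the risk it mitigates, weigh each control’s effectiveness and cost against the loss exposure of that risk, and report to the board in terms of risks rather than control statistics. The following is an added Python illustration of that practice; it is not code from Lancope or a method the author describes. It assumes a particular way of quantifying exposure (annualised loss expectancy, i.e. single-loss expectancy times annual rate of occurrence), assumes each control removes a fixed fraction of a risk’s remaining exposure, and uses entirely constructed risks, controls and figures.

```python
"""Risk register that ties security controls to the risks they mitigate and
compares each control's annual cost against the loss exposure it removes.

Added illustration, not code from Lancope or from the interviewee.
Assumptions not on the page: exposure is modelled as annualised loss
expectancy (ALE = single-loss expectancy x annual rate of occurrence), each
control removes a fixed fraction of a risk's remaining ALE, and every figure
below is a constructed sample value.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    owner: str          # business unit that owns the risk (not the security team)
    description: str
    sle: float          # single-loss expectancy, in currency units
    aro: float          # expected occurrences per year

    @property
    def inherent_ale(self) -> float:
        """Exposure with no controls in place."""
        return self.sle * self.aro


@dataclass
class Control:
    control_id: str
    name: str
    annual_cost: float
    # risk_id -> fraction of that risk's remaining ALE the control removes (0..1).
    # An empty mapping means the control is not tied to any registered risk.
    mitigates: dict


def residual_ale(risk, controls):
    """ALE left after every control mapped to this risk is applied.

    Effects combine multiplicatively, so stacked controls never exceed 100%.
    """
    remaining = risk.inherent_ale
    for control in controls:
        remaining *= 1.0 - control.mitigates.get(risk.risk_id, 0.0)
    return round(remaining, 2)


def marginal_reduction(control, risks, controls):
    """ALE removed by this control beyond what the other controls already remove."""
    others = [c for c in controls if c.control_id != control.control_id]
    return round(sum(residual_ale(r, others) - residual_ale(r, controls) for r in risks), 2)


def evaluate_controls(risks, controls):
    """Per-control view: what each control costs versus the exposure it removes.

    ratio < 1.0 means the control costs more per year than the loss it prevents;
    mapped == [] flags an orphan control whose purpose should be re-examined.
    """
    rows = []
    for c in controls:
        reduction = marginal_reduction(c, risks, controls)
        rows.append({
            "control_id": c.control_id,
            "name": c.name,
            "annual_cost": c.annual_cost,
            "ale_reduction": reduction,
            "ratio": round(reduction / c.annual_cost, 2) if c.annual_cost else 0.0,
            "mapped": sorted(c.mitigates),
        })
    return rows


def board_summary(risks, controls):
    """Per-risk view for the board: owner, inherent versus residual exposure,
    and which controls account for the difference (no control counts)."""
    rows = []
    for r in risks:
        rows.append({
            "risk_id": r.risk_id,
            "owner": r.owner,
            "inherent_ale": round(r.inherent_ale, 2),
            "residual_ale": residual_ale(r, controls),
            "controls": [c.control_id for c in controls if r.risk_id in c.mitigates],
        })
    return rows


# Constructed sample register: hypothetical risks, controls and figures.
RISKS = [
    Risk("R1", "Sales Operations", "Customer database breach", sle=500_000, aro=0.2),
    Risk("R2", "Manufacturing", "Ransomware outage on plant systems", sle=200_000, aro=0.5),
    Risk("R3", "Field Sales", "Lost or stolen laptop with customer data", sle=20_000, aro=2.0),
]

CONTROLS = [
    Control("C1", "Database activity monitoring", 30_000, {"R1": 0.6}),
    Control("C2", "Endpoint backup and recovery", 25_000, {"R2": 0.7, "R3": 0.5}),
    Control("C3", "Full-disk encryption", 8_000, {"R3": 0.9}),
    Control("C4", "Legacy web filter", 15_000, {}),             # orphan control
    Control("C5", "Premium DLP appliance", 120_000, {"R1": 0.3}),
]

if __name__ == "__main__":
    for row in board_summary(RISKS, CONTROLS):
        print(row)
    for row in evaluate_controls(RISKS, CONTROLS):
        print(row)
```

Run as a script, the register produces two views. The board view shows, per risk, the owning business unit and how much exposure the current control set leaves (for example R1 falls from 100,000 to 28,000), which is the “are we managing the risks adequately?” answer. The control view surfaces the budget questions the second answer raises: C4 maps to no registered risk at all, and C5 returns about 0.1 in reduced exposure per unit of cost, so both would be candidates for re-evaluation when controls are mapped back to risks.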