What Is the Role of a CISO?

By Andrew Wild, CISO, Lancope

Lancope recently appointed long-time information security and risk management professional Andrew Wild as its new chief information security officer (CISO). Wild has spent over 25 years developing effective, customer-driven information security, incident response, compliance and secure networking programs for IT and security organizations. Here he discusses the role of the CISO, how it has changed over the years, and what tools and skills a CISO needs.

1. What is the role of a CISO: what are they expected to do, and what should their role be? Is this technical? Can a non-technical person hold the position?

The role of the modern-day CISO is to provide the leadership and guidance necessary for an organization to manage the risks to the confidentiality, integrity and availability of the organization's intellectual property and information technology assets. The role has evolved from being focused primarily on the implementation and management of security control technology (firewall, IDS, AV solutions, etc.) to a consultative, business-process-aware risk management professional. The CISO's role change from IT security technology solutions expert to enterprise risk management executive requires a risk-based approach, and CISOs must adapt and embrace this and move away from a security-controls-focused approach to information security. That's not to say that security controls aren't important, because they are, but, from the top down, the focus needs to be on risk management. A critical component of implementing a successful risk-based approach is the building of strong relationships with the business units within an organization, and approaching the business units in a consultative manner to offer assistance and guidance. Whereas past CISOs were required to possess strong technical knowledge, today's CISO requires consensus-building, influencing, and strong communication skills.

2. How has the CISO role changed over the past two years?

As explained above, the role has changed from a manager of IT security technologies to a risk management executive. This change is the result of an increasing awareness that preventative security controls cannot be 100% effective, and of increased interest in information security by corporate boards of directors. There are several reasons why board-level interest in information security is rising, but the two main reasons are the SEC's guidance requiring that publicly traded companies disclose material information about information security events, and the never-ending headlines about data breaches. Both of these are viewed at the board level as risks that should be managed, and they are driving changes in how organizations manage and implement information security. One consequence of the increased attention at the board level to the information security impact on overall risk is that the C-suite is more aware of and focused on information security in many organizations. The board-level interest requires a risk-based approach, and CISOs must adapt and embrace this and move away from a security-controls-focused approach to information security.

3. What tools and skills does a CISO need?

A critical component of implementing a successful risk-based approach is the building of strong relationships with the business units within an organization, and approaching the business units in a consultative manner to offer assistance and guidance. The risk-based approach should begin at the start of any effort, including information security risk as a consideration when solutions, products, and projects are in design, review and implementation. Another important point about moving towards a risk-based approach for information security is determining who "owns" the risk. Ideally, the business unit that owns the project, process, solution or product will own all of the identified risks associated with it. This is where the security chief's influence and consultative skills come into play; the security chief will provide guidance and direction about how the information security risks can be mitigated or reduced through the use of information security controls. The security chief and his organization may end up owning the implementation of the security controls selected to mitigate the risk, but fundamentally, the risk itself is owned by the business. The migration from a security-controls-based approach towards a risk-based approach can be a difficult transition, as a step in this process may require the re-evaluation of all existing security controls to identify the risks the controls are designed to mitigate, and include evaluation of each control's effectiveness and cost efficiency compared against the potential loss exposure associated with the risk. In the long run, though, having the security controls mapped to the risks they are designed to mitigate can bring more transparency and understanding to the information security budget.

Some CISOs try to communicate with the C-suite and board using information security terms, as opposed to what the C-suite and board really want to know, which is "Are we managing the risks adequately?" Often, security chiefs will present detailed charts with metrics explaining the effectiveness of the security controls, and while that can be a component of the message, the real content should be focused on the risks themselves, and not on the security controls. Communicating with the board and C-suite about the risks is part of the transition I mentioned earlier, moving from a security-controls-focused security program to a risk-based program. The C-suite and board need to understand how well the organization's risk management program is functioning, and providing a chart that indicates how many malware incidents were identified and remediated over time may not be the right metric to share.

© Copyright 2015-2017 Auerbach Publications