Chief Security Officers Get Down to Business


As organizations see IT security within the larger context of risk management, so too is the role of the chief information security officer (CISO) taking on greater significance. Fewer and fewer CISOs have technical backgrounds, and many are moving to a more proactive footing where they seek to influence corporate strategy.

"I am an ex-CISO myself, and came from the technical route," says Andrew Rose, principal analyst with Forrester Research. "But now CISOs are so business focused, and they can rely on their organization’s technical staff."

Rose argues that the new generation of CISOs is more comfortable around the board table than tinkering away in the server room. In fact, if senior technical specialists think they will naturally move from a tactical technology focus toward the CISO position, without having to engage in a strategic view of the enterprise, they’ll be in for a surprise.

"You need to be able to understand risk, business engagement, and change and process management," says Rose.  "Now the trend is accelerating with more of a CISO focus on privacy management, long term business impact, audits, and perhaps even physical security."

As a result, the role is increasingly being filled by executives with no technology background. CISOs are still required to ensure that expectations are being met on the technical side, but they must also mediate acceptable risk with a view to business requirements.

"It is true that non-security folks are stepping up," says James McCloskey, a senior analyst at Info-Tech Research. "The requirement for a more holistic view, and one that does not focus on specific technologies, means that we are now seeing CISOs with legal or audit backgrounds."

McCloskey says that risk management skills are often not well-developed internally, which means that many organizations must source externally to fill a CISO position. When they do that, they should seek someone whose abilities and personality will complement existing security staff.

Keeping Risk Real

Real time analytics are making information and risk management increasingly sophisticated, but also highlight the unreasonableness of a zero risk profile. Gartner’s chief of security and risk management, Paul Proctor, has argued that adaptation means having a more clearly defined understanding of managed risk. For his part, McCloskey from Info-Tech says that effective management requires a combined understanding of unique requirements and more general protocols.

"Every organization is unique in its risk tolerance," says McCloskey. "It depends on the threat profile, the industry, the types of technology, customers. That said, ISO 27000 can provide a structured approach, as can the OCTAVE suite."

OCTAVE, which stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, was developed over a decade ago, and includes techniques for assessment and planning.

"It helps with an understanding of the threat landscape," says McCloskey. "There is a methodology that CISOs can use for an organization to come up with their own controls."

Even with the rigor afforded by OCTAVE or ISO 27000, a CISO can still play a major educational role within an organization. Often, the tradeoffs are relatively straightforward: A bigger investment will reduce a risk profile, and a decision to save money will increase it. With that in mind, however, a CISO must call upon other C-suite executives to step up to the plate and decide what risk posture is acceptable relative to a reasonable investment.

"It is all about cost-benefit and risk appetite," says Rose from Forrester. "A CISO should be able to flag things and say 'This is our silver option, and this is our bronze option. Which one do you want to go for?' From there, the board should be able to get their heads around it."

The CISO in the Cloud

With data protection as a top priority, and an explosion in security endpoints and challenges with BYOD, CISOs will be looking for someone else to address technology issues as they shift their focus to business engagement. With that in mind, the cloud presents real opportunities for CISOs – and a few challenges, too.

"Everyone is interested in cloud, but there are differences among industries," says Rose. “Finance and healthcare are reluctant to take the step, with 40 percent of those organizations stopped or stalled due to security concerns. However, for smaller organizations moving to the cloud will probably increase security."

Which means that these organizations can compete against the big guys while, in effect, outsourcing a chunk of the CISO role to service providers. Enterprises can then focus more on spending to ensure business growth, and less on compliance.

"The FedRAMP standard for cloud adoption is making a big difference," says Rose.  "So are products like CipherCloud."

And with regard to BYOD, investments in mobile device management and encryption mean that enterprises can keep their attention on larger security control issues, while also ensuring that their workforce is aware of acceptable use policies.

"Overall the awareness of information security challenges has risen," says McCloskey. "Now I have become an advocate of how the CISO discipline actually needs more actuaries."

That's a big indication of how things have changed, and how the role of the CISO, and the larger issue of risk management, has moved well beyond the nuts and bolts of IT security. Instead, it has become embedded in 21st century business processes, and reflects an ongoing and dynamic risk environment.

A graduate of McGill University, Timothy Wilson joined IDC Canada in Toronto as a research analyst in 1997. In 2000 he began T Wilson Associates and continued to consult for research companies, as well as working directly with large vendors such as Microsoft and SAP. Throughout his career Timothy has contributed to the IT, trade and mainstream press. He has lived and worked in Latin America and is proficient in Spanish. He has received a first place CBC Literary Award and a Gold National Magazine Award for his non-fiction writing.