The role of CISO has evolved in the last five years from one of IT security administration to high-level risk management. Here are four perspectives on how and why it happened and how you can go about doing the job effectively today.
The role of chief information security officer is not what it was five years ago. According to those who find themselves in the role, that's not necessarily a bad thing.
It used to be that CSOs were over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off of infected laptops. True, that's still the role some CSOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the program that balances acceptable risks against the unacceptable.
Also see "What is a CSO, part two" for a look at the CSO as a business enabler
In an ideal world, today's CISO hires someone else to handle all those technical tasks. Of course, the question is whether you can inspire them to do what you once had to do or if you'll turn them off with an attitude of superiority.
We reached out to several current and former CSOs and CISOs -- and a few analysts who have worked with them -- for a look at what has changed from their vantage point and what a security exec must do to survive in the job today. What follows are four perspectives.
Related podcast: "How to become the 'new CSO'"
Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services
On how the position has changed for the better: In 2006 I was the only person running an enterprise security organization in Catholic healthcare that held an executive position. Many of the people I ran into that were leading security, whether traditional corporate security or information security, were essentially senior managers with fancy titles, rather than junior to mid-level executives. Really the only place this wasn't true, in general, was in the financial and defense sectors. In fact, if you look at who the original thought leaders of security were, you see them coming out of those sectors very strongly. Today that is no longer true. I have peers in Catholic healthcare who are vice presidents of their organization. More importantly, almost all large corporations (Fortune 500 as a definition for large) are hiring a VP of information security or something equivalent.
Security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, focused very narrowly on technology controls within the scope of the IT organization), compliance training and awareness, and so forth. So, things that security practitioners long said were part of security, our organizations are now looking for us to accomplish also. Essentially, the CSO/CISO has become a permanent part of the group sitting at the table deciding how the company does business. The CSO leads the security function within the business and that function is now viewed as a necessary function within the business, rather than something to be given lip service to keep the regulators away but otherwise ignored. This is a significant and powerful change, in my opinion.
On how the position has changed for the worse: I think that there is a lack of understanding of who is responsible for security and how the function is divided up in the business. I think CSO/CISO types do themselves a disservice when they publicly proclaim that "everyone is responsible for security." My question would be "why do we need you, then?" That would be like the sales leader of a company like Symantec saying that "everyone at Symantec is responsible for generating sales revenue". In a way that's true, but who sets the tone, direction and strategy? The SVP of global sales (or whatever the title is). I see security practitioners giving away their accountability, authority and scope on a daily basis. I think that I see a gap between the people who are skilled and capable and able to lead the security function of a large company and the people actually doing it. The bad guys have gotten smarter, and so the worldwide call to arms that the cyber attacks of the early 2000s led to is no longer present. Unfortunately, the costs are much higher now than when they were just defacing websites and launching virus attacks.
On what kinds of CSO training courses are a must-have today: I would get a degree in business management. I came into this area by way of the military, and many of my peers and friends came in via the military or law enforcement. I didn't really know how to lead a department in a business, understand budgets, headcounts, margin, net operating income, top line, bottom line, etc. What I knew how to do was secure things from bad guys. In an organization like a police force or the army, the budgets, headcounts, etc., are usually not in the hands of the practitioners who later become CSO/CISO type folks. So, we learned how to do the work, but not how to run the business. I learned how to run the business through a lot of hard knocks in the companies I worked for after the Army. I think the next generation of CSOs will not have that luxury.
Jason Kobus, San Francisco-based security and privacy program manager for a financial institution
The job today is mostly about knowing how to prioritize. This boils down to understanding your business' risks and applying risk mitigation with the right recipe of people, processes and technology. Your C(I)SO program portfolio should be a mixture of tried, true, and stable investments, with a touch of cutting-edge technology where your gut tells you the vendor is on the right track. To avoid board room ridicule, the savvy C(I)SO must apply business fundamentals like project management (to produce tangible results and manage resources effectively) and cost-benefit analysis (to justify decisions). Decision making should be based on industry research (Gartner, Forrester), comparable analysis (what are my peers doing?), and directly engaging your stakeholders (be your own consultant instead of relying on second-hand sanitized reports). Lastly, you'll need to become a student of organizational behavior and good GRC practices to survive the inevitable pressure from the business to accelerate faster than your security can assess the risk.
I'm responsible for physical security, info security and risk mgmt at my company and I've definitely seen a shift from infosec to risk management. Everything now is approached from that perspective. Regulatory agencies are pushing towards enterprise risk management programs that encompass far more than just infosec, so my role has broadened. The arrival of cloud computing has put more spotlight on vendor management practices, most notably contract language (whether you use cloud computing or not). Metrics have gained a lot of interest. The interest in this area surrounds metrics that are meaningful at all levels from staff to line management, to business unit management, to exec management, to board level. The CSO role is following the same path as the CIO/CTO role did years ago. I remember watching that role evolve. Other C-level players came to realize over time the value that a CIO/CTO could bring to the exec table, so that role matured to what it is today. I believe that the CSO role is following the same path overall and that other C-level execs will continue to learn what a CSO can bring to the table as that role matures.
What has improved and what has not? Certainly the regulatory pressure to move towards enterprise risk management has helped broaden my sphere of influence. Continued breaches have kept security at the forefront. The fact that security is largely viewed as a cost center rather than a profit center has not changed. That will continue to keep the budgetary flow checked. Also, the pace of change for the business has not changed. It is still vital that the security position itself act as an enabler in business processes so that you are not delaying progress. What do you need to do going forward to have success? Clearly there's no simple answer here, and there's a long list of things one could do:
1. Embed security in key business processes -- too difficult to play clean-up/catch-up. Security needs to be involved in bringing new apps on board; contract negotiations; new third-party relationships; new technology infrastructure; BCP/DR; strategic planning; etc, etc.
2. Communicate clearly and openly -- other groups need to be comfortable that security is in the processes above to add value. You must communicate to your peers what you can bring to the table.
3. Metrics/Reporting -- Security will need to be able to show the positive impact from their involvement. What security metrics tell that story? What metrics will you communicate to each level? Each audience needs different metrics so they focus in the right place.
On whether or not the role is too limiting: I don't believe the position itself is limiting. While we experience some frustrations with getting everything we need to do done, that's really no different than our peers in development, operations, etc. Most of our work is a question of prioritization and competes directly with all of the rest of the pool of work that needs to get done. That said, a CSO/CISO needs to have a seat at the prioritization table (both visibility and equal weight, which gets into the next question).
On who he reports to: I currently report into the general counsel, but have also reported in to the CIO/CTO as well as the COO in the past. I'm not certain any of these reporting relationships are better or worse than others. As mentioned above, I think visibility and access are key to getting things done as a CISO. Do you have access and influence within the senior leadership team, board of directors, audit committees, etc.? Obviously, being buried somewhere in the bowels of the technology organization won't give you this access and will make things very difficult. As to whether or not reporting into the GC or CTO or COO was better or worse, that was largely about the qualifications and personalities of the people holding those positions rather than the organizational position itself. All that said, if you end up with the seat at the table, you better be able to speak the same language as those around you and not get buried in the technology weeds. If you start going on and on about the details of a CSRF vulnerability with the board of directors, you'll obviously get pushed right back down into the deep, dark woods of the tech org.