The latest c-suite executive role to step into the spotlight is the chief information security officer, or CISO. Even more focus was put on the CISO role when, in February, President Obama announced that the US government was planning to hire its first ever Federal CISO.
Obama’s announcement further validated what many organizations were already doing: assigning a dedicated executive to security, rather than leaving it to the CIO or CTO, whose top priorities are typically a mix of innovation and operations. And, while the CISO is not a new role, it is still gaining ground in the enterprise.
So, we’re going to break down what it is and why you might need one. Let’s start with defining the role.
What is a CISO?
Simply put, the goal of the CISO is to protect the business at all costs against present and future digital security threats.
Andrew Hay, CISO at DataGravity, said, “The CISO role is a true hybrid role that is responsible for implementing, defending, measuring, and communicating the security and privacy strategy of the organization to all of its stakeholders.”
And that “all stakeholders” bit is key: the CISO isn’t going to hold court with the executive team only. True CISOs will be working with employees, customers, and other partners as well, Hay said.
Additionally, the CISO role isn’t the typical “vision caster” most people associate with a CXO title. The CISO role is a mixture of strategy/big picture thinking and tactical skills. Most CISOs are coming from an IT security background, so they know how to directly implement and work with the systems they are recommending.
In terms of who they report to, Entertainment Partners CISO John Tooley said that he believes the majority report to specific executives, and not just the CEO. In his tenure, he said he has reported to the CIO and CTO. Other CISOs may report to the COO or the CFO.
What does a CISO do?
In a broad sense, the CISO’s functions revolve around risk: identifying it, assessing it, presenting it to the business, and implementing programs to combat it. The difficulty in the role, Tooley said, is doing these things in a way that makes sense to the business while also being effective in driving real change.
Identifying and assessing risk are skills typically built from a combination of the training a CISO has received over his or her career and the intuition that develops over a long time spent in the industry. Presenting the risk is the bigger challenge, because it requires specific communication and sales skills to get other leaders on board with a solution.
“As opposed to other C-level executives, I think there is more of a communication challenge, taking highly technical language and translating it into business value and need. There is also the balance that needs to be struck between empowering employees and securing the enterprise, since insider threats represent one of the biggest security concerns,” said Ari Lightman, director of the CISO Program at Carnegie Mellon University’s Heinz College.
The CISO must champion the organization’s security in all that he or she does, setting security goals and milestones to help measure the success of that strategy. Lightman said the day-to-day functions that make up the role may include the following:
- Secure the enterprise’s digital assets
- Educate and train employees and the extended ecosystem on security best practices and procedures
- Define and monitor access and permissions
- Hire and train security personnel
- Define budgets for security equipment and training
- Work with other C-level executives to ensure compliance with security procedures
And that list is not exhaustive. Ultimately, a CISO’s role will also be shaped, in part, by the needs of the industry they operate in and the needs of their employer.
The rise of the CISO
So, why are we seeing the CISO rise to prominence now? For starters, security is no longer purely a technological issue, and can no longer be constrained solely to IT.
“So there is awareness among senior management now that information security is really a risk issue, and risk is a business challenge that needs broader solutions,” Tooley said.
Another big issue is growth: there’s more technology in the workplace than there has ever been before, and it’s affecting organizations in new and interesting ways. The addition of DevOps, cloud, IoT, BYOD, and big data means that the attack surface is growing as well, and it needs a guardian.
“As a result, industry guidance, regulatory compliance standards, and the realization that security is a key component in business continuity and operational excellence have led to the realization that the safety, security, and compliance of a company’s IT and information assets require an advocate at the highest level,” Hay said.
The 3 big takeaways for TechRepublic readers
- The CISO is an executive role that combines technical expertise with strategic vision to champion a security strategy for an organization.
- The CISO is responsible for identifying, analyzing, and presenting risk. Communicating risk requires specific skills to help “sell” the solutions that mitigate potential threats.
- The role itself is growing because the breadth of technology being implemented in business continues to grow. A CISO must understand how security risks affect the bottom line as well as how they impact IT operations.