The position of Chief Information Security Officer (CISO) has become well established in recent years, but where is it heading next? For many it is often perceived as an inward directed role more accustomed to saying ‘no’ than anything else. But is this really fair and does it represent the modern CISO?
Most organisations are under intense pressure to be flexible as well as secure to protect their own assets as well as the privacy of customer data. Going forward, a more pragmatic approach has to blend the agile needs of the business with the continuing challenges of security.
All organisations like to base success on results. Part of the challenge is that when some initially look at what this means for security, it is often framed as preventing bad things from happening, rather than doing good things for the organisation. While this may still be true, it is not a great yardstick for encouraging the best behaviours and attitudes. It runs the risk of fostering inaction and retrenchment, rather than moves in a positive direction.
The term ‘Next Gen CISO’ might not be entirely new, but it surfaced again in a recent discussion with LogMeIn CISO, Gerry Beuchelt. This revolved around the evolving relationship between business and security and how by changing behaviours CISOs can add real value to the business as well as keeping it safe.
So what are the attributes of a Next Gen CISO?
The first attribute that a Next Gen CISO needs is to be outward looking. It helps of course to be acutely aware of the challenges faced by other organisations and changes in the market landscape. However, the outward looking CISO needs to be much more than that. They need to be able to engage with, and understand, their organisation’s customers. This should involve working alongside the sales force and channel partners. Why? To understand and appreciate the commercial challenges of any organisational security issue it really helps to see the impact it has on customers.
Risk in context
This outward perspective assists with another attribute for the Next Gen CISO: awareness of the business reward/risk spectrum. Good CISOs will already understand the risks being faced by their organisation and be aware of its vulnerabilities. But it is rarely their responsibility to decide whether those risks are worth accepting, given the consequential impact on the business. Nor should those who do hold the business responsibility take that decision without being fully aware of the facts.
The Next Gen CISO should be able to present the risks and consequences of different actions (or inaction) in the context of the consequences they will have on the business. It is no good simply presenting information about speed of patching, number of phishing attacks or level of malware exposure. These may be relevant performance indicators within the security function, but mean little in the context of the business overall. Neither should CISOs hide or diminish the risks being faced. The important thing is to make clear and transparent the impacts that different security issues will have on specific aspects of the business. This is about putting security and risk into a clear and understandable business context.
As well as reaching out to customers and fellow C-level staff, the Next Gen CISO needs to be able to engage with employees from across the organisation. Security is not a pinpoint issue that affects only certain individuals or business processes. All roles have some element of security and risk for which they have to accept some responsibility. It might have seemed fine at one time to concentrate this in the hands of one individual, but that is too onerous. The risk then is that the default reaction of that individual is to be overly defensive and too often say “no”.
The Next Gen CISO needs to be able to understand business processes and empathise with the challenges faced by those that undertake them. This helps spread involvement and understanding of the importance of security, and of what everyone needs to do, to the widest possible audience. By reaching out and engaging with fellow employees, the Next Gen CISO is also extending their threat intelligence and impact assessment information network.
Building understanding and changing behaviour towards security across the organisation then becomes a realistic goal. But this is rarely accomplished with tick box assessments or tedious training courses. Computer based training can play a part in building awareness, but risks downplaying the importance of specific security threats. A Next Gen CISO will enthuse and engage using more pervasive training models. These will include simulation and live role play to ensure the security message hits home and remains embedded in the organisational culture.
The CISO role may be built around information and security. But it is delivered through a passion for protection that aligns and fits closely to the needs of the business. The Next Gen CISO needs hybrid attributes to which many management roles should aspire. That and an ability to assess the value of technical aspects, with a realisation that success will depend on human ones.