Part 1 - Modernization of the CISO
The role of the CISO is changing again, and for good reason. In the 80s and 90s the CISO, or head security manager, focused solely on operations and on operational security activities: user administration, perimeter control, ACL management, and password resets. In the late 90s and early 2000s the role expanded, particularly in larger organizations, to include disaster recovery and business continuity, software assurance, PKI support, physical security, IT audit management, and data center certification. Even with these extended responsibilities, the role grew bottom-up, retaining its focus on information operations and the technologies that run the business.
Over the past 10 years, the CISO has slowly matured into a strategic role in the enterprise, requiring a skill set beyond that of its dinosaur predecessors. Today's modern CISO is a risk manager, equally conversant in business and technology strategy, and thoroughly knowledgeable in customer, product, partner, and vendor management matters, all through the lens of information security, information assurance, customer and business protection, policy compliance, law, auditability, and of course sustained and reliable operations.
The Digital Enterprise, Innovation, and Threat Trends
The future of the CISO is being defined by the enormous growth of, and reliance on, digital information by enterprises large and small; by the continued drive toward innovation, cost take-out, and IT-on-tap; and by the breadth and depth of security threats and enterprise vulnerabilities in the current economy.
- More digital information, from customer data to intellectual property, is being exchanged between consumers and businesses, and more of it is being lost.
- Organized crime is the primary adversary. While the enterprise also faces terrorists, hackers, and rogue insiders, these activities are often subsidized and coordinated by well-funded, tech-savvy, local and international organized crime.
- Intellectual property and larger-scale funds transfer networks are now the primary targets of attack, where in the past most resources were focused on identity-related information. Stolen identity information has flooded the market over the past 5 years, reducing its value on the street and forcing attackers to go up-market.
- A perfect storm of risk to information security: increased pressure on firms to reduce spending and cut staffing, resulting in more porous defenses and more opportunities for cybercriminals; the push to "variablize" technology costs through sourcing strategies and emerging, not yet completely vetted technologies that move data center infrastructure and controls further beyond the enterprise perimeter; and mergers and acquisitions, with the haste to consolidate policies, cultures, and infrastructures that follows them.
- Rising costs of maintaining customer confidence in the internet business and consumer channel in the face of broader and more sophisticated cyber threats.
- Escalating cyber attacks on applications and data/content, where security controls are less mature. At the same time, traditional security controls such as anti-virus blacklists are losing their effectiveness, and malware is becoming significantly more complex and difficult to defend against.
- The move to the cloud, accelerated by several years, providing both significant security opportunities and security risks that are yet to be fully understood or addressed.
- Losses from insider attacks and data leakage are increasing, due largely to human error and to the tremendous increase in unstructured information, giving rise to requirements for data-driven security controls.
- Encryption, once viewed as the last line of defense, has become a must-have in storage, on web platforms, across networks, you name it. The further deployment of security technologies that rely on encryption (e.g., desktop encryption, content encryption, message privacy and authenticity) is creating increased risk due to the newness of the key management procedures behind them.
- Industry and government regulations are multiplying, but in many cases compliance is not significantly lowering risk or improving security.
The Modern CISO
The modern CISO, as described above, is a risk manager rather than an operator: equally conversant in business and technology strategy, engaged in customer, product, partner, and vendor matters, and accountable for protection, compliance, auditability, and sustained operations. The five strategies below describe how a CISO grows into that role.
5 CISO Strategies for Leadership
1. Become the Security CEO
- Become a fully integrated member of the executive team
- Excel in communication and project management
- Balance strategic, tactical, and technical security requirements
- Understand how to make security a competitive differentiator for your business
- Get out of the ivory security tower and out to the business, your employees, partners, and customers.
- Challenge the de facto information security communities, call for new strategic leadership, and set actionable, measurable agendas for the CISO profession and practitioner
2. Enable CISOaaS
- Develop and refine the CISO role into service offerings, some advisory and consulting in nature, some operational, offered to the lines of business, their partners, and even customers. Transition the CISO from a cost center to a cost-offset center.
3. Engage at Product, Research, and Industry Levels
- Stop being sold security, and engage security vendors in priority setting
- Understand security product strategies and influence road maps
- Be the security-tone-at-the-top in all technology and service negotiations
4. Be Continuous
- As the boundaries of the traditional enterprise fade, establish programs and systems to continually monitor the security health of the enterprise.
- Instead of addressing distinct security compliance measures one by one, by product, by vendor, or by system, build an integrated security framework of building blocks: common security controls, best practices, and policies, all positioned to lead predictably to a continuous state of security enforcement and compliance across the enterprise.
5. Engineer Security In
- Demand that information security requirements be mandatory for all service contracts, partner agreements, and technology acquisitions
- Champion security requirements in products, customer interactions, vendor relationships, sourcing decisions, and information systems.
10 of the Top Information Security Topics in 2010
- Security as a Service
- Malware
- Security Technology Convergence - DAM (database activity monitoring) and DLP (data loss prevention)
- Data Protection Redefined
- Application Security
- Software Assurance
Action Item: No doubt enterprises of all sizes, along with their users, business owners, partners, and suppliers, will continue to have a full information security agenda going into 2010. To advance that agenda, CEOs and CIO/CTOs must be partners of the CISO and continue, with focused determination, to treat finding effective information security, risk, and compliance solutions as one of the highest priorities in the coming year.