The Chief Information Security Officer (CISO) role is undergoing big change in many organisations. The change is driven by high-profile breaches, a greater appreciation of the true value of information assets, new sources of vulnerability such as mobile and the cloud, more sophisticated threats such as APTs, and the close link between digitisation, cyberspace and the success of the enterprise. Boardrooms are concerned about potentially catastrophic reputation and revenue loss from cyber incidents. No board wants to be the next Target, Sony Entertainment or Anthem. With the viability of the entire organisation at stake, the CISO is now a critical member of the senior team.
Traditionally, the CISO appointment went to those who rose up through the ranks of IT or information security by excelling in technical controls. In the past, the head security person was typically the technical infosec expert in the organisation, with deep knowledge in areas such as firewalls, access control, network security and vulnerability scanning, and in a thousand acronyms such as IDS, AV, PKI, SDLC, VPN, AES, DMZ and TLS. Most enterprises have now realised that information security is a lot more than just technical controls.
In addition to having an excellent appreciation of technical controls, today’s CISO is involved with aspects such as information security governance and strategy, security policies, standards and procedures, compliance, security architecture, security metrics, risk management and incident management. She gets involved with ALE, BIA, COBIT, BCP, CMM, RTO, EF, ISO, KGI, KRI, ROSI and DRP. The CISO now understands the role of information security in achieving business objectives. Today’s CISO needs to be an excellent communicator at board and senior management level.
Changes in the role of the CISO are most noticeable through:
• A higher position on the organisation chart. Rather than reporting to the CIO, it is now far more common for CISOs to report either to the CEO (36%) or directly to the board of directors (32%). At Booz Allen Hamilton, the CIO reports to the CISO. Elevating the role to a direct board report illustrates the criticality of the role and the board’s need to be regularly informed of significant risks. In the event of a security incident which can impact reputation, the board demands that a senior person take charge. Direct board reporting also circumvents the problem that the CIO and CEO have performance objectives which can run contrary to security.
• A consolidation of diverse security functions into a single role. Physical security, for example, is now commonly grouped with traditional information security, as many threats are better dealt with holistically. Because of this, in some enterprises the job title is CSO rather than CISO.
• A dispersion of security responsibility and accountability. Rather than security being a priority only for the few infosec specialists within the organisation, it is the CISO’s role to ensure that all staff members are aware of, responsible for and accountable for the security which touches their jobs. Communication is now a large part of the CISO role.
Due to these role changes, it has been suggested that organisations perhaps require two CISOs – a traditional one with deep technical knowledge, and another focussed at the strategic level. My view is that one CISO is the ideal, and the incumbent must combine two diverse skillsets – wide technical information security skills, plus strategic-level skills (such as information security governance, risk management and high-level communication). Strong technical security knowledge provides credibility. The individual must be independent, decisive and able to take charge, be able to quickly focus on the kernel of a security matter, and of course be able to handle stress. A capable, experienced person with these characteristics and this combination of skills is of huge value to organisations.
With the growing importance of the role, and $1m+ p.a. salaries, there has never been a more exciting time to be a CISO.