What Should the CISO Role Be?
Companies are increasingly hiring an individual to fill the chief information security officer (CISO) position, but they don’t always agree on what the CISO role should be.
First there’s the question of whether an organization needs a CISO at all. But in an age where security and information governance are so vital, that ship has sailed. As long ago as 2012, Gartner analyst Paul Procter wrote, “A CISO is required for any mature business to build and maintain an information security program, support defensibility in regulatory actions, and balance the need to protect the business against the need to operate the business.”
As of 2014, more than half of corporations with 1,000 or more employees had a full- or part-time CISO, according to a Ponemon Institute study. And organizations are continuing to add CISOs—often after a breach, as at Target.
“Enter the CISO—master of distilling lots of ambiguity and unknowns into something remotely resembling a sane risk-based perspective,” writes Dave Shackleford in TechTarget. “In many organizations, whoever performs the CISO role is a direct liaison to the technical side of security. He or she is responsible for translating arcane details into concepts that executives can grasp so that the company can make the best possible decisions in an increasingly complex technology landscape.”
So the next question becomes, what should the CISO do?
To a certain extent, the CISO is now wrestling with the same sort of conflict that the CIO had to start dealing with a few years ago: Are they the person responsible for the nitty-gritty technical work, or are they more responsible for policy? And, as with the CMO/CDO/CIO wars of a few years ago, the CISO is peeling off functions that were traditionally part of the CIO’s job.
One of the issues companies are dealing with now is simply the question of to whom the CISO should report. While traditionally the CISO reported to the CIO, there are a couple of reasons why that might not be a good idea, according to a CISO panel held during the MIT Sloan CIO Symposium, writes Cliff Boulton in CIO.
The CISO role is starting to transcend IT as it also becomes responsible for new technologies such as the Internet of Things (IoT), and with functions such as the security of contractors. “We don’t see a lot of CIOs who want to be responsible for the GPS’ in truck fleets, or smart doors and thermostats,” panelist R. David Moon, CEO of incident response consultancy TriPath Media, said. Some people feel that having the CISO report to the CIO is an inherent conflict of interest because the CIO is trying to reduce costs, while the CISO is trying to improve security.
Another panelist noted that reporting to the board on a monthly basis gets awkward, as the board asks him whether he gets all the resources he needs and what’s keeping patches from being installed faster. “My response is, that is not a question for me to answer; that’s a question for the CIO, because I’m not responsible for patching—that’s the operational element,” State Street CISO Mark Morrison said.
Consequently, among the organizations that do have a CISO, a number of them treat the CIO and CISO as independent positions, each reporting to the board.
Some organizations take it a step further. Consultancy Booz Allen Hamilton went so far as to have the CIO report to the CISO, writes Eric Chabrow for BankInfoSecurity. “The nature of Booz Allen’s business—advising businesses, the military and government clients on matters regarding national and information security—requires it to demonstrate the importance of security in its operations,” he writes.
CISOs aren’t easy to find, and they can afford to be picky. “Before accepting an offer, some applicants want to be sure the board agrees that breaches are inevitable, and that they need to allocate a high enough percentage of the budget for information technology to security,” writes Nicole Perlroth in the New York Times.
That said, the CISO isn’t an easy job to do. “Chief information security officers have one of the toughest jobs in the business world,” Perlroth writes. “They must stay one step ahead of criminal masterminds in Moscow and military hackers in Shanghai, check off a growing list of compliance boxes and keep close tabs on leaky vendors and reckless employees who upload sensitive data to Dropbox accounts and unlocked iPhones.”
It can also be difficult to prove one’s worth and demonstrate the business case for security, writes Hadrian Engel, manager of the Security Program Management Team for Veracode. “Traditional ROI models often focus on proving that ‘something bad didn’t happen’ instead of demonstrating that the program is providing value for the company—and therefore deserves higher levels of funding,” he writes.
Consequently, despite its importance, being CISO is seen as a thankless job, according to the Ponemon study. “Many of the chief information security officers who took part in the Ponemon study rated their position as the most difficult in the organizations,” Perlroth writes. “Most of those questioned said their job was a bad one, or the worst job they have ever had.” CISOs often end up leaving after a breach, or even without one. “The job is so pressured that many end up leaving—voluntarily or not—after two years,” she adds. “This compared with chief executives who stick around for 10 years on average.”