Not too long ago, people thought of the chief information security officer (CISO) – if the organization had one at all – as the individual responsible for cleaning up computers, setting password policies and administering the firewall; basically one of the IT guys. They also found that the CISO said ‘no’ a lot of the time. However, the recent economic downturn and the increasing risk of security breaches, some of which have brought about the demise of a company, have elevated information security and cyber threats to a C-suite issue.
The Changing Role of the CISO
Through harsh reality, the CISO role has expanded and become much less about technical bits and bytes, and much more about strategy and big-picture thinking. The CISO is now required to play their part alongside C-suite colleagues in helping to decide how the organization does business.
While the elevation of the CISO to a true executive role is a welcome trend from my perspective, a more worrying one is the inability of the CISO community to step up to the challenge put to it. The role of the CISO has evolved into one of high-level business risk management, where the answer ‘no’, although on some occasions the right answer, will not always be tolerable for executive management.
The role of the CISO has become that of a true business leader first and foremost, whose specialist understanding is technology and information management. CISOs are required to forge strong connections with other departments, specifically on issues of wider information-based operational risk, which should be managed pervasively and proactively across all departments within an organization.
Improve loss prevention and you will have demonstrably helped the CFO and COO. Improve investigation and incident management processes and you are assisting human resources, legal, audit, and so on. Here we need to learn from the successes of our physical security counterparts and the business continuity community, who are readily accepted into all parts of the organization.
Continued ambivalence and intransigence toward moving beyond the technical realm often hampers our ability to reach the new heights expected of the information security profession. This, in turn, raises the question: do we need to look at our talent pool and identify where the next generation of CISOs will come from?
A Vision for the Future
Can our existing industry professionals truly move through the ranks of technical management to business management, or are the skill-sets too disparate to join together? Without being ageist in any way, are those already established in our industry able to change their ways to operate at the C-suite level, or is a changing of the guard necessary to deliver on what is demanded of us by our CEOs?
This calls into question what is being taught to new entrants into the profession and what skills they need. A simple straw poll would indicate that most CISOs would not understand terms such as gearing ratios, weighted average cost of capital (WACC) and net present value (NPV). Nor would they be able to document a three- or five-year strategy and business plan with total cost of ownership (TCO) and return on investment (ROI) readily calculated.
Indeed, given that we have spoken techno-babble to our boards for the past 30 years, is it not time for us to learn to speak their language for a change? Will business skills, not technical skills, be the major driver in the future?
Not only is this surely the case, but the lingua franca that will enable CISOs to truly engage with the C-suite is the language of risk management. Businesses exist to make profits, and to make profits businesses accept risks every day they operate. If we are truly serving the needs of the business, we need to become risk tolerant rather than risk averse: going into things with our eyes wide open, and accepting risks knowingly, within an appetite the business has agreed, rather than refusing them by default.
Doing so will require us to re-examine how we educate our industry in business skills, with a primary focus on the next generation of information security professionals.
A vision of a new breed of CISO, comfortable at the confluence of business and technical skills, is the end-state. By achieving this confluence of skills, we as an industry may finally be able to sell the benefits of what we do to our boards. Furthermore, through an understanding of risk management rather than policy-based compliance, the CISO could go further still, to be recognized as a true strategic business leader of the future, operating extensively outside the traditional comfort zone of IT.
This is only a vision, yet as a profession we are at a significant crossroads. If we are unable to meet this challenge head on, we may, in effect, dig our own graves and have the ‘C’ title so many of us enjoy removed, relegated back to the position of IT security manager. Our gravestone and epitaph will then simply read: “Here lies a CISO – the CEO said no”.
Mark Brown is a director in Ernst & Young’s UK & Ireland Risk Advisory team and leads the Information Security practice. He has 19 years of operational experience in this field. Brown assists clients with the development of security strategies, transformation programs, privacy, data loss prevention, business continuity management, information security control governance frameworks, and the design and implementation of IT controls.