Hampered by image problems, CISO roles require transformative approach

11 June 2013

By examining how IT and information security have adapted over time, Gartner analyst Paul Proctor explained why CISOs and risk management professionals must change their roles from “defenders” to that of risk assessment advisers to grapple with future threats – and save their own reputations.

Adjusting to new realities has been a hallmark of information security professionals over the past few decades, and it is a lesson that will serve them well going forward, explained VP and senior analyst Paul Proctor during the opening keynote at this week’s Gartner Security and Risk Management Summit in National Harbor, Maryland. The “adapt or die” mantra is hardly a new recommendation, but it still applies in a world of rapidly changing technology.

Proctor, who is the chief of security and risk management research for the analyst firm, was joined by fellow Gartner analysts Christian Byrnes, John Wheeler, and Andrew Walls, as they walked the audience through security and risk management’s past, present, and future. The real-time collection of information, and the pervasiveness of continuous analytics, are both the present and future of information management – and the problems these pose to information security professionals will only expand as this process accelerates, Proctor noted.

“A past that demonstrates adaptability. A present that challenges. A future that defies any reasonable expectation of managed risk”. This is how Proctor characterized the current challenges facing security practitioners. “What we’ve learned from the past is that our profession has always had to adapt – and we have.”

The Gartner analyst then listed four scenarios, based on the firm’s insights, that organizations will experience over the next decade: regulated risk (governments leveraging regulation to protect enterprises and themselves); coalition rule (continued attacker focus on the enterprise, with de-emphasis on central authority as rules and regulations are seen as ineffective); the controlling parent (the government will step in to protect the individual); and the ‘neighborhood watch’ – or anarchy (decreasing regulation signals that government intervention will not materially impact the targeting of individuals).

“If these scenarios seem extreme”, Proctor continued, “we have evidence that each and every one of them is happening right now”. He said organizations need to take pause and consider the combinations that affect them.

“There is no such thing as perfect security”, he added. “Risk posture is a choice – you can either spend more money and experience less risk, or spend less money and experience more risk”. Each choice determines where an organization sits on the “four points” continuum, and depends on these money vs. risk assessments.

“Choosing to save some money and incur more risk is a legitimate business choice”, Proctor said. “CISOs are their own worst enemy when they position themselves as the defenders of the organization because it lets executives escape accountability. The failure is allowing the executives to live there without making a conscious choice.”

The solution to this common problem, he asserted, is for CISOs to stop begging for additional budgets, and instead to explain the risks clearly, and require that their executives make these risk-reward decisions based on the information provided. “Explain this reality to the decision makers, and ask them to commit to their choices about where they want to live on this continuum”, he implored. “CISOs must have the ability to translate [these risks] into reality”.

Proctor reiterated that the role of a CISO is not to defend an organization, nor did he claim that CISOs and their equivalents should take a passive role in the decision-making process. “We are the facilitators of a balance”, he said, “between the needs to protect an organization and the needs to run the business”. It is through this strategy that CISOs and risk management professionals can be viewed in a more productive light, rather than as convenient scapegoats when a security incident occurs.

The Gartner VP also touched upon a common refrain often found at such industry events: the need for CISOs to understand business requirements and become enablers. “You don’t have to go to business school”, Proctor told the audience, “but you need to understand your own business”. And because there is “no such thing as perfect security”, he reiterated, it is the job of the CISO to convey this to their board.

“You don’t control the threat”, he concluded, “but you do control the organization’s readiness”.
