CISO Then (2003) and CISO Now (2013)

Ten years ago, we were returning our VHS tapes to the video store, rewound to avoid extra fees...how times have changed, and changed yet again

It is only when we examine technology evolution over the past decade that we realize how much times have changed. Ten years ago, we were returning our VHS tapes to the video store, rewound to avoid extra fees. We drove to our summer destinations unfolding large maps in the passenger seat, making wrong turns and missing freeway exits. We assumed bringing our clothes on a trip was included in the price of an airline ticket. We never seemed to have a camera or camcorder with us for taking that great shot, and the round, portable CD players were almost as ‘cool’ as a rare $9,000, 50-inch flat-screen plasma TV. In 2003, a cell phone was used only to make a phone call or send an SMS.

Just as technology has evolved, the chief information security officer (CISO) role has changed significantly over the past decade. “I don’t recall if ‘CISO’ existed 10 years ago”, remembers Jon Ceraolo, CISO at 3Cinteractive. The CISO role was, and still is today, filled by people holding titles ranging from information security administrator to vice president, officer and CISO.

Those 500-plus Monday mornings presented different issues over the years, and each contributed to the perception and practice of the CISO role as it is today.

The early 2000’s brought a wave of security regulations designed to close gaps in multiple vertical markets, such as the protection of Federal government records, financial customer records (Gramm-Leach-Bliley Act Safeguards Rule, 2002), healthcare records (HIPAA Final Security Rule, 2003), critical infrastructure (Homeland Security Presidential Directive HSPD-7, 2003), financial reporting (Sarbanes-Oxley Act, 2002) and payment card processing (Payment Card Industry Data Security Standard, 2004). In addition, there were accompanying privacy-focused regulations, including breach notification laws and the European Union E-Privacy Directive (2002), the latter of which continued the significant work of the EU Data Protection Directive (1995).

As systems became more automated and information became more aggregated, there was growing concern by regulatory bodies that the information was not being adequately protected. Newspaper headlines of data losses were causing the C-Suite to ask the questions, could this happen to us? Are we secure? Will we go out of business if we’re breached?

Ask IT

The problem for many organizations prior to this period was that the information security role was still predominantly viewed as an ‘IT thing’, providing logon IDs, passwords, systems access and maybe some disaster recovery. Like them or not, security regulations were beneficial. They forced organizations to pay increased attention to security. Fear of penalties or data exposure may have been the initial catalysts, but the continued attention was due more to the policies and procedures that were being established.

Many of the regulations required the appointment of an information security officer or someone with security oversight responsibilities. The type of person who should fill that role, and to whom they should report, became a hotly debated topic. Organizations moved the information security officer around from IT to legal to compliance to risk to administrative services departments, and so on, or combined physical and systems security together.

The coveted (ISC)² Certified Information Systems Security Professional (CISSP) credential became a differentiator for recruiters looking for a defensible standard to screen applicants with, as only several thousand had been issued in the early 2000’s, compared to over 90,000 (ISC)² members today. The ISACA Certified Information Security Manager (CISM) was not available in 2003.

Between 2003 and 2008, most organizations understood that having someone in charge of information security was a necessary evil, especially in compliance-driven environments such as finance and healthcare. Keeping out of the newspapers began to be viewed as a cost of doing business. Security budgets increased during this period, although spending was approached more like an insurance policy than a strategic enabler. Companies became good at checking the security compliance box. GRC (governance, risk and compliance) became a new buzzword; however, because of the cost of GRC tooling, many companies still practised ‘security by Microsoft Excel’, manually mapping ISO 27001 controls to COBIT to NIST SP 800-53 to PCI DSS, and so forth.

Consumerization is King

The years 2008 to 2013 saw a major shift in social interaction and the workplace. The consumerization of IT was brought on largely by the millennial generation, born 1981–1995, who brought their smartphones, tablets and other devices to work. They spurred the mobility and bring your own device (BYOD) phenomena, with non-standard devices and insecure applications now connecting to the company’s network.

Cost efficiencies and speed achieved by desktop and server virtualization, cloud computing applications, and off-shoring increased the need to review security from a business risk perspective rather than an IT control perspective. Facebook grew substantially through this period, as did other social media sites such as Twitter, LinkedIn and Tumblr. Consumer online backup and file transfer services, now carrying company data, had to be dealt with. Wireless internet became ubiquitous and expected.

This period was substantially different from the previous five years, because although regulations still demanded compliance, the security role truly became more about being an enabler. According to Bill Sieglein, founder and CEO of the CISO Executive Network, “The CISO of today has morphed into a person with stronger knowledge of the business and risk management.” He adds that as more IT functions move outside of the company, the “security executives have become more like lawyers and contract administrators than just an IT security guy.”

Soft Skills, Solid Results

The ‘CISO soft skills’ illustrated in the book CISO Leadership: Essential Principles for Success (Fitzgerald & Krause, 2008) and the concept that security needed to be deliberately established and communicated across every level of the organization, as expressed in Information Security Governance Simplified (Fitzgerald, 2012), were becoming critical job requirements for the modern CISO. Without these ‘soft skills’ – collaboration, influencing, written and oral communication, and ability to lead change – the efforts would not get the attention and traction required to promote security solutions that reduce business risk.

Marci McCarthy, CEO and president, T.E.N., further amplifies this change by noting, “I have witnessed the profession’s transformation and evolution of the CISO role from the unknown techie working in the back office to the CISO as the ‘go-to person and leader’ for boards, customers, management teams and other important stakeholders. This is a significant and powerful change.” Over 10,000 security executives and professionals have joined her Information Security Executive programs since inception in 2003.

Chasing the Threat

The threat environment is also escalating. In 2003, concerns focused on viruses, while today’s threat conversations are about more insidious and pervasive dangers, such as advanced persistent threats, malware, phishing of end users, and the sophistication of nation-state and organized crime actors, along with the responses they demand: threat intelligence monitoring, end-user phishing awareness training, and the role Big Data will play.

Today’s CISO discussion is centered on the business’ vision, value creation, and risk management. Travis Hyde, whose company works with CISOs to become ISO 27001-certified, says, “many CISOs nowadays have a stronger understanding of aligning the business vision to the vision of their security program and are becoming better at selling security program[s].”

The CISO of 2013 and the future must embrace the fact that the real job of the CISO is to clearly articulate the risk to the business, provide options, and manage the residual risk. The data perimeter has moved beyond just the USB drive into the cloud, tablets, smartphones, automobiles, home automation, and even our future eyewear.

The people perimeter has moved as well, as many of us have the desire and require the ability to work wherever we are, and not necessarily in the office. Today’s CISO needs to be intimate with privacy laws and well-versed in security’s contribution to providing confidentiality of the information. The CISO should pretend for a moment that s/he knows nothing about technical security details and ask the questions: Where is the data, who would want it, how will it damage my business if lost or compromised, and how much will it cost to protect? Businesses face risks every day; security is just one. Business leaders today rightly expect CISOs to understand risk and lead their organization to spend just the right amount of money.

The future is bright for CISOs, considering this is still a very young field. In 2012, execrank.com published its first ranking of “Top Security Executives”. Today’s CISO has access to many networking groups, roundtables, conferences and ways to share information that did not exist for this community 10 years ago. Ten years from now, the CISO may still be drinking his or her coffee black, and facilitating business risk discussions on data stored in technologies that have not been created yet, supported with a clear career path encompassing leadership, legal, privacy, marketing, and finance competencies.


Todd Fitzgerald is the global director of information security for Grant Thornton International. He is a member of the Lake County, Wisconsin, chapter of (ISC)² and the (ISC)² Journal editorial board. Fitzgerald co-authored both the (ISC)² book CISO Leadership Skills and the infosecurity and risk management chapter for the (ISC)² CISSP CBK.
