Infosecurity Europe 2012: the rising role of the CISO

But the first point was that 'CISO' is a title not always used. It describes the head of information security: someone who normally reports to the chief information officer (who may or may not be on the Board), who in turn may report to the chief finance officer (who is certainly on the Board). Precise names may differ between companies, but the function is always the same.

One thing the CISO doesn't normally do is sit on the board itself. "And rightly so," said Network Rail's Gibbons. "The board reports to the shareholders; but security doesn't – it reports to the company." Yell's Cracknell agreed, but stressed the need for close representation on the board. "Whether that's through legal or finance will depend on the nature of the business. Only where security is fundamental and core to the business itself, such as banks, may this be different."

Both agreed that CISO and CSO are very different roles. For Network Rail, the chief security officer is involved with things like anti-terrorism, which is very different to protecting data. "The CSO tends to look after physical security," agreed Cracknell. "It may be starting to converge in areas such as facilities management and physical access to buildings, but it's still separate to the role of CISO."

One area that might surprise the information security pundits is that both of these CISOs have a negative attitude towards user education as a means of improving security. "It's a difficult one," said Gibbons. "The main purpose of 'education' is to get user buy-in; and I don't think 'education' is either the right word or the right method to get this."

"Gone are the days when we could say, 'thou shalt not do this...'" agreed Cracknell. "We're all grown up now." Awareness is different. "I definitely believe in promoting user awareness," he said. "The way we do that is through humor – a series of videos that are a cross between The Office and Comedy Central and designed to spread virally through the company. If someone says, 'Here, you've got to see what this guy says about passwords!' then it's a success."

But then the ultimate question: where next for the CISO, or is it already the top of the tree? Gibbons believes there is a further career path, perhaps through risk management and ultimately to board level in insurance or company secretary roles. Cracknell, however, is happy where he is – although stressing that he seeks to escalate the role of CISO within the company. His view reflects that of many security people: there is a buzz, an intellectual excitement, inherent in information security.