Information Security the next generation

Outward facing

The first attribute that a Next Gen CISO needs is to be outward looking. It helps of course to be acutely aware of the challenges faced by other organisations and changes in the market landscape. However, the outward looking CISO needs to be much more than that. They need to be able to engage with, and understand, their organisation’s customers. This should involve working alongside the sales force and channel partners. Why? To understand and appreciate the commercial challenges of any organisational security issue it really helps to see the impact it has on customers.

Risk in context

This outward perspective assists with another attribute for the Next Gen CISO, awareness of the business reward/risk spectrum. Good CISOs will already understand the risks being faced by their organisation and be aware of their vulnerabilities. But it is rarely their responsibility to decide if those risks are worth accepting, depending on the consequential impact on the business. Nor is this a decision for those who do have the business responsibility to take, without being fully aware of the facts.

The Next Gen CISO should be able to present the risks and consequences of different actions (or inaction) in the context of the consequences they will have on the business. It is no good simply presenting information about speed of patching, number of phishing attacks or level of malware exposure. These may be relevant performance indicators within the security function, but mean little in the context of the business overall. Neither should CISOs hide or diminish the risks being faced. The important thing is to make clear and transparent the impacts that different security issues will have on specific aspects of the business. This is about putting security and risk into a clear and understandable business context.

Employee engagement

As well as reaching out to customers and fellow C-level staff, the Next Gen CISO needs to be able to engage with employees from across the organisation. Security is not a pinpoint issue that affects only certain individuals or business processes. All roles have some element of security and risk for which they have to accept some responsibility. It might have seemed fine at one time to focus this in the hands of one individual, but that is too onerous. The risk then is the default reaction is that individual would be overly defensive and too often say “no”.

The Next Gen CISO needs to be able to understand business progresses and empathise with the challenges faced by those that undertake them. This helps spread involvement and understanding of the importance of security and what everyone needs to do, to the widest possible audience. By reaching out and engaging with fellow employees, the Next Gen CISO is also extending their threat intelligence and impact assessment information network.

Embedding understanding

Building understanding and changing behaviour towards security across the organisation then becomes a realistic goal. But this is rarely accomplished with tick box assessments or tedious training courses. Computer based training can play a part in building awareness, but risks downplaying the importance of specific security threats. A Next Gen CISO will enthuse and engage using more pervasive training models. These will include simulation and live role play to ensure the security message hits home and remains embedded in the organisational culture.

Conclusion

The CISO role may be built around information and security. But it is delivered through a passion for protection that aligns and fits closely to the needs of the business. The Next Gen CISO needs hybrid attributes to which many management roles should aspire. That and an ability to assess the value of technical aspects, with a realisation that success will depend on human ones.