It was fun to be in the dock as one of the defendants in the mock trial of A N Corporate at Infosec last week. I acted the role of the hapless and rather impotent CISO working for an overbearing CIO. There was a serious point to the exercise though – those barristers were playing for real and the legal terminology was all correct. The sentences handed out to the CIO and CEO, who were found guilty under section 450 of the Companies Act of destroying documents, reflected what would have happened in real life.
It shouldn’t come as a surprise that there might be confusion as to the role of the CISO. It’s a role that has quickly evolved from being technical and focused on IT to one that’s strategic and focused on mitigating business risks across the full scope of information security.
My own role encompasses all aspects of managing risks to data and is, I’m pleased to report, far more respected than the part I played at the mock trial. But I’ve often had to push hard to put security on the agenda, and I think some of the more traditionally minded individuals in the organisation were taken aback by what I put on the table as being within the scope of my responsibility when I first took on the role.
The role of CISO is evolving, and in fact I think that within a few years from now it’ll probably no longer exist at all. Large organisations are going to require individuals whose role focuses on managing risk and compliance. The traditional view of the CISO as a technical IT security specialist is very soon going to be as outdated as those who still hold that view!