How the role of CISO must evolve to balance risk and business

Business success depends on balancing the demands of cyber threats and compliance with innovation and growth, but how should the CISO role be evolving to meet business needs?

Business success increasingly depends on the ability to balance the demands of cyber threats and regulatory compliance with innovation and growth, making whoever is in charge of information security a key player – but how should this role be evolving to meet business needs?

The emerging consensus is that it is no longer enough for the person charged with responsibility for information security – whether they are a chief information security officer (CISO), chief information officer (CIO) or a member of the IT team – to simply manage security controls.

New skills for the CISO

In the not so distant past, successful CISOs or their equivalent in smaller organisations merely had to define technical standards and security policies, validate security controls to the regulators and assure customers their personal data was protected.

Since 2008, however, there has been a growing demand for a new set of skills, according to Neira Jones, head of payment security at Barclaycard.

In general, these skills include the ability to communicate with the board and managers in various parts of the business; to run security as a business; to eliminate redundant controls; and to work with the business to enable innovation and growth.

More specifically, the CISO needs to evolve from an isolated subject matter expert and analyst to a trusted advisor on how technology can improve business; to an integrated business thinker, facilitator, leader, evangelist and educator, says Jones.

Communication is a key area of evolution, where CISOs need to find the right language to secure investment. Instead of using technical terms, CISOs need to express challenges and solutions in terms the business will understand, says Jones, for example the financial cost of server downtime.

CISOs must manage risk

Risk is another key area of evolution. The CISO must move from being a technical risk expert focused on the risk of loss to someone who makes risk a more central part of the role, understanding business priorities while continuing to maintain the corporate moral fibre.

This involves taking risks to meet business objectives, but this can only be done successfully with a thorough understanding of the risk appetite of the business involved, says Jones.

This can be especially useful in the face of increased demand for consumer-style devices in the corporate environment. If a board member wants to use a personal iPad to access business applications, instead of saying “no”, CISOs should educate the board member about the associated risks and have that person sign a document that says they understand and accept those risks.

But understanding the appetite for risk, managing IT provision accordingly and educating the business about emerging threats that may increase risk in any given area is only part of the new approach to risk that is required, says Bob Tarzey, analyst and director at Quocirca.

An equally important component of this, he says, is the CISO’s ability to identify where the business is missing opportunities – either by being too risk-averse or through worrying too much about risks that were a real threat once, but can now be mitigated with relative ease.

With these kinds of skills and key approaches, says Jones, the CISO can establish undeniable credibility in business and the information security world, enable competitive business activities and strengthen relationships with the heads of privacy, risk, audit, human resources, legal and everyone else with a vested interest in the business.

The CISO in transition

To what extent have existing CISOs or their equivalents made the transition?

In the absence of any hard research, Tarzey says he suspects too few have made the move from controllers to enablers – but make the transition they must, says Jones, one step at a time, starting with the basics.

For example, in March 2011, SQL injection attacks were officially ten years old, yet 97% of successful data breaches could still be traced back to this form of attack. “This is unacceptable,” says Jones.

CISOs should start by looking at:

  • How employees are able to take information out of the organisation;
  • If access to information is limited to only those who need it;
  • What type of attackers would be interested in a particular organisation’s data;
  • What data they are likely to target; and
  • What the business impact of a data breach would be.

CISOs also need to consider: how difficult it would be for an attacker to move from a compromised web server to sensitive data and take copies of that data; how quickly the organisation would be alerted to a data breach and be able to stop it; and whether there is a regularly tested incident response plan in place.

Understanding the risk is essential, says Jones. If a CISO makes risk management the objective, compliance will follow naturally. “Don’t spend £100 protecting a £1 asset. Know your risk, select the right partners, fix the basics and be prepared,” she says.

Equally important is to avoid quick fixes and working in silos. Next, automate as much as possible. “Compliance risk management cannot be done on a spreadsheet,” says Jones. “Finally, educate, educate, educate.”

The CISO role has been around for less than 10 years, says Tarzey. “Many have grown into the role, but now that it is seen as a career, more and more people are preparing for the role with training and on-the-job experience,” he says.

For this reason, the individuals moving into the CISO role over the next 10 years will be better prepared for the job than their predecessors.
