The future role of the chief information security officer (CISO) was discussed in a lively debate at Infosec Europe 2012 this week, as industry experts and delegates considered the growing prominence of the position.
Chaired by Quocirca analyst Bob Tarzey, the discussion panel included Phil Cracknell, head of global security and compliance and director of infrastructure at Yell Group, and Peter Gibbons, head of information security at Network Rail.
The panel kicked off by describing the CISO as someone who usually reports to the chief information officer (CIO), who in turn reports to the chief finance officer. The term CISO may not always be used, but according to the panel the function remains the same.
The panel then asked: if the role of the modern CISO is evolving, what does the new breed of CISO look like? In short, a corporate-savvy individual who can communicate the return on investment (ROI) to the board, while establishing security in the overall risk portfolio and garnering stakeholder engagement across the business.
Network Rail’s Gibbons said the CISO role is less about security and more about risk nowadays.
Should there be a place for the CISO on the Board?
During the keynote a member of the audience asked if there should be a place for the CISO on the board, as currently the role does not have a seat in the boardroom: “And rightly so,” according to Gibbons. “The board reports to the shareholders; but security doesn't – it reports to the company,” he added.
Cracknell agreed, but stressed that the CISO should at least be represented on the board: “Whether that's through legal or finance will depend on the nature of the business. This might be different where security is fundamental and core to the business itself though, such as banks.”
Where to now? Is the CISO a dead-end role?
The audience wanted to know where the CISO can move next, if they are at the top of their career tree. Gibbons suggested furthering a career through risk management and ultimately on to board level, possibly in insurance or company secretary roles.
“Or you could move across to a chief risk officer or possibly operations officer. Here you can see how the business works as a whole,” he said.
Cracknell stressed that he is happy where he is, but wants to escalate the position of the CISO within his company: “The role has not finished fleshing itself out yet, but my role now is very different to what it was when I started as a CISO.
“The role will continue to unfold as more legislation hits and businesses become more regulated. You can either stay at the top of the tree as a CISO or possibly aspire to run your own business.”
Cracknell said many CISOs move to a role related to risk as it is not a major shift to make: “It’s still managing the protection of data, but just a different aspect.
“Becoming a chief risk officer from a CISO is more of a sideways step, whereas moving to something like a CIO would be more of a shift upwards rather than sideways.”