Boxes and technology will not save the CISO of the present and future, but people and processes will.
Speaking to IT Security Guru, Art Gilliland, global security lead at HP, said that while the role of the CISO is changing to more of a management position with more responsibilities, more cooperation with employees will help defend the business.
Gilliland said that problems are often solved by investment in technology, and often challenges are solved with another box “and a new requirement to do something”.
He said: “A different way to approach the problem is to think about how we are attacked, as it has stages and most attackers are well-developed, and if we could build capabilities to add stages you can focus on the stages once the attacker is in your environment. What if they found other obstacles before they steal your data? There are some products to do this, but it is more about people and process.
“A technology is a capability, but look at it in a way in which a bad guy breaks in, they get in with stolen credentials so it looks like a genuine entry. Access is granted but look at what they access with the applications, data and behaviour and to track users, look at behaviour and information flows. Products do not make us secure, people and process do.”
However, this requires extra influence by the CISO within the company, not only in securing budget for staff but also in rolling out awareness schemes. Speaking at a recent event, Andrew Rose, principal analyst of the security and risk practice at Forrester Research, said that if you think of security as a business issue and not a technology issue, then the CISO has to talk business to the board.
Rose said: “The CISO has to strike a balance between talking technical and business, and be good at both. The problem is that most CISOs report into IT and will move out of IT and into support and some have fought hard to get the ‘chief’ title and don’t want to let it go.”
Mark Brown, director of the UK and Ireland information security practice at EY, said that the modern CISO is asked to be a business translator, showing the cost of uptime and downtime, and to be a market capitalist.
“This is what the CISO adds now, and talking with our clients there is complete dissatisfaction with what the security function is adding to the business, but the wake-up call is now a broader discussion on information security as the business wants to know about risk and talk about policy,” he said.
“The change will be put upon as CISOs change their title, as ‘chief’ and ‘officer’ are business titles, so you need to stand up and be counted as a business leader, or get out.”
Gilliland said that the role of the CISO has changed, and what has changed it is visible in the CISOs coming through the ranks: their knowledge is specific to security, but on the business side it is confused as to what drives the business, what they are doing and what makes them more efficient – often it is standards and compliance.
It is easier for us to ask for a budget increase, but if the risk bar is set low then you are always competing against an increase in efficiency and innovation. Are CISOs not advanced enough? Executives are encouraged by ISO compliance, but the challenge is that it is ticking the box, not building the capability to defend against attacks. What they detect is low, so effectiveness is low, and if we were more effective we would need to work differently. The CISO needs to convince the business about risk, build a capability to distract the attacker, and balance compliance requirements against the needs of the business.