We recently ran some articles based on interviews with the new board members of (ISC)2, where one of the discussion points was the redefinition of the role of chief information security officer (CISO).
In the first article, it was acknowledged by the new chair Wim Remes and new secretary Dave Lewis that there is a danger that the CISO could be out of touch, or unable to fit in the skills that sit at the ends of the security spectrum.
In the second article, Lewis said that the CISO position is the typical “swim lane” for security professionals and it is “a very difficult position to have and a very central position”. He said: “Realistically what I would love to see is that position no longer needed in the future as security is welded into every position in an organisation.”
So is the future of the CISO really under threat, or can it survive in a new guise? I asked some of those who had done, and were still doing, the job where they saw the changes happening. Mark Brown, formerly CISO of SAB Miller and now director of information security at EY, said that he felt that the industry “has a lot of growing up still to be done”.
He said: “The CISO role has expanded and become much less about technical bits and bytes, and much more about strategy and big-picture thinking. The CISO is now required to play their part alongside C-suite colleagues helping to decide how the organisation does business. Improve loss prevention and you will have demonstrably helped the CFO and COO. Improve investigation and incident management processes and you are assisting human resources, legal, auditing, and so on.”
CISO Amar Singh, who is also head of the UK chapter of ISACA, said that the CISO role has mostly been and probably remains the role of the unsung hero, or someone “who is expected to be the techie guru and the executive who, only when circumstances demand, is able to stand in front of the CEO or the board and explain the reason for his/her organisation’s breach”.
He talked up the concept of a “hybrid CISO”, who can be communicative and articulate in business-speak, is technically competent, politically astute and comfortable with both management and technical skills.
He said: “Having been in this and similar roles and met several peers, part of the problem may be something really simple. It may be that ‘information security’ lends a technical context to the CISO title, thus leaving the CISO languishing in the IT realm. Sadly, IT folks themselves are not too fond of the inquisitive, meddling multi-jacketed jack of all aces, and the result? A homeless executive who, in many cases, ends up struggling to find a permanent home.
“A simple tweak may end up making a big change. Taking Information Security out of the CISO and replacing it with Risk (as in CRO) or Privacy (as in CPO) may award the title the relevance and the significance it deserves. Alternative titles to consider could include Chief Information Governance Officer. Now there will be those of the opinion that say ‘What’s in a title?’
“Although I am not much of a stickler for titles myself, I do sometimes counter that argument by asking the relevance of the CEO or CIO title? In my opinion, it is a business imperative to accurately describe the responsibilities of the CISO role and if that requires a sensible title change, so be it.”
John Theobald, CISO of NTT Com Secure, said that the reason that the CISO interests so many people is because no-one really knows what it involves. “You know what the CFO does, but the CISO in every company is different. You can try to do too much and things are thrown at you that half the time you can’t deal with and the success is dealing with it,” he said.
He said it has become more of an operational risk role and it doesn’t matter what risk it is, the CISO will manage the risk regardless.
Remes said that he saw the CISO turning into a risk professional rather than a technical person, and Theobald said that a CISO will take a view of the whole business from a risk point of view. Often, however, a CISO is appointed when things have gone wrong, and someone is selected either internally or from a consultancy to manage and navigate the way out.
Recent research by 451 Group found that 53 per cent of security teams employ ten or fewer full-time information security professionals, while in the 42 per cent of organisations where security is a separate division, 65 per cent of those divisions reported to the head of information technology, typically a CIO. Theobald said that in his previous role he had 60 people; now he has 6-7 and is working with companies that have around 15 people. “But the role changes too – some call it CISO, some CSO, some head of IT security. It is a changing role.”
Stephen Bonner, formerly managing director of Barclays Information Risk Management and now a partner at KPMG, said that this is a changing world and a competitive environment, and people in senior management are not going to understand security. “It’s not going to be like understanding accounting or law, they don’t have to be professional at it necessarily, but those who don’t understand it and don’t get it and don’t manage risk – there’s a maturity about thinking about it,” he said.
“There are plenty of people for whom CISO was the destination and plenty are very happy there, but many CISOs I know have started having their remit expanded to take on other parts. They help run supply management, business continuity, physical security and other risks to become a risk professional. The roles are growing because the skills are so relevant to other disciplines.”
I asked Brown whether the CISO is truly dead, or being regenerated. He said that he saw a new breed of CISO, someone who is comfortable at the confluence of business and technical skills.
“Through achieving this confluence of skills, as an industry we may be able to finally sell the benefits of what we do to our boards. Furthermore, through our understanding of risk management rather than policy based compliance, the CISO could actually transcend further, to be recognised as a true business strategic leader of the future, operating extensively outside the traditional comfort zone of IT,” he said.
Brown called this a vision, and if we are unable to meet the challenge, we may lose the ‘C’ title and be relegated back to the position of IT security manager.
“My personal view is that the CISO will probably struggle to move all the way to the top job. Instead, I see the opportunity for the CISO to transition into a CRO or COO role more appropriate to their skill set.”
The word risk is more and more prominent as I talk to CISOs and security professionals, and it seems that risk assessment is less something talked about and more something done. Is it done? Will the CRO rise? Or will it be another job for the CISO? As we try to define the role of the CISO, perhaps we need to add risk assessor to that list of tasks and skills.