Being a figurehead in operations isn't enough; CISOs need risk management know-how.
Most CISOs I have run across are trying to build and maintain empires with hands-on operational employees, such as firewall administrators, intrusion detection specialists and forensic analysts. In most IT organizations, however, there already are well-established operations teams that cover network infrastructure, server and desktop administration, application development and maintenance, and other areas. As security has evolved from a niche discipline into something every IT professional should be aware of, it makes more sense to take a strategic approach by migrating similar operational functions into well-established groups that overlap with security. Trying to win the headcount war is a losing battle for security managers.
Even in larger organizations with big security staffs, many CISOs have very little political power. Research indicates this problem stems from a poorly defined role for information security management. Last year, Gartner released a study on the top five issues for CISOs; chief among them is the matter of whom CISOs report to, and who in turn reports to them. Most organizations place the CISO in the IT hierarchy. This invariably leads to the CISO being another operational player, with the same strategy for acquiring budget, headcount and attention from executive management.
Over time, information security operations will migrate to other areas of IT. Network intrusion detection and firewall management will move to network operations, server hardening and file integrity monitoring will fall under systems administration, and application security will be the responsibility of development teams. Where does this leave CISOs and other security managers? How can CISOs become real strategic players and not just security figureheads within IT operations?
For the last few years, we've heard CISOs need to improve their business skills. But many of today's security managers are lacking another critical discipline: risk management. As compliance initiatives become more ingrained in our business culture, and security is playing a role in most IT disciplines, there is a need for an internal "trusted adviser" who is able to translate the nuances of IT initiatives into real risk metrics. For example, security controls have traditionally been knee-jerk purchases or based solely on technical opinions and interest. Security management needs a more viable rationale for security design and implementation, as well as a more consistent framework for influencing business decisions and explaining why security is integral to business strategy.
A good friend who is a CISO explains the situation well. In his view, a CISO should really be called a CRO--chief risk officer--or report to one, and a major element of the position should be policy management--establishing guidelines and policies that adequately capture the organization's risk tolerance, and then working with operational management to ensure the policies are adhered to. The security profession talks a lot about policy these days, but we tend to omit that critical detailed risk analysis factor. Unless today's CISOs learn this important discipline and become adept at articulating it to senior management, the role of a CISO as we know it may very well become extinct.