This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
Download it now to read this article plus other related content.
For the last few years, we've heard CISOs need to improve their business skills. But many of today's security managers are lacking another critical discipline: risk management. As compliance initiatives become more ingrained in our business culture, and security is playing a role in most IT disciplines, there is a need for an internal "trusted adviser" who is able to translate the nuances of IT initiatives into real risk metrics. For example, security controls have traditionally been knee-jerk purchases or based solely on technical opinions and interest. Security management needs a more viable rationale for secu- rity design and implementation, as well as a more consistent framework for influencing business decisions and explaining why security is integral to business strategy.
A good friend who is a CISO explains the situation well. In his view, a CISO should really be called a CRO--chief risk officer--or report to one, and a major element of the position should be policy management--establishing guidelines and policies that adequately capture the organization's risk tolerance, and then working with operational management to ensure the policies are adhered to. The security profession talks a lot about policy these days, but we tend to omit that critical detailed risk analysis factor. Unless today's CISOs learn this important discipline and become adept at articulating
| it to senior management, the role of a CISO as we know it may very well become extinct.
This was first published in November 2007