CHICAGO -- The CISO must learn to hand over the bits 'n bytes to system administrators and focus on big-picture projects. He or she also should recruit human resource personnel to help push policies and help security soak in at the workplace.
At the same time, argues Bank of Montreal Vice President and CISO Robert Garigue, top security managers must share more information to determine what's ahead for network threats and protections.
"We have to get away from this notion of being the hit man to being the guy who lets the sysadmins handle the tools and [instead] tells people what they don't already know," Garigue said during a speech entitled "It's the End of the CISO As We Know It (And I Feel Fine)" at Friday's Information Security Decisions conference.
Garigue told delegates that infosecurity officers must move toward being regarded as thought leaders and less like in-the-trenches technologists to gain more credibility with chief executives and to persuade boards to invest more in security.
"You just have to learn to let go," he told the audience of primarily security managers.
Moreover, the CISO can gain more cooperation from employees by working with HR departments to promote best practices and enforce security policies. It's the CISO's job to designate risk levels and then apply controls, he argued. But beyond metrics and evaluations must come actionable items that the HR department can help reinforce.
"These things don't happen fast," he warned, especially for larger organizations. "They take a long time, but a dialog has to be there. You have to engage them today."
Garigue manages security for Canada's oldest bank, which has $256 billion in assets, employs 34,000 and processes several million transactions per second. What CISOs should be doing, he argued, is looking to future needs as corporate network ecosystems continue migrating from a traditional infrastructure that protects network perimeters to an "infostructure" that guards individual applications and data assets within that system. "Think of the risks ahead because the ones we manage today are not the security issues of tomorrow."
To keep ahead of the curve, security officers must share what they see happening in their own environments, rather than continue operating in silos. "Sharing knowledge is one of the most important elements of our survivability rate. "