WASHINGTON, D.C. -- What's the biggest change for today's chief information security officers? These days, they're often in charge of keeping their bosses out of the slammer.
"Now ROI tends to mean risk of incarceration," said John O'Leary, educational director of the Computer Security Institute and moderator of a panel discussion about the changing role of the CISO at the CSI 32nd annual Computer Security Conference.
Panelist Bill Hancock, CSO of Savvis Communications Inc. in St. Louis, said more organizations are interested in having a CISO position because it's becoming more burdensome to comply with U.S. government regulations such as SOX and HIPAA.
Said Hancock, "Executives are saying to [CISOs], 'How do I keep from going to jail? How do I keep from getting fined?'"
However, an attendee from an Illinois-based manufacturing firm who declined to be identified said that in reality, compliance isn't as important to the day-to-day role of the CISO as some may believe.
"Compliance is a hammer to use to beat executives over the head with when you're not getting the cooperation you'd like," he said.
While managing compliance is a significant challenge in some cases, the attendee added, it's one of many important tasks that come with the job.
Still, panelist Terri Curran, director of IT for Framingham, Mass.-based Bose Corp., said an increasing amount of her time is spent dealing with compliance, and she worries that CISOs will spend too much time on it and lose sight of security. "I don't know how to achieve that balance yet," Curran said, noting that CISOs shouldn't ever lose sight of compliance or security.
Adding to the complexity of the issue is the ongoing debate regarding what the CISO should and shouldn't be responsible for. Panelist Jennifer Bayuk, CISO for New York-based Bear, Stearns & Co., said the most any CISO can do is work to prevent unauthorized access to sensitive data.
"If someone with authorized access walks out with sensitive data," Bayuk asked, "what can you do?"
Yet the panelists agreed that CISOs are commonly being asked to take responsibility for any security-related issue in an organization.
"I see many things falling under the CISO umbrella, if we're willing to take them on," said panelist Jack Jones, CISO with Nationwide Investment Services Corp. in Columbus, Ohio.
The speakers noted that the CISO is often asked to assume responsibility for physical security, as it becomes more intertwined with information security; product security, such as ensuring safe transportation of goods and tracking them throughout their journey; and duties that, in larger enterprises, are handled by the chief privacy officer and chief risk officer.
Hancock said while working for Exodus immediately following the company's merger with Cable & Wireless, he assumed responsibility for security throughout the organization, which meant many problems landed in his lap.
"I had people from Bermuda calling me up and screaming about security problems," Hancock said, "and I had no idea what they were talking about."
The panelists also discussed whether the CISO should be a part of the IT command structure or more closely aligned with the CFO or other executives removed from the tech trenches.
It's a complicated issue, Jones said, because the CISO is often charged with bridging the gap between executives, who are essentially risk managers, and security pros, who mitigate risk.
"[Executives] see our world as something weird and mysterious," Jones said. "As long as we have this misalignment in terminology, I think we'll be really challenged."
Bayuk said CISOs should focus on providing executives with input in a structured way, rather than trying to decide what is and isn't a business risk.
On a related question, is the CISO job a stepping stone to eventually becoming CEO? The panelists agreed that the two roles are very different, though there are some shared management components.
Still, Bayuk said that in a financial company, for instance, a CISO might have luck moving up through the controller's office.
"If you work on fraud and can get your MBA, you can learn all about how a company really works," she said. "From there, you can become CFO and then CEO."