
CISO job description: Business function more than IT

The executive-level security position is always up for debate. Is it a technical role, or is it moving out of the IT department to influence broader security and risk management initiatives?

This article can also be found in the Premium Editorial Download: Information Security magazine: Dedicated CISO job still open to debate.

The head of information security is a role that differs from company to company. Some organizations assign the job title in name only. Others view the CISO job description as primarily a technical role. Large enterprises look for a seasoned executive who can lead the information security program (read: build one that works) and implement cybersecurity policies tailored to business strategy.

"Ten years ago, we were buried in the infrastructure team, and we were known as the 'security guy or gal,'" says Scott Howitt, senior vice president and CISO at MGM Resorts International, who is profiled in this issue. In Howitt's view, the CISO role has been elevated, in some cases, to an executive level on par with the CIO.

At Fortune 500 companies, the CISO job description is less about technology proficiency and more about information security -- intellectual property and data protection, risk management, forensics and investigation, business continuity and disaster planning, regulatory compliance, data privacy issues -- and strategic security initiatives. Building a threat intelligence capability and communicating risk to non-security executives, especially ownership of risk in the cloud -- as Dave Shackleford explains in his column -- are two areas that will receive increased scrutiny in 2017.

"Cybersecurity is not really a technical venture," says Larry Larsen, CISO of the Apple Federal Credit Union. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in," he tells Jaikumar Vijayan, who reports on cyberthreat intelligence programs for this issue.  

Should the CISO influence the IT organization or be part of it? This is an ongoing debate. The first CISO was brought in to perform a business function -- not an IT one -- in the mid-'90s. Steve Katz was hired at Citicorp -- before the blockbuster merger with Travelers Group in 1998, which created Citigroup -- after the banking giant was breached. Citicorp executives realized that they needed an executive-level security function to protect their financial services business. Yet many companies today still do not allocate resources for a dedicated security officer, and the CISO job description remains unclear to many business executives. Funding is an ongoing issue as well, because the position does not generate revenue.


Is the organization safer with a CISO? That's the bottom line.

The Obama administration appears to have come to that conclusion -- after the Office of Personnel Management breach -- with the September hiring of the first Federal CISO, retired Brigadier General Gregory J. Touhill, a move pledged in the Cybersecurity National Action Plan. (Will this be a CISO position in name only, as some have suggested?) As Touhill works to implement cybersecurity policies and best practices across agencies, he will have help in the form of Acting Deputy CISO Grant Schneider, the former CIO at the Defense Intelligence Agency and, most recently, director of cybersecurity policy for the National Security Council.

This CISO job description is not going to get easier. Rapidly changing infrastructure, untethered devices and the internet have ushered in vulnerabilities and threats that have increased the challenges of securing data and information systems. The CISO job description continues to demand technology knowledge, business acumen and cybersecurity skills. In this special CISO edition of Information Security magazine, we talk with chief information security officers from different industries -- entertainment, financial services, healthcare, retail and technology -- about the evolution of the CISO position and some challenges ahead.

About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.


This was last published in December 2016


Should CISOs be part of the IT organization or just influence it?
To be honest, a large proportion of roles that used to sit in a department named "IT" don't need to anymore. The whole Digital Transformation and the Business Service Management shifts that we've seen over the last 15 years have been moving technology out of a "back-office" specialist activity and making it much more visible and directly interacted with by the end customers. Technology is real-time business critical and directly impacts/supports all internal staff and external customers -- that's really what the term "digital" is referring to now. Senior IT people have mostly realised that they don't create IT strategies and policies any more; they create business strategies, which include using technology to support the organisation and customers in achieving their required outcomes. Information Security was always wider than the technology, otherwise it would have been called IT Security. Yes, we use technology to do lots of it, but it's also about physical security and protecting the information in all cases -- not just when it happens to sit on some technology.