For early CISO's, defining their role was pretty much a greenfield operation; there was very limited knowledge or expertise in the security profession. While some folks opted to try to get attention through fear, uncertainty and doubt, or "FUD," many folks took a more measured approach, looking at risk and business impact. Needless to say, the companies that were early adopters of the security function have been in a much better position to deal with the onslaught of technology change, continuing threats and vulnerabilities.
In the past decade, many companies both large and small have adopted either the role of CISO or some other type of chief security officer role. Unfortunately, what we've seen in the evolution of the CISO role maturity model is a position becoming more and more under attack -- and when I say attack, I don't mean attack from external forces but from internal forces in the person's own company.
To begin with, there has not been a cookbook for companies to establish the CISO position. In far too many cases the security officer who is given responsibility for security and protecting the corporation is not given the necessary resources, authority, and access to senior management or the board to fulfill their objectives and obligations.
As a result you have a situation where the role of CISO in many companies is in name only, without the resources or organizational stature to accomplish the mission. An easy test to see where your company lies on the maturity model is to answer some simple questions.
- Does the chief information security officer provide an annual update to the board of directors?
- Does the CISO meet on a regular basis with the CEO and/or COO?
- How does the board or CEO delegate the authority with regard to taking on risk? Is it formalized?
- How does the board or CEO determine the information security risk tolerance for the organization? How is this documented and communicated?
- How is the chief information security officer's role in the organization established to provide them with a level of autonomy?
- Does the chief information security officer feel that he or she is in a position to provide unfiltered information about the security posture to the CEO and/or the board?
- Does the chief information security officer have a governance role or an operational role or both?
While not a complete list, these questions provide some thought-provoking ideas for determining the maturity model of your information security program. What are some of the things that we should be looking at when assessing the maturity of our company's security program? A couple of the fundamental principles mentioned earlier revolve around risk assumption, risk delegation and unfiltered information to the CEO and the board. These critical elements embed something that I call organizational courage. Does the CISO have both the organizational and positional power to escalate issues that they feel strongly about to the appropriate CEO or board position for review without the threat that they will be attacked for impeding the business?
In essence, many people have the CISO title but not the delegated authority to make the critical security risk calls. Another disturbing trend is that chief information security roles seem to be changing to a governance role. This trend, in many instances, is eroding the role of CISO, not enhancing it, because CISOs are viewed as influencers and may not have a risk decision role.
Another factor eroding the CISO's role or authority is the change in reporting relationships. If you look at the most recent PwC annual report on security, you will see that over the last three years there's been a significant movement in reporting relationships from CIOs to other parts of the organization. The disturbing part of this trend is that the chief information security officer has a much greater ability to influence the IT organization by being part of it. While it's important for the CISO to have interaction and a broad view of the entire company, I estimate 70% of information security issues will be decided and controlled by the technology area. By not reporting to the CIO, the chief security role is viewed in many organizations as outside of IT and thus may not have the opportunity or the organizational power to influence events, not even at the strategic and technology planning phases.
The security officer who is given responsibility for security and protecting the corporation is not given the necessary resources, authority and access to senior management.
Another important control feature of reporting to the CIO is that the CISO must have an escalation path if there is a disagreement with the CIO, where the CISO has the positional power to escalate disagreements to the appropriate CEO or board position for review consistent with risk assumption guidelines. Another dynamic inherent in a governance structure is that the organization that controls the budget dollars controls the project. Making the security role solely a governance role and taking away both operational responsibility and budget creates a security organization that is significantly hampered in its ability to influence the organization.
Probably the last and most disturbing trend I've seen over the last five to seven years is the fact that many internal organizations have started to do what I'll call a "land grab." The chief information security person has been under attack from a number of internal areas within the organization that attempt to seize areas of responsibilities that are generally viewed as in the security domain. Those organizations include privacy, compliance, audit, application development, computer/network operations, and architecture organizations. Oftentimes it is not with the best interests of the corporation but in the best interests of these internal units. How often have you heard an application development person or IT operations person talk about how they are negatively affected by security rules or tools that prohibit them from doing their job? Most of this is just noise; nonetheless, threats to security and the CISO since security is not viewed as a business enabler by other areas of IT, which are always minimizing the threats and issues.
Today, many CISOs have decided the best approach is to misguidedly hide behind the mantra of "it is the business risk call." As long as they have raised the risk to the business, they have done their job. A much better approach is to have a formalized risk assumption model that states who the board has empowered to assume risk. So how many companies have had a risk tolerance discussion with the board or CEO? Without these fundamental building blocks, CISOs are probably making the wrong decision.
This brings us to the last and most distressing aspect, which is a shortfall of something that I call "organizational courage." This is the courage required to face those defining moments that determine whether you have a functioning security program doing the right thing for the corporation or whether you have a security program in name only, with little impact or organizational role recognition. Few security people have the organizational courage to stand up and state what is correct and do it in a way that influences the organization. At a time when threats and the stakes have never been higher, we need to re-examine the security role. Namely, does the CISO have the organizational power and courage to effectively challenge business risk decisions that are not good for the company?
Today, technology continues to increase in complexity and risk as security lags innovation. We need a strengthened CISO who has been given tools and resources consummate with his or her responsibilities. A number of companies are meeting the challenge head on and establishing mature security programs with the charter, visibility, organizational clout and interaction with the CEO and board of directors to make sure there's alignment. Unfortunately, these companies are the exception rather than the rule.
About the author:
Craig Shumard served for 11 years as CISO at CIGNA and is presently an adviser to Tenable Network Security Inc.
This was first published in July 2013