FotolEdhar - Fotolia
The chief information security officer (CISO) role is gaining recognition through notoriety. The limelight, once again, follows a string of high-profile data breaches at major corporations, drawing scrutiny of the inner workings of victims' information security programs.
Many commercial enterprises still fail to update their security programs and appoint centralized management. Remember the compromise of RSA's SecureID two-factor authentication in 2011 and LinkedIn's stolen passwords in 2012? Neither organization had a dedicated CISO. Both companies have since filled the position.
Fast forward to this past year: Several household names that suffered high-profile data compromises -- Target and JPMorgan Chase among the Fortune 500 -- didn't have a CISO role, or even full-time leadership dedicated to management of their security and risk programs. Consumers are not happy, and neither are regulators, banks, credit card lenders or supply chains.
With the lure of higher salaries and complex challenges, the role of CISO offers opportunity for individuals with high stress thresholds who can develop security and risk management programs, bridge the gap between executives and engineers, and navigate the murky details of technology controls and compliance frameworks. The climb up the ladder to CISO often starts in computer science, military and intelligence or law enforcement. The role is still evolving, however and, according to many in the field, remains largely undefined.
Target, which has suffered hundreds of millions in losses since its 2013 breach over the holiday period, recently hired its first CISO, Brad Maiorino. The former CISO and chief risk officer of General Motors told The New York Times in July, "Right now, we have an opportunity to define what a CISO is, who we should report to, and it's an exciting time to be in the role."
Early on, the CISO role was more or less that of a senior administrator -- someone working in the back office on systems and basically configuring firewalls. "There wasn't a real C-level or an executive-level role at that point," said Bruce Brody, chief cybersecurity strategist at Cubic Corp., who has weathered a 15-year CISO career at the Department of Veterans Affairs, the Department of Energy and defense contractor DRS Technologies.
Bruce Brodychief cybersecurity strategist, Cubic Corp.
That's changing. As the security and privacy areas skyrocket, the CISO role now spans across IT, compliance, business continuity, personnel and facilities, which makes it challenging to decide where to place it, organizationally, within commercial enterprises. "The foot into different parts of the organization has given the CISO a seat at the table when it comes to leadership," said Brody.
Some companies have renewed their focus on cybersecurity and are devoting more resources to the CISO role in response to the evolving threat landscape. "To be better prepared, our clients are elevating the CISO role to a true executive-level position, versus a director-level position reporting to a C-level executive, and increasing their budgets, anticipating increased headcounts and technology investments," said Cindy Miseli, senior recruiter with Alta Associates, a boutique recruitment firm in Flemington, N. J.
Alta Associates is a 25-year executive search firm with a longtime practice in IT risk management and security. According to Miseli, CISOs are now expected to hire more specialized direct reports with deeper technical skills in areas such as IT forensics, incident response, security operations and containment and IT risk management. At the same time, security officers are being given an opportunity to participate in corporate initiatives outside of traditional information security programs, such as mergers and acquisitions and product strategy.
"We are witnessing our clients' shift toward seeking candidates who are not only accomplished technology practitioners; but strategic, business-enabling leaders who can attract, develop and retain top talent that will protect the company's brand and assets," she said. "This key factor, along with the size and scope of their organization is what drives compensation packages by as much as a $300 to $500k differential."
CISOs base annual compensation
|U.S. Dollars||Percentage of CISOs|
N=133 CISOs, 2013 Salary Benchmark Report, Ponemon Institute
In name only
The CISO role is typically found in enterprises with 1,000 or more employees, but market researcher Gartner has recommended that organizations with 150 employees consider hiring a dedicated CISO function. In a 2012 report, "The Business Case for the Chief Information Security Officer," analyst Paul E. Proctor wrote that entities without a dedicated CISO function ranged from companies with an "ignorance is bliss security model" to those that have excellent security controls and, therefore, don't see the need for central security leadership. Other companies fill the CISO role in name only, assigning security to legal counsel or IT, who do not have time for the role, according to Proctor.
It's a phenomenon that happens across government and commercial enterprises, agrees Brody. "Most organizations have been hit or attacked by some malware or some persistent threat -- something bad has happened to their infrastructure," he said. "Just being able to say that they have a CISO checks a box and allows them to tell their board and their investors, 'Oh yeah, we have a chief information security officer.' At least, they took measures to put one in place, and they devoted resources to that person in terms of compensation. Unfortunately, that does not solve any problems."
Despite the increasing responsibilities and higher profile, the CISO function at many companies is still technology- and enforcement-driven, with limited time spent on strategy and policy development. The Ponemon Institute analyzed data from 133 CISOs as part of a larger salary survey in 2013. When CISOs were asked to rank how they spend their time on a 100-point scale, monitoring and audit scored highest (24), followed by policy enhancement (16), incident management (12), business continuity management (11), risk assessment (10) and on the down the list. Both planning (5) and procurement (4) had relatively low scores. Policy development (2), strategy setting (1) and corporate communications (1) received the lowest rankings, according to those surveyed.
This finding goes directly to the common beliefs about the CISO's role in strategy setting and policy development, said Larry Ponemon, founder and president of the research firm, when he presented the initial findings. "It appears again that CISOs -- this may not be a myth -- are really more tactical; that's not a surprise," he said.
Ponemon research also found that security officers' dotted-line relationships in companies with more than 1,000 employees were with IT operations (78%), data center management (55%), corporate compliance (39%), business continuity management (36%), privacy officer(28%) and enterprise risk management(16%), with human resources and corporate finance at the bottom of the list.
The qualifications of those surveyed also varied: 34%of the security officers had MIS and computer backgrounds, 20% came out of law enforcement, 16% had military backgrounds and 14% had intelligence experience.
"You can take any smart individual and turn them into an information security practitioner with the right training," said Brody. "What the person also needs to have in order to climb up the ranks to chief information security officer is a tough skin, the ability to organize chaos into order, the ability to communicate effectively across the divide of senior management and engineering…and be equally comfortable in the coat-and-tie boardroom as in the Hawaiian shirt-and-jeans back office and IT department.
"Those are skills that no one teaches," said Brody, who started in the intelligence community, moved to the command-and-control world and got into information security (multilevel security across domains) and then CISO positions after several managerial roles. "You have to go learn them. You have to go find the problem, solve the problem and move onto the next problem, and then build your resume accordingly."
Proctor recommends that larger organizations first create a role definition and then "find someone who understands the business first and security technology second."
"If you think the problem can be solved by technology, then you probably don't understand the problem," said Brody. "What really has to happen is this holistic approach. Executive carriage is important, but you cannot be ignorant of the technical aspects. Part of your job is putting in place technical controls, and those controls relate to a compliance framework…and you have to be on top of that, too."
With the steady stream of new security controls, picking the technology that fits into your architecture is a daunting task and may be one of the hardest aspects of the job. "There are just too many good ideas," according to Brody, and a thorough assessment of all of the technology controls out there is completely missing in the information security space.
Each information security officer is making his own decisions, and, unfortunately, some of the best ideas are point solutions. "The chief information security officer can't focus in on point solutions when there is an entire architecture to secure across all different areas," he said. "A point solution doesn't solve 1% of the problem, so you are always looking for enterprise-wide solutions that you can put in place to improve the risk profile."
Uncharted career path
Despite the critical nature of these jobs, the information security career path has been poorly defined and more workers are needed. The Department of Homeland Security's National Cybersecurity Workforce Framework released in July 2013 is designed to educate the workforce about roles, skills and career paths. It was developed by the National Institute of Standards and Technology and the National Initiative for Cybersecurity Education in conjunction with government and private entities. According to the Workforce Framework, the CISO is one of the positions -- information systems security officer, IT director and risk executive are others -- tasked with managing the security program:
Manages information security implications within the organization, specific program or other areas of responsibility to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness and other resources.
As far as cybersecurity is concerned, the chief information officer deals with strategic planning and policy development, according to the framework. The Clinger- Cowen Act (formerly, the Information Technology Management Reform Act of 1996) defined the CIO role for the government. The Federal Information Security Management Act (FISMA) in 2002 defined a senior agency information security officer, which has since become the chief information security officer. Both of these roles are continuing to evolve.
While the CIO and CISO work in concert in any enterprise, the job of the CIO fundamentally is "power, ping and pipe," according to Brody. The CISO's role is to protect, defend, react, respond and recover, and that continuum of information security may interfere with the CIO's budgetary priorities and desire to keep all systems operating. Reporting channels that bypass the CIO and go directly to the board of directors and other C-level executives often result in higher compensation, according to the Ponemon study.
How the CISO reports to the board
Study of companies with 1,000 or more employees
|No reporting occurs||33%|
|Informal, event driven||32%|
|Formal, regular intervals||19%|
|Informal, at will of CEO/board||5%|
|Formal, irregular intervals||3%|
N=133 CISOs, 2013 Salary Benchmark Report, Ponemon Institute
"Both of these roles are evolving. "Think about the future of IT technology. If every enterprise goes to bring your own device and reduces its infrastructure and puts it all in the cloud -- pretty soon the role of the CIO and the role of the security officer will, almost, flip," said Brody.
The industry needs to define a career path for information security practitioners and do a better job of moving them along in their careers. The CISO career is only now defining itself, according to Brody. "This is a career field where successes are not normally recognized, failures are blown out of proportion and sometimes land on the front page of The Washington Post," he said. "But it's very rewarding in terms of psychic enjoyment, that feeling of accomplishment at the end of the day that you've done something. There is no routine when it comes to information security."
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
Send comments on this article to email@example.com.