- David J. Sherry, Princeton University
A New York Times article in mid-2014 grabbed readers' attentions with a provocative opening line: "Pity the poor chief information security officer." Predictably, the article generated a great deal of discussion, especially when it went on to indicate how critical the CISO job is to an organization. We in the security leadership profession were happy to have the spotlight for a while, even if the genesis for the article was a series of high-profile breaches that all pointed back to the security posture of the respective organizations.
In the three years since that line in The New York Times appeared, has the perception of the CISO changed? Has the CISO job itself changed? My belief is yes, both the perception and the role have changed, and all for the better. CISOs now find themselves in more strategic positions, at higher levels of the organization, and with their judgement and decisions being a differentiator in success of an IT and security program.
The role has broadened and has become different from when security management first began: For the CISO of 2017 and beyond, it is all about risk management. Before I address this, let us take a brief look at the past to see how we got to this point.
The CISO job past and present
In the early days of security, the premise was easy: You threw in a few firewalls, made sure your antivirus was running and up to date, and responded as needed when the inevitable worm arrived to affect your network. This was pure IT security, and rarely was there a security program, let alone a security manager. The function was -- quite appropriately -- located in the network group, which had to fight for resources and relevance among the information technology areas of the enterprise.
As reliance on the network matured, along with the vulnerabilities and those who exploit them, companies realized the need for a focused security program. Since 2000, the existence, size and budget of security programs and the number of staff and IT security leaders have exploded. The title of chief information security officer came into vogue, and using the title CISO no longer drew quizzical stares from those who asked what you did.
In the last ten years, another maturation has occurred in the CISO job, from a solely IT-centric position to a leader who is now a trusted advisor to the highest levels of the organization in risk management and data protection. Of course, this is not to say that the responsibilities of a CISO are one-size-fits-all. You will find people holding the title covering multiple areas of the security spectrum, including traditional IT security, awareness, disaster recovery, forensics, operational response, endpoints, risk assessment and more. The scope and scale of the role depend upon the organization's size, finances, security focus and risk appetite.
I do see an important differentiation occurring in the last few years: a distinct separation between IT security and information security. IT security is a necessary and important part of an organization's network, and a key success criterion in designing, building and maintaining a robust and secure infrastructure. This will never go away as a discipline or a critical need.
Information security can oftentimes now be found separate from the network and infrastructure components of security. An information security leader provides guidance, expertise, counsel and risk-management strategies to reduce the amount of risk the organization takes to an accepted level. Areas often included in this role are awareness and training, compliance, assessment, architecture and engineering, all with a focus on design, governance, compliance, response and influence.
The information security office that I lead at Princeton University is designed and built for this model. We have expertise in architecture, engineering, threat assessment, compliance, risk management, messaging, training and awareness. While each staff member may have a unique focus in their role, we think and act as a group for holistic solutions, actions and communications to reduce risk to the organization. Our mission is to make information security both programmatic and cultural throughout the university. While it is built into several lifecycles, we reduce risk because all members of the community are aware of and embrace a security mindset.
We are full partners with our IT security colleagues, but the separation allows us to act proactively to establish our security posture and reduce risk, and allows the network staff to maintain and monitor the infrastructure that meets or exceeds our security benchmarks and standards. This allows both groups to focus on their individual key competencies while together securing the university.
It should be noted, however, that in higher education, adoption of the CISO role has been slower than in other sectors, a situation which has been observed and reported by research experts. "In higher education, we are seeing a very slow adoption of the CISO role, except in the most well-funded four-year, private, not-for-profits and large public universities," stated Katelyn Ilkani, vice president of cybersecurity research at The Tambellini Group. "Our research shows that collaboration among peer institutions is critical in this space, and the notion of a 'shared' CISO resource between peer institutions is increasing in popularity."
I can attest that the cooperation, collaboration and sharing among the higher ed security community is constant and meaningful. We recognize that not all institutions can fund a dedicated security team or have a CISO role, while also recognizing all higher ed is a target. The aspect of shared responsibility across the community is one that we take seriously, and while we may compete for students and in sports, there are no competitors in information security.
From no seat to multiple hats
I have previously written on this evolution toward the CISO as a trusted advisor and how it has affected our discipline. Gone are the days of looking for a seat at the table: CISOs may now find themselves at the table wearing more than one hat. In the past, security professionals may have been overlooked; now, they are speaking as the advisor for information security, risk reduction and the business impacts of compliance, privacy and more. Pete Lindstrom, vice president of security strategies for IDC, put it this way: "Today's [CISOs play] many roles in their organizations, from techie and manager on through to auditor, lawyer and cop. The key to success is knowing when to put on the hat that fits the best."
Which brings us to another point: What are the skills that organizations are looking for to successfully lead a security organization? For the vast majority of CISOs, a technical background is a must. While CISOs may no longer be hands on in their day-to-day responsibilities, the need to understand the technology, speak the language appropriately and work closely with the people who install, manage and maintain the technology is critical. Having security leaders who are respected for their technical experience and knowledge is essential to their success. They must also be able to influence the direction their company takes, which brings us to the nontechnical skills needed for success.
Influence and persuasion are necessary skills for making a company's security plan programmatic and cultural. I have found that there are exceptionally few times that I must demand security adoption. Convincing your organization to do the right thing creates additional buy-in and acceptance of the security program, and it increases the chance and speed of success.
It is also necessary for the CISO to be a strong leader, with strategic thinking skills, a vision about where the security program should be and a plan to get there. The CISO job is emerging as a strategic player, and without leadership skills, there may be hindrances to being accepted by the board.
I speak from experience in strongly urging that all CISOs receive an advanced degree. While a technical or computer science degree is a strong credential, I am witness to the power of an MBA in the CISO toolkit. A master's gives you wide business and management skills and establishes your credibility in the eyes of others who have advanced degrees, a powerful combination for having your voice heard.
And of course, being able to disseminate information across all levels of the organization can make or break your program. That MBA -- and the ability to back up talk with concrete data -- is of great help when speaking to the board, experience as a network architect or sys admin helps in the discussion with the technology staff, and an ease and wit when presenting awareness sessions endears you to the organization's general staff. Recognize this, develop your skills and tailor your communication as needed.
Collaboration, physical security and IoT
I would be remiss if I did not mention how physical security impacts the CISO job and that there are some organizations that combine the responsibilities of the digital and physical worlds. While most models do keep them separate, it is critical for the two areas to collaborate. With the increasing number of IP-addressable devices, the CISO can have a positive impact on the success of the physical world of the organization.
I asked Diana Kelley, chief security advisor and co-founder of SecurityCurve, how the CISO's role of protecting information has a physical component as well. "Information has leapt out of the digital-only space into the physical world in a big way," Kelley said, "making the CISO's threat surface vast and multidimensional. Whether CSO and CISO morph into one role or become closer partners, one critical future for CISOs is awareness of and ability to protect information in the physical world."
Awareness is the key word in Kelley's quote. CISOs who are successful in this cross-functional collaboration recognize the criticality of this, and have established strong partnerships by providing technology solutions in support of physical security. As we witness the rapid and exponential increase of internet of things (IoT) deployments, information security and data protection must be part of the conversation and take the lead in securing the environment digitally.
Tina Thorstenson, assistant vice president and CISO at Arizona State University, looks to collaboration and partnerships for IoT success, providing secure solutions to achieve the university's needs. "We are using IoT technologies in many areas of the campus," Thorstenson said, "and we've provided and maintain dashboards using the data from the devices to improve services on campus, including our game-day experience. Moving forward, we plan to enable and empower public safety in protecting the physical aspects of campus while we network the devices securely."
The current state
Do any of you describe your role to others as risk management? I certainly do. We are expected to speak in the language of risk, talk of probabilities and impact, and relate our posture to widely accepted frameworks. We are relied upon to assess the future risks that might impact our organizations, cut through the morass of solutions and products, and understand the effects of IoT and advanced persistent threats. We are in our roles to ensure that our businesses can have continuity and uptime, or respond quickly to a disaster and recover services with little or no impact. We defend and protect our entity's reputations and establish the necessary controls and reports to ensure compliance. That, in its essence, is risk management.
As a profession, we also can observe our scope and impact becoming broader. When our programs are successful, our organizations are confident in listening to our assessment and adding additional responsibilities to our portfolio. They may look to us to lead identity, privacy, records management and other key areas. What a sign of respect this is, and what an impact we can have on our roles and organizations when thinking about lowering risk holistically through many areas of influence.
What does this mean, and where do we go?
While our role is now recognized, it continues to evolve. How do we address this? I believe that the message for all of us is to embrace it. The information security profession has worked hard to establish relevance in the enterprise, and the recognition that a company would want the security function to take on increasing responsibilities is a humbling and exciting one. It validates the actions and the thinking of the security discipline that we have been developing as a community and establishes the function as a business one, in addition to a technology one. That's a great evolution for us.
The evolution also highlights that security is ultimately about managing risk, and CISOs are really risk managers at their core. Whether it is architecture, compliance, privacy, risk assessment or business continuity, it's really all about identifying and managing the risk posture of the enterprise.
I foresee that the CISO will continue to evolve upward in all organizations. You can easily find numerous articles and participate in many surveys of "who should the CISO report to?" The answer to that question is quite broad, depends upon the organization and has zealots passionately arguing their case. If we continue to influence, if we continue to provide increasing value and if we continue to provide risk management success, then the only way for our role to go is up. We see an increasing number of CISO roles being posted at the board level, reporting directly to the president or CEO. I applaud these organizations for recognizing the role of the CISO in the success of their companies.
And I will applaud each of you as well when you achieve that level.