Tommi - Fotolia
Published: 01 Dec 2016
The head of information security is a role that differs from company to company. Some organizations assign the job title in name only. Others view the CISO job description as primarily a technical role. Large enterprises look for a seasoned executive who can lead the information security program (read: build one that works) and implement cybersecurity policies tailored to business strategy.
"Ten years ago, we were buried in the infrastructure team, and we were known as the 'security guy or gal,'" says Scott Howitt, senior vice president and CISO at MGM Resorts International, who is profiled in this issue. In Howitt's view, the CISO role has been elevated, in some cases, to an executive level on par with the CIO.
At Fortune 500 companies, the CISO job description is less about technology proficiency and more about information security -- intellectual property and data protection, risk management, forensics and investigation, business continuity and disaster planning, regulatory compliance, data privacy issues -- and strategic security initiatives. Building a threat intelligence capability and communicating risk to non-security executives, especially ownership of risk in the cloud -- as Dave Shackleford explains in his column -- are two areas that will receive increased scrutiny in 2017.
"Cybersecurity is not really a technical venture," says Larry Larsen, CISO of the Apple Federal Credit Union. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in," he tells Jaikumar Vijayan, who reports on cyberthreat intelligence programs for this issue.
Should the CISO influence the IT organization or be part of it? This is an ongoing debate. The first CISO was brought in to perform a business function -- not IT -- in the mid-'90s. Steve Katz was hired at Citicorp -- before the blockbuster merger with Travelers Group in 1998, which created Citigroup -- after the banking giant was breached. Citicorp executives realized that they needed an executive-level security function to protect their financial services business. Yet companies today do not allocate resources for a dedicated security officer, and the CISO job description is still unclear to many business executives. Funding is an ongoing issue as well because the position does not generate revenue.
Is the organization safer with a CISO? That's the bottom line.
The Obama administration appears to have come to that conclusion -- after the Office of Personnel Management breach -- with the September hiring of the first Federal CISO, retired Brigadier General Gregory J. Touhill, a move pledged in Cybersecurity National Action Plan. (Will this be a CISO position in name only, as some have suggested?) As Touhill works to implement cybersecurity policies and best practices across agencies, he will have help in the form of Acting Deputy CISO Grant Schneider, the former CIO at the Defense Intelligence Agency and, most recently, director of cybersecurity policy for the National Security Council.
This CISO job description is not going to get easier. Rapidly changing infrastructure, untethered devices and the internet have ushered in vulnerabilities and threats that have increased the challenges of securing data and information systems. The CISO job description continues to demand technology knowledge, business acumen and cybersecurity skills. In this special CISO edition of Information Security magazine, we talk with chief information security officers from different industries -- entertainment, financial services, healthcare, retail and technology -- about the evolution of the CISO position and some challenges ahead.
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.
Do companies want business or technology skills for CISO role?
Why the CISO job is getting too broad
Requirements to consider when hiring a CISO