- David J. Sherry, Princeton University
If you have worked in information security for the past 15 years, you have witnessed a maturation in the mission of security that is quite remarkable. In its infancy, security was oftentimes viewed as the troglodytes at the end of the corridor, who focused on analyzing packet streams, firewall logs and anti-virus anomalies. Some of the fear that hovered over security practitioners was simply the result of the role that they played, and their secretive and covert way of performing their duties. Still, security practitioners diligently performed their tasks, and sought and gained increasing relevance.
Fast forward to the current day, and you will see a new view of security in many enterprises: security is evolving towards a broader focus on risk management. The responsibility of traditional information security has not decreased in importance or duty, but the mindset and role have certainly become more risk-based in nature for security leaders and many current CISOs. And this is appropriate, as information security management at its core is the mitigation, transference, reduction and elimination of risk to the enterprise.
Many CISOs’ responsibilities now include privacy and its related functions and regulations; compliance with federal and local mandates and external entities; and a deeper penetration into legal arenas. And this makes sense, as a seasoned and trained security executive would have the right qualifications to take on this wider scope. As privacy and compliance continue to gain importance in the success of an enterprise, and with some hesitancy about adding senior headcount, assigning these responsibilities to the CISO is a sound business model.
Aside from the demands on time and prioritization, such a move is seen as an extremely positive transition for the security profession. A security professional oftentimes brings a different skillset and experience to the table, identifying both the risks and their solutions in a way that may not have been seen in the former structure. A move to include risk management with security has also enabled the mission of security to take some additional spotlight, which has become an unexpected fringe benefit to taking this broadening role. An experienced CISO or similar security leader can share solutions that are more holistic in nature, and support the establishment of processes that can satisfy different risk and compliance concerns in several different areas. This can only be seen as a positive for information security.
Defining the New Security and Risk Function
The biggest challenge is sometimes the scope. The increasing responsibilities can sometimes impact the focus that is necessary in the day-to-day security function. There could also be some pushback from the IT security function itself, as some of the technical operations may not see the need for the risk-based methodology. Also, establishing the credibility of a newly expanded function is something that must be overcome confidently and quickly. The function needs to be implemented iteratively, beginning with a board-level mandate, wide publicity, seed financing to establish base-level solutions and the celebration of documented success. It is also important that the CISO establishes the powerful tool of a high-level and cross-functional committee of enterprise leadership that meets regularly on all things security, risk, privacy and compliance. Having this group be both a sounding board and an approval authority will have a positive impact on how the expanded security and risk function sees its role, and how it fits into the overall risk management posture.
There are obvious economies of scale with combining the functions as well. Partnerships with audit, legal and risk can be developed or deepened, and common solutions and needs can be identified and addressed. Having a more holistic approach, with several key function heads on the governing body, will also bring more spotlight on the original security function, and aid in validating their mission. Security can now be observed chairing and leading the decision-making process in several key areas, which would have been unheard of only a short time ago. Finally, in the area of incident response, what was traditionally handled in the IT world is now shared and communicated to a wider audience. This has enabled the old mantra of “it’s a technology problem” to be reduced or eliminated, and allowed the security and risk function to now be seen as contributors to the success of the enterprise.
Security has reached a new juncture in its maturation as a discipline, one where an expanded role with more impact can now be achieved. It wasn’t very long ago that security was looking for a seat at the table. Now its practitioners are not only sitting there, they may be wearing more than one hat. Now is the time to embrace this evolution. Security practitioners have worked hard to establish relevance in the enterprise, and the recognition that a company would want the security function to take on increasing responsibilities is a humbling and exciting one. It validates the actions and thinking that have been developing in the security community, and establishes the function as a business one in addition to a technology one.
It’s an exciting time to be in security and in a CISO role. I would imagine that if we have a similar conversation in two or three years, we would be looking back with pride at our expanding security discipline, and embracing the next wave of challenges. Put on those hats!
About the author
David Sherry is the chief information security officer at Brown University, with university-wide responsibility and authority regarding matters of information security and privacy. He leads the Information Security Group, charged with the development and maintenance of Brown’s information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. Send comments on this column to firstname.lastname@example.org.