maxoidos - Fotolia
Analysts at Gartner have long asserted that CISOs need to understand the business first and security second. But there is an ongoing tug of war over whether CISOs' responsibilities should emphasize knowledge of security engineering and firewalls, or information risk and policy -- the so-called "soft skills."
As board-level concerns amp up the focus on threat visibility and data protection processes throughout many large organizations, we look at the changing CISO role and reporting structures in "The CISO rises: How is it working out?"
"In my experience, I've noticed that more CISOs come from the policy side," Adam Rice, CISO at Cubic Corp., the parent company of Cubic Global Defense and Cubic Transportation Systems, told me when I interviewed him for the story. "But if they don't have a strong security architect on their team, they are really missing half the puzzle. I would say the perfect CISO is going to be somebody with loads of experience, coming up as a security engineer that has an MBA."
CISOs today require business acumen, according to James Christiansen, vice president of information risk management at Optiv Security (formerly Accuvant and FishNet Security): "They need to go into a board meeting and articulate the risks that they are seeing and explain it to all the other people who are reporting to the board," he told me, "which means they have to change their language, they have to change their presentation style, and they have to be good public speakers."
Adam RiceCISO, Cubic Corp.
Does Gartner's assertion imply that a Fortune 500 company in one industry should never hire a CISO from another vertical? That could prove challenging, as the talent pool is already limited and diverse skill sets are required for many positions. Christiansen says the CISO role is changing to "chief information risk officer" based on expanded duties that extend far beyond the enterprise perimeter.
He wasn't just talking about compliance, another hot button issue. Mike Chapple tackles that subject in his cover story, "The ups and downs of cloud compliance." As the senior director of IT service delivery at the University of Notre Dame, Chapple has dealt with his share of cloud services. In a legacy data center, complying with data locality requirements is fairly straightforward. With cloud computing, location gets more complicated. Chapple advises companies to explore a "shared responsibility model" and retain the right to audit vendors against applicable security regulations. But no matter what cloud services you adopt, you can't fully outsource responsibility for information security, he says.
Whose responsibility is it to handle compliance issues such as location, risk assessment and due diligence even when these services are decentralized? That (thankless) duty usually falls on CISOs. The need for policy and security technology expertise requires many CISOs to absorb a broad level of knowledge in areas that previously weren't part of the job even two years ago.
Boots on the ground and security experience across complex enterprise systems is still a major requirement, in Rice's opinion. "If you become just a 'reg' guy or a compliance guy, you are not going to be able to make good judgments on the threats; you have to know how to get in front of an APT," he says. "You can pass an ISO 27001 audit, get the certificate and pop the champagne, and the Chinese are walking out the door with all your stuff."
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.