sdecoret - stock.adobe.com
Today's CISO has many demands placed on her: reduce risk, defend budget, dejargonize tech language for the board and the executive team, and separate noise from signal when it comes to vendor claims. All these tasks focus on enterprise assets that need to be protected, from laptops and servers to databases and cloud shares to rapidly expanding IoT environments, data lakes and so forth.
However, this is only one dimension of a CISO's responsibilities. There are two equally important dimensions any forward-looking CISO should embrace, recognize and protect. First is being an active stakeholder in the product or service the CISO's organization is building. Second is embracing the role of a personalized advocate for her customers -- especially the smaller ones that don't have a CISO of their own -- based on data that may already be harnessed by her organization's offering.
All this needs to be done with an increasingly important cultural awakening that can expose or elevate enterprises -- one that CISOs are in an all-too-important position to ignore: ethics.
How can security and ethics be achieved and coexist while a CISO simultaneously conducts enterprise protection, takes part in product development and acts as an advocate for her customers?
Ethics and traditional enterprise protection
One of the biggest goals for any CISO is risk reduction, which largely involves one of the biggest challenges in enterprises today: insider threats. From malicious or disgruntled workers to overwhelmed employees simply making poor choices, insider threats are a major enterprise security risk. A CISO must adopt new methods to control insider risks, whether it's a cloud access security broker watching over an employee's SaaS interactions or a mobile device management system that has access to an employee's contacts, phone logs and other personal information. However, many employees are not aware that they are being watched.
Traditional new hire disclosure statements or annual compliance quizzes don't cut it when it comes to empathetic security and privacy awareness training. Some forward-looking CISOs have embraced gamification, while others have consultant psychologists to understand how different demographics consume and retain to constantly adapt corporate training methods.
Bottom line: CISO thinking needs to evolve to engage in transparent and empathetic employee education, while simultaneously implementing programs to reduce risk.
Security and ethics in product engineering
A typical enterprise CISO does not involve herself with product definition or development. However, a forward-looking CISO must. For example, consider providing customized recommendations and suggestions to a customer using your company's SaaS product -- a great idea. But does the customer know his use of your product is being microinstrumented and analyzed all the time by default? Is there an opt-out? Or an incentive to opt in? Who owns this instrumented data? And who owns the predictions that come out of the machine learning tool?
Some product teams have the smarts to consider such questions, but a CISO and her team think about them all the time. As CISOs have this expertise and constant mindset, they should be willing and able to have such input during product engineering.
Bottom line: A CISO can become a trusted business partner if she ingrains herself as a security and privacy advocate during product development.
Ethics, security and customer advocacy
Let's continue with the SaaS product example. Using analytics to upsell a premium subscription is the typical freemium model that most companies use, so why not use these analytics to suggest better privacy and security protections?
A B2B company always has data on the size of the company it is serving, and it is quite logical to assume that the smaller a company, the less likelihood that it has a dedicated CISO or a chief privacy officer. It may be prudent for the CISO of the B2B company to assume the role of a virtual CISO for her smaller customers. Using analytics on how the product is being consumed, the virtual CISO could provide customized and personalized security and privacy recommendations for better product usage. Even more impactful, with the constantly changing regulatory landscape -- GDPR and the California Consumer Privacy Act, for example -- a virtual CISO could help smaller customers understand how these new regulations could impact them and incorporate that into that feedback as well. Wouldn't that make your customers truly grateful and secure?
Bottom line: A CISO who extends herself as a virtual CISO to the smaller customers her company serves and turns the data already being harvested by her company into valuable security recommendations would stand out among her peers.