The CISO role has come a long way in a very short period of time, but not always under the best of circumstances....
Data breaches have monopolized the media headlines as more organizations fall victim to malicious activity. The first thing these organizations often do after experiencing a data breach is fire the current CIO and hire a CISO; as an example, Nieman Marcus hired its first CISO following its disclosure of a major data breach last year. This is not the easiest way to introduce the new role to the organization, but it is typically how it happens. The organization has "checked the box" by hiring a CISO and now can go back to the previous routine of ignoring information security because the immediate crisis is over. Meanwhile, the CISO job description has expanded to an unrealistic scope of roles and responsibilities that put these executives on the hook for aspects beyond their control.
The CISO quickly inherits all aspects of information security, including architecture, compliance, disaster recovery, identity management and incident response without the associated financial and human resources. No one person can possibly master all of these disciplines or have time to execute them with the appropriate expertise. As a result, the organization's security program starts slowly and many known vulnerabilities are left unremediated, to say nothing of the unknown vulnerabilities. Unfortunately, management often believes all security problems are solved with the addition of this one position and are not interested in the CISO's requests for more help.
Challenges facing new CISOs
One of the issues that makes a new CISO role so difficult is the lack of any previous information security program. The new CISO has to reverse all of the previous information security sins committed by the organization over many years. Improving organizational information security may involve major architectural changes to the infrastructure that can be expensive and time-consuming. Costly upgrades to core business applications may be necessary in order to support modern operating systems. End users may revolt because, for example, they are not accustomed to changing their password or having inactivity timers on their devices.
The CISO must make all of these changes with employees who report to other executives since there are limited human resources in information security. CISOs don't typically have reporting relationships with the employees in IT who manage system security even though they are ultimately responsible for it. They have to instead convince skeptical IT staff to address vulnerable systems and architectures. They have to sell the information security program and convince other executives that information security projects deserve some priority in human resource allocation decisions. Progress on improving information security can slow to a halt if the CISO is mired in the bureaucracy of the organization.
Enterprises can empower the CISO through executive support and appropriate resourcing. The IT employees who manage daily operations do not have to report directly to the CISO, if the executives over IT place priority on CISO recommendations. This helps to allocate both human and financial resources to information security priorities. Information security will not be a priority to the organization if it is not a priority for the organization's executive management.
The difficulties of the modern CISO
The modern CISO has been given an almost impossible job. It should be no surprise that so many organizations are breached even when they have a CISO in place. Similarly, the trend of CISOs leaving their posts for other executive positions shouldn't come as a shock.
The limited human and financial resources available to their departments force them to attempt to master a daunting number of security- and technology-related disciplines. They are usually walking into environments that have not had any security measures in place and require years' worth of expensive cleanup. The employees who need to accomplish all of this work do not report to them and often have competing priorities. These factors make being a modern CISO an increasingly difficult proposition for even those who feel up to the challenge.
About the author:
Joseph Granneman is SearchSecurity's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed about various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.