The role of chief information security officer (CISO) is a relatively new addition to the executive team in most companies and it is not yet completely understood. Most executives understand the need for information security, but remain unaware of the operational tasks undertaken by the CISO to build a secure environment. This isn't a new situation for technology executives; the chief information officer (CIO) role also took time to be understood by other execs. The CIO, however, had the benefit of delivering the tangible capabilities that come with the adoption of information technology. A CISO's purpose -- to mitigate risk -- is much more abstract, making it more difficult to understand.
For other executives, the CISO may be viewed as someone who requests people and financial resources to prevent technical, and possibly incomprehensible, events. The perception of the CISO role will change as the importance of information security becomes more readily appreciated among executives and the role continues to mature. In the meantime, CISOs may find themselves with limited resources and no direct line of authority over those in the company who can impact infosec programs.
So how can a CISO navigate this political minefield to build a successful program? In this tip, we'll discuss the specific set of skills and circumstances needed to be successful in the CISO role.
Winning influence with other execs
First and foremost, any CISO who plans on having success needs to win the backing of an executive or the executive team. This support can only be earned by building relationships with each member of the executive team and establishing your expertise in both business and infosec matters. A CISO's greatest asset in building these relationships is listening to each executive's needs and matching them to information security objectives. This step is critical for developing the authority required to influence employees in other areas. Authority cannot be used by itself to make change, and overuse or misuse of authority can damage a CISO's credibility irreparably.
A CISO who gains the authority to make changes then needs to know how to explain these changes to other employees. Typical enterprise users are unlikely to have technical knowledge, so security execs should explain how information security affects the business and, as a result, each employee. Such outreach activities build the CISO's credibility and help to bridge the IT security knowledge gap facing users. Another wonderful side effect is that the CISO will hear firsthand what is important to the business and can adjust the information security strategy accordingly.
With the task of gaining authority out of the way, the CISO should begin actively engaging the business in information security decisions. This can be accomplished by building a governance body whose purpose is to provide feedback on current issues and to act as a sounding board for possible fixes. The governance group should include representatives from the legal, technical, human resources and business areas of the company. This gives them ownership of any information security decisions to be made and also serves as a platform for education.
Finally, while CISOs obviously need to have business acumen to succeed with nontechnical execs and users, security executives with only business skills will have problems convincing the technical team to follow their lead. IT professionals can be a cynical bunch and will pick apart any idea that comes from ill-informed decision makers. A CISO must be able to talk and listen at a technical level that will garner acceptance from the technical teams.
Selling information security
If you think that all of these suggestions sound like they came from a book on salesmanship, you aren't far from the truth. These are simply ways to influence people and sell them on the importance of information security, but they're easily applicable to any other field with the right tweaks. Essentially, CISOs need to focus on identifying their target customers (in this case, other executives and users) and selling them on ideas in their own language.
The CISO role will continue to mature and achieve more acceptance over time just as the CIO role has in previous years. Until then, CISOs must spend considerable time educating companies on the value of security. CISOs must use a variety of techniques to reach their audience and garner influence. Only then will a CISO gain access to resources outside of his or her span of control to build a successful information security program.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed on various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade with many different implementations in the medical and financial services industries.