Recently I’ve been giving a lot of thought to the role of information security practitioners in an organisation. The role of the CISO, CSO and IT security are fairly well embedded in many industries by now, and Carnegie Mellon’s ‘Governance of Enterprise Security’ 2010 CyLab report notes an increase in the number of CSOs . This isn’t a surprise given the environment we find ourselves in, but what are they there to do, what are the differences, and how do we measure their value?
It’s an intentionally broad question as I don’t want to focus on the detailed view based on company market, size, location, etc (although I acknowledge these are critical factors to consider). Rather I ask about the principles of information security. We will all probably agree that the CISO job spec will address topics such as security strategy, policy, awareness, incident response and in some cases business continuity. What seems harder to get consensus on is the level of responsibility assigned to this role.
Bill Brenner at CSO Online  ran a series of podcasts recently which discussed this topic in some detail. He interviewed CISOs and asked questions around reporting lines, the difference between CISO and CSO, and what should a CSO be worried about.
The key points that stood out for me were:
1. Many organisations don’t have both a CISO and CSO;
2. However, a CSO often has a focus on physical security only,
3. While a CISO is often a promoted IT security administrator.
I find these results a little worrying. A CISO should be responsible for information security, both physical and electronic. Reporting lines need to reflect this, so they can have a line into the CRO or the CIO, proving the latter is also not still solely focused on IT (which is often still the case). Physical security is an element of information security, although it is broader as information is not the only asset the CSO should be worried about protecting. I can believe the last point about the evolution of an IT security manager into the role of CISO – the security function originated from IT (typically network and server admins), and organisation’s realised the need for security to gain a higher presence with senior management and the executive, and so promoted those that knew the most about the technical aspect into the CISO role.
So in terms of responsibilities, I don’t think there should be too much ambiguity. The often grey areas in terms of requirements for a CISO and/or CISO depend on the DNA of the company (i.e. its structure, delegation of responsibilities and classification of critical assets). Regardless, they are there to drive strategies, implement and monitor programs that manage the risk of (information) security in the context of the business.
Measuring value is harder to quantify. To start with, I believe any role that carries the title of ‘officer’ comes with a high level of responsibility and accountability. However this is difficult to implement for the security officer who often sits at the centre of an organisation, while the actual risk is borne in the divisions – areas not directly under this person’s command. Also, a large part of a CISO’s ability to succeed will depend on the responsiveness and cooperation of the business. Working in audit I appreciate that it can be very difficult to identify and manage risk if the business does not have a culture of open and honest communication. It can be a double-edged sword, as the business may want to see the value the CISO provides (despite their exec-level mandate) before warming up to them.
These days organisations can be very complex in structure, and often evolve to match or make market conditions, take on new lines of business, etc. So it would be a little unfair to expect the CISO to solely keep tabs on the changing security risk landscape and to measure their success in isolation. Rather I believe an equally important factor to gauge is the amount of interaction with other security, risk and assurance provider practitioners in the business. The collaborative approach will have a greater chance of success as coverage across all business processes and technologies will be more effective, not to mention leveraging of different skill sets and more resources. I’m not sure if the performance of a CISO always includes this measure, but it should.
On another note, organisations are not immune to the risk of inadequate security functions, as with any other specialist function. Many employees, including senior management, may not fully understand the role and responsibility of security officers. Thus they will find it difficult to measure the success of these staff. For example if no security incidents occur over the course of a year, was it because the security function was effective in thwarting any attacks or events, or were they not good enough to detect any incidents that did take place? I don’t see a simple answer to this. Often it is those who shout loudest in an organisation that come across as being in control, so if this is the CISO, then it would be difficult for another non-InfoSec person to challenge their effectiveness, while if it is the CIO or CRO that shouts loudest, then it will be very difficult for the CISO to gain respect with and access to the execs.
For me the most important elements of a security function are accountability, responsibility and ownership. It is a role that requires someone to be practical yet, in my opinion, also sceptical (almost paranoid) as someone in the organisation needs to play the role of asking ‘what if’? or ‘what could go wrong?’. And they need to be at a sufficient level in the organisation to discuss and challenge senior staff.
If I were to draft a CISO job spec I would certainly include the details at the start of this blog, but would also include the following:
• Responsible for managing the security of the information assets
• Accountable for strategies and initiatives that improve insight into security protection and monitoring
• Responsible for implementing a culture of ownership relating to company information, and driving related ethical and moral standards in accordance with corporate governance best practices
• Actively involved in driving collaborative assurance and risk management processes with stakeholders such as internal audit and operational risk
• Responsible for implementing a dynamic control environment, leveraging off continuous monitoring processes (I would certainly recommend looking into the SANS Top 20 Controls )
I believe that by using the correct language the role and expectations can be clearer, leading to a greater chance of success for the CISO, which is of course what we all want.
In terms of personal characteristics, I would include the following:
• Must be knowledgeable of the business and practical in aligning security business strategy and operations (this may be a challenge if pure IT-folk fulfil the CISO positions)
• Must have the ability to exercise professional scepticism when identifying and assessing risk
• Must have the ability to quantify information security risk in terms of the business
I guess the next question is: What should the CISO’s team look like and how far should they reach into the organisation…?