CISO: The great enabler?
Arthur Lessard, CISO, Universal Music Group
The CISO role is now working with lines of business, says Arthur Lessard, CISO, Universal Music Group. Karen Epper Hoffman reports.
Once considered the executive most likely to nip a plan in the bud, the chief information security officer (CISO) is quickly becoming the person most likely to help make things happen.
Case in point? Arthur Lessard, SVP and CISO for Universal Music Group (UMG), positions himself less as the barrier for the music giant's business line executives and more as a go-to guy for helping UMG's various music companies and labels achieve what they want to do. “The role has really changed in the past 18 months,” he says. “It used to be mostly about IT security, but [it is] making more of a shift to a business focus. That's more of what I do. We have to recognize that security is a business decision and we can't make those decisions without spending a lot of time with the businesses themselves.”
For Lessard, who previously served as a CISO at Mattel, that means less time spent writing long security policies and more time in a hands-on role working with the executives who run the various music labels that make up Universal Music Group, a Santa Monica, Calif.-based subsidiary of French media conglomerate Vivendi. “As CISO, I can't just write policy and expect that to effect change,” he explains. “So I spend time with the businesses, helping them understand their specific risks and understand what the work flow is like and how it's unique.”
Within the last five years, certainly the past two, the CISO role has seen a serious shift in tone and direction, according to Lessard and others in the industry. As opposed to being security's gatekeeper, the voice that could be counted upon to squelch a plan or strategy perceived as too risky or apt to open up the organization too much, today's CISO is more of a protector and counselor for a company's lines of business. “It's a relatively new concept,” says Lessard, who adds that “businesses are starting to recognize that information security groups are a strong partner who can help them make business decisions…more than something to be checked off on a list.”
Indeed, as Charles Kolodgy, research vice president for security products at IDC, a global provider of market intelligence and advisory services, points out that CISOs are making a greater effort to get out in front of changes the business units want to support – whether that's bring-your-own-device policies or greater use of cloud and mobile technologies. “There used to be a saying that the CISO was in charge of saying ‘no',” says Kolodgy. “Now [information] security teams are trying to find ways to enable those business partners, while keeping the risk acceptable.”
Andrew Wild, chief security officer for Qualys, a cloud security and software provider, agrees that while historically, the CISO role was mostly focused on technological leadership, the role still retains that leadership, but is also morphing into more of a consultant or adviser for the business leadership to provide advice and guidance on risk. “In many ways, this is more of a business-savvy position,” Wild says. “It's not about bits and bytes, but about the need to communicate effectively and advise.”