What are the duties of a CISO? It depends
David Nathans, CISO at large U.S. defense contractor
Due to my successful work leading remediation programs for organizations like TJX, I regularly get called upon to help companies that have been breached or wish to prevent a major breach.
I help by building highly efficient and effective security programs, or by evaluating existing programs for possible improvements. During these evaluations and consultations, I often find myself looking more at the capabilities of the CISO than at the skills or processes of the security team currently in place. I have been involved in a lot of debate on whether a CISO should be a technical leader or more of a policy writer.
There is no doubt that the role of the CISO is to be a thought leader in the area of IT security, but that is where the agreement ends and the debate begins. As security has become more important to organizations, and security-minded people continue to escalate security issues to senior leaders, the role of a CISO takes on a form of its own that is specific to the company. This means that CISOs have different focus areas they need to specialize in, depending on the culture of the specific organization they serve.
There is nothing wrong with this. In different organizations, most job functions, including CFO, COO and even CEO, will vary to some degree. But at some point the degree of variation makes it hard for an organization to hire the right kind of CISO. That same organization may not even know what it needs.
Here are some critical functions that a CISO needs to be able to perform to be an effective leader. This is not meant to be an all-inclusive list, just one that lets readers decide whether these items can be effectively accomplished by a technical or a non-technical individual.
The right person needs to be given breach responsibilities and needs to act quickly and in the best interest of the company when something does go wrong. This entails knowing when the company has been breached, at what level and with whom the breach should be communicated, what immediate actions need to be taken to properly protect the organization, and what steps should be performed to contain the breach. Ultimately, all of this would either roll up under the CISO or be performed by the CISO directly.
As a company progresses in its business, new technology can help with innovation by bringing new products to market, improving existing products, opening up new revenue streams or modernizing existing ones. An organization that is dedicated to ensuring that its customers and data are protected will typically rely on some entity to help it build or implement secure infrastructure. This can include integrating new technologies into the monitoring capabilities of security operations centers, or selecting specific technologies that are more secure than others, all the while helping to enable the business.
The security team's function could be implementation, or simply validation that the chosen technology complies with security policy. A CISO and his or her organizational leaders need to be able to direct technical staff to ensure that business objectives and risk tolerances are met.
Further, a CISO must be able to speak to senior members of an organization and, in some situations, a board of directors. This is no easy task, as the person filling the CISO role needs to be able to articulate complex technical issues and risks effectively, in a way that is clear, quick to the point, easily understood, and does not cause unnecessary panic.
Not only does the CISO need to be a good communicator at this level, but they also need to understand their audience and make the right decisions about what to bring to its attention. More often than not, a CISO may only get a small amount of time every few months in front of a board. They need to know how to make that time well spent.