The CISO role is now working with lines of business, says Arthur Lessard, CISO, Universal Music Group. Karen Epper Hoffman reports.
Once considered the executive most likely to nip a plan in the bud, the chief information security officer (CISO) is quickly becoming the person most likely to help make things happen.
Case in point? Arthur Lessard, SVP and CISO for Universal Music Group (UMG), positions himself less as the barrier for the music giant's business line executives and more as a go-to guy for helping UMG's various music companies and labels achieve what they want to do. “The role has really changed in the past 18 months,” he says. “It used to be mostly about IT security, but [it is] making more of a shift to a business focus. That's more of what I do. We have to recognize that security is a business decision and we can't make those decisions without spending a lot of time with the businesses themselves.”
For Lessard, who previously served as a CISO at Mattel, that means less time spent writing long security policies and more time in a hands-on role working with the executives who run the various music labels that make up Universal Music Group, a Santa Monica, Calif.-based subsidiary of French media conglomerate Vivendi. “As CISO, I can't just write policy and expect that to effect change,” he explains. “So I spend time with the businesses, helping them understand their specific risks and understand what the work flow is like and how it's unique.”
Within the last five years, certainly the past two, the CISO role has seen a serious shift in tone and direction, according to Lessard and others in the industry. As opposed to being security's gatekeeper, the voice that could be counted upon to squelch a plan or strategy perceived as too risky or apt to open up the organization too much, today's CISO is more of a protector and counselor for a company's lines of business. “It's a relatively new concept,” says Lessard, who adds that “businesses are starting to recognize that information security groups are a strong partner who can help them make business decisions…more than something to be checked off on a list.”
Indeed, Charles Kolodgy, research vice president for security products at IDC, a global provider of market intelligence and advisory services, points out that CISOs are making a greater effort to get out in front of changes the business units want to support – whether that's bring-your-own-device policies or greater use of cloud and mobile technologies. “There used to be a saying that the CISO was in charge of saying ‘no’,” says Kolodgy. “Now [information] security teams are trying to find ways to enable those business partners, while keeping the risk acceptable.”
Andrew Wild, chief security officer for Qualys, a cloud security and software provider, agrees that while the CISO role historically focused mostly on technological leadership, it still retains that leadership but is also morphing into more of a consultant or adviser to business leadership, providing advice and guidance on risk. “In many ways, this is more of a business-savvy position,” Wild says. “It's not about bits and bytes, but about the need to communicate effectively and advise.”
Patricia Titus, VP and CISO for Freddie Mac, says she has seen the role of CISO morph over the past dozen years that she has managed information security at various organizations. “It's no longer the old ‘in your face security,’” Titus says. “We're working to embrace mobility and the cloud. We don't want to be considered the ‘sales prevention office,’ we want to allow them the freedom to innovate.”
Pictured: Charles Kolodgy, research VP for security products, IDC; Arthur Lessard, SVP and CISO, Universal Music Group; Patricia Titus, VP and CISO, Freddie Mac; Andrew Wild, CSO, Qualys.
Titus says that working with her organization's program offices is more of a partnership, “instead of me saying ‘here's the security plan.’” Implicit in this, she adds, is that CISOs need to understand more clearly what is being asked of them and the organization. For example, when business units want to offer their workers the ability to bring their own devices, Titus says it's a matter of drilling down to understand the specific application access it requires and not simply trying to boil the ocean. “It's evolved into risk sharing,” she says. “The CISO no longer owns all the risk for the company. Security officers have become more transparent and pervasive. Where it used to be ‘lock the doors,’ now we realize we need to get the message out.”
Now's the time
Why this shift? Why now? As Titus points out, thanks to the myriad reports of corporate cyber threats, insider compromise and information loss, compliance and security are now on the tongue of every board director. “They understand there needs to be a balancing of security and access.” The increased sophistication and the ever-changing face of the threat actors are factors too, she adds, pointing out that there is still a large human factor in security risks that is better addressed by education, awareness and good practices rather than automation.
With boards of directors and C-suite executives themselves more willing to put security front and center, Qualys' Wild says there's a growing understanding from the top down that preventative controls are not enough and can't guarantee a 100 percent success rate given the nature of today's businesses. “The role of the CISO should be to advise on risk and minimize the risk,” says Wild, “but they can't make the risk level go to zero.” The interconnected and pronounced effect of cloud services and mobility on the corporate environment, he says, has wrought changes that a less forward-thinking CISO simply could not contain.
“It's the changing nature of technology,” says Kolodgy. “There was a time when a lot of organizations did not feel the threats were as great as they are now.”
“The truth is that the businesses are looking for help,” says Lessard. “They know that they may have risk around content and business processes and maybe they haven't had a good experience with information security in the past.” Lessard, who reports to UMG's chief financial officer, says his approach is to work as more of a “resource” for the various music labels – letting them know he is not an auditor or there to “rat them out.” He typically works with managers to understand the potential risks in their workflow and helps them determine how to handle and mitigate those risks. The underlying notion, he says, is that it should be the CISO and the business line executives determining that manageable risk, rather than a lower-level employee conducting a dodgier workaround. Lessard says that within a couple of days of joining Universal Music Group, he had a conversation with his boss about what steps they needed to take to better educate employees about information security. “Getting the employee base to understand the program and how to participate is so important,” he says.
Given the changing shape of the CISO role, it's little surprise that the person needed to step into the CISO's shoes is evolving as well. “There needs to be a balance of technical security background and business acumen,” says Titus. “You have to become a translator.” Indeed, various aspects of the CISO's day-to-day job can include translating the risk landscape to the board of directors, translating security management into habits for employees, and translating each particular organization's or business unit's particular risk appetite into appropriate strategies and best practices.
Although Titus admits that CISO spots are still heavily occupied by technical people, she says the kind of person she is seeing in these roles is evolving. (Aside from spending the past dozen years as a CISO, Titus herself has a résumé that also includes running a diplomatic mission in Africa.) She believes there will be a natural progression as executives with more business and marketing know-how move into these jobs.
While the CISO can no longer be a “technology wonk,” Kolodgy says the security team is as important to an organization's competitiveness as anyone nowadays. “The job of fostering security technologies in a way that reduces risk to the organization is so tied to enabling businesses.” He says that successful CISOs often may start their career in the business world and move into IT. “Some of the most successful CISOs have been professionally cross-pollinated,” he points out. The new CISO is proactive and can present a cogent strategy about likely security threats that may emerge, as well as the ones that already exist, Kolodgy adds. “The role of security is more tied into business activity. It is more about security education within your own organization as an asset,” he says. “We're moving away from the fear, uncertainty and doubt, and need to really understand the business and how to convey risks.”
Wild agrees that there is going to be an “increased requirement for successful CISOs to interact with businesses, yet still be technically savvy.”
Sanjay Beri, founder and CEO of security vendor Netskope, says that even in organizations where the CISO does not have a seat at the table there is a transformation in the role to one of enabling and allowing. He attributes this change, in part, to the emergence of a stronger CISO community “where CISOs can share best practices, and build and forge relationships.”
Meanwhile, Lessard points out that CISOs and would-be CISOs need to understand what the company requires of its CISO, adding that the more recent and evolving role is not as solidified as the chief financial officer or even the chief information officer posts. Much of the CISO's role is often dependent on who they report to – the CFO or the CIO or another executive – and that can do a lot to color the role. For Lessard, much of his job as CISO is built around sales and education. “Communication skills are huge,” he adds.
Though the role means the CISO may be more front and center for the C-suite and the board, the jury is out on whether this means the role will hold more sway – especially when it comes to budgets. “Budget is a big part of the discussion,” says Lessard.
Once he sells the business on what its risks are and what it should do, it's easy to move forward. “If I have done my job right, the budget is not difficult at that point… it's a matter of what each technology or process is [needed] to mitigate the risk and how much we want to spend to mitigate the risk. It takes the heat out of the conversation.”
However, Kolodgy says he does not see CISOs with a seat at the board room table quite yet. Rather, “CISOs are more often briefing the board.”
The role of CISO, Titus believes, is going to become more recognized. “Hopefully, it gets to the right elevation, but that requires work on the CISO's part too.” Titus advises that CISOs look for mentors outside the traditional security officer arena to help broaden their horizon and foster diversity. “We need to socialize with peers and talk about what's happening,” she says. “It behooves us to get a better understanding of business and look for mentors outside of our vertical.”
Ultimately, Lessard says, though the CISO role may be in flux, it is a job that increasingly can make a huge difference in organizations. For example, UMG tends to manage the information security for the websites of many of its music artists based on its strength managing its own information security. If you've got a business “where security is built into the workflow, it just makes things more efficient,” he contends. “In addition to information security being a business decision, it's an exciting opportunity for information security, when done right, to become a competitive advantage.”