Today's CSO/CISO must effectively communicate to senior leaders about the need for security, reports Fahmida Y. Rashid.When Larry Whiteside came to Spectrum Health seven months ago as the health care nonprofit's first chief information security officer (CISO), he knew leaders within the organization had certain expectations for the newly created role. As the CISO and director of enterprise IT security, risk and compliance, he would be reporting to the chief technology officer (CTO) and managing the company's security strategy.
In the months since, Whiteside has redefined the expectations. Executives were thinking about the technology aspect of security, not realizing that there was more to security than software, equipment and networks, Whiteside says. A security officer needs to focus on people, process and policies, too. He has made it clear that despite reporting to the CTO, he needs to work with other divisions and on focus non-technology areas of the organization as well.
“A good CISO will help the rest of the business understand more about what they need, compared to what they thought they needed,” Whiteside says.
Additionally, the emphasis on what is involved in the security manager's role has changed, says Eddie Schwartz, CISO of RSA, a Bedford, Mass.-based security company. CISOs and CSOs are now expected to focus on protecting what is valuable to the organization, Schwartz says. There is a greater focus on immaterial assets and intruder protection and not as much on compliance.
Nearly 25 percent of security chiefs surveyed in May by IBM in its “CISO Assessment 2012” were shifting from a technology focus to a strategic business leadership role. Security leaders also said they were paying more attention to risk management and spending more of their time on a reduction of potential future risk and less on mitigation of current threats, and management of regulatory and compliance issues, says David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights.
Further, the CISO generally has more access now to the board of directors than in previous years as board members are generally much more security-aware than they used to be, says RSA's Schwartz. The CISO also has to periodically present the organization's security strategy and status to the board, which may not have been as common a few years ago.
The role of the CISO has shifted focus from a technical role to a more “evangelist” role, says Craig Shumard, a principal at Shumard and Associates and a former CISO at Cigna Health. CISOs are nowadays viewed as the primary source of knowledge for information security. They serve as advocates for all things security rather than just being a technical administrator, he says. “Easily 20 to 30 percent of security has nothing to do with technology,” he says.
“Security has not yet made the quantum leap to being understood as a business enabler.”
– Larry Whiteside, CISO, Spectrum Health
Schwartz agrees, adding that the CISO is not someone who provides the security tools, but rather someone who is in the business of protecting information. The CISO also plays a more active role than in years past, reaching out to other parts of the organization. Much of the day-to-day security decisions are handled within the business unit, as “security works best when people feel they are responsible for it,” Schwartz says.
The CISO is a “thought leader,” helping other groups understand risk and playing a role in defining and developing governance requirements, adds Shumard. How the CISO functions within an organization varies by industry, company size and maturity. While some entities have traditionally seen the role as a mix of governance duties and operational responsibilities, others are shifting toward one focused solely on governance, he says.
Until recently, many organizations did not even have a formal CISO role. That didn't mean there was no one looking at security issues, but rather that the responsibilities were dispersed across several people, in a more ad hoc fashion, says Shumard. Formalizing the role and having one person in charge helps provide focus and coordination to the organization, he says.
People responsible for security are “working smarter,” but they are still “vulnerable” to budget pressures, Whiteside says. Despite the focus on non-technical aspects of security, the majority of organizations still rely on technology to accomplish their security goals.
Businesses worry about return on investment and try to justify costs, but that isn't how an organization should evaluate security spending, experts say. The CISO still has to justify the budget, as much as anyone else would for different areas of IT and the company, Schwartz says.
“Security has not yet made the quantum leap to being understood as a business enabler,” Whiteside says. But, he expects that eventually executives will appreciate the value the position can bring to the company's bottom line. “Once the paradigm shifts, once they see we want to be a partner and not an adversary, things will change.”
And, the IBM report backs up his prediction. Two-thirds of security leaders in the survey expect spending on security to rise over the next two years. Of those, almost 90 percent anticipate double-digit growth, and 10 percent expect increases of 50 percent or more.
However, when it comes to a budget discussion, the CSO's role is not about meeting some kind of ROI, but about explaining risks and adjusting expectations, Schumard says.
Where the CSO is positioned in an organization also varies. Some have the CISO report to the CIO, while others put the CISO directly under the CEO, or beneath other C-level executives.
In recent years, organizations have moved away from having the CISO reporting to the CIO, says Shumard. One reason may be a sense of conflict, as the position represents business interests focusing on the bottom line, while the CSO/CISO is more engaged in data protection. Also, compared to the past five or 10 years, security issues have gotten bigger and are more likely to impact more departments. Reporting to the CEO, COO or CTO reflects that security is interacting with almost every individual in the organization, says Shumard.
The numbers appear to back him up. According to a recent survey from analyst firm PricewaterhouseCoopers, when asked to whom they report, 63 percent of CISOs said the company CEO or board of directors. Less than a quarter of respondents said they report to the CIO. In fact, it appears the number of CISOs reporting directly to the CIO has dropped, while the number reporting to the CEO, COO and chief privacy officer has soared.
Further, more and more the position of the CISO requires someone who is able to discuss technical and security issues without getting bogged down with jargon. The role requires someone who is well-spoken and able to articulate strategy and security decisions. The CISO has to present the state of security to the board of directors and convey the big picture in a way that those who don't have the knowledge or experience to follow a technical explanation can still understand and consequently make informed decisions based on the information.
The CISO must be able to discuss security in terms of strategy, and define ways to accomplish goals better, cheaper, and faster, Shumard says.
Spectrum Health's Whiteside agrees, adding, “The most technical astute person in the organization is generally not the CISO.”
Success: What it takes
Eddie Schwartz, CISO at RSA, passed along some advice on what it takes for today's CISO/CSO to achieve success for an organization.
Security is not an island: Collaborate with other CISOs/CSOs in the industry to share what they are doing and learning from each other.
Decentralize security: Encourage business units to cultivate employees who can own security within their own department.
Skip the jargon: Discuss security in terms of business and strategy, not technology.
Make it invisible: Work security into business so that it is seamless, not bolted on as an afterthought.
Encourage innovation: Provide support, assistance and sometimes seed capital to encourage innovation among business units on implementing security initiatives.
Understand the business: Have a thorough understanding of what the company does and wants to do. Without it, there's no strategy.
Understand the adversary: Study who the “bad guys” are and where the threats are coming from in order to develop the right framework.
Justify security: Describe security as how it can add value to the company, not as ROI.