When people I'm just meeting for the first time ask me what I do it normally leads to the follow-up question of just what it is exactly that information security leaders do. The answer is never clear-cut.
If they were to ask me what optometrists do, for instance, I'd be able to say that this pro is all about undertaking whatever examinations or other medical procedures necessary to ensure the longevity and soundness of a patient's eyesight. A police officer? Well, as the old motto goes, they “protect and serve” the people of the communities in which they work.
Sure, I can say CISOs and the like safeguard their organizations' IT infrastructures and the critical data on them. And, yes, they do this. So, for a regular Joe or Jane, while this response is a bit simplistic, it provides them with an understandable gist. Still, this easy reply does little to get to an IT security exec's guiding aims and short- or long-term duties. Even the moniker given these professionals can change from company to company and, with it, the associated job description.
The field of information security, and the wider industry around it, is still somewhat nascent. Of course, both have evolved over time and continue to do so. Yet the sway of the CISO (or whatever title you wish to give this executive) varies from vertical market to vertical market and from company to company. This, however, is also changing, according to many practitioners.
Take, for example, a recent piece, “Should CISO Be Chief Risk Officer (CRO)?,” by Eric Chabrow at GovInfoSecurity, which included opinions from various CISOs noting that because IT security is one of the rare departments that touches all parts of the business, those leading it have a growing list of responsibilities, along with a widening and more impactful influence. Likewise, Brown University's CISO David Sherry was quoted last year as saying that the CISO role is evolving into that of the executive who accounts for risk across the entire organization and, as a result, must create programs, policies and processes across the board that meet specific IT security goals.
Indeed, in this month's edition of SC Magazine UK, Paul Swarbrick, former CISO for NATS, the UK's national air traffic service, and other CISOs go into some detail on how their roles have changed and will continue to do so as time wears on. To them, the changes involved are clearly being driven by the increased attention being paid to cyber security by the general public and their bosses alike. Says Mike Loginov, CEO and founder of Ascot Barclay Cyber Security Group and director for learning at the ISSA: “It's an exciting yet daunting time to be a security professional generally regardless of what part of the world one operates from or which industry sector is represented. The message that online and cyber security is a real issue with clear and present danger seems to be slowly getting through…”
Now, whether or not that is happening soon enough is something that Loginov (and many others, no doubt) believes must improve. The mere fact, though, that we are getting there after, say, 20 years or so shows we are certainly on the right track. Most agree that CISOs are at a crossroads now, with some jobs still requiring a pro to tick a box for compliance and others demanding a leader who can do the job that David Sherry describes. Perhaps in another handful of years, we will unvaryingly and thankfully see an abundance of the latter.