Today's CSO/CISO must effectively communicate to senior leaders about the need for security, reports Fahmida Y. Rashid.

When Larry Whiteside came to Spectrum Health seven months ago as the health care nonprofit's first chief information security officer (CISO), he knew leaders within the organization had certain expectations for the newly created role. As the CISO and director of enterprise IT security, risk and compliance, he would be reporting to the chief technology officer (CTO) and managing the company's security strategy.
In the months since, Whiteside has redefined those expectations. Executives were thinking about the technology side of security, not realizing that there is more to it than software, equipment and networks, Whiteside says. A security officer needs to focus on people, process and policies, too. He has made it clear that despite reporting to the CTO, he needs to work with other divisions and focus on the non-technology areas of the organization as well.
“A good CISO will help the rest of the business understand more about what they need, compared to what they thought they needed,” Whiteside says.
Additionally, the emphasis within the security manager's role has changed, says Eddie Schwartz, CISO of RSA, a Bedford, Mass.-based security company. CISOs and CSOs are now expected to focus on protecting what is valuable to the organization, Schwartz says: there is a greater focus on intangible assets and on keeping intruders out, and not as much on compliance.
Nearly 25 percent of security chiefs surveyed in May by IBM in its “CISO Assessment 2012” were shifting from a technology focus to a strategic business leadership role. Security leaders also said they were paying more attention to risk management, spending more of their time on reducing potential future risk and less on mitigating current threats and managing regulatory and compliance issues, says David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights.