The Evolving CISO Policy Role
As hacking attacks escalate, demanding media attention and costing businesses hundreds of millions of dollars, organizations are fighting back. Above all, they are learning to treat information security not just as a technical problem, but an ongoing challenge that extends across the enterprise.
Chief information security officers (CISOs) are emerging as the crucial players in the evolving understanding of security. Indeed, when the history of information security in the 21st century is written, the current era may well be recorded as the decade of the CISO.
The CISO and Growing External Threats
The changing role of information security in the enterprise is being driven by business leaders’ recognition of a rapidly evolving threat.
For the past three years, IBM has published its annual Chief Information Security Officer Assessment, which tracks CISOs’ perceptions of threats and how their organizations are responding. The most recent survey shows how external threats (hacking attacks) have pulled away and taken the lead from other security concerns.
The most recent high-profile attack on Sony Pictures Entertainment exemplifies the scope of this external threat. Risks are not confined to the most obvious potential victims, such as retailers, who must protect millions of customer account records. Any and all intellectual property is at risk of being compromised. The attackers may be motivated by financial gain, including extortion by threat of data destruction. Their motives can also extend to political causes or be sponsored by state intelligence agencies.
Security as a Policy Issue
Such ruthless and sophisticated attackers pose an existential threat to the enterprise. In response, as Brian Engle and Renee Guttman report at CSO Online, CISOs are being asked to provide technical knowledge and policy guidance. According to the National Association for Corporate Directors, “Cybersecurity is an enterprise-wide risk management issue, not just an IT issue.”
Engle and Guttman identify three key issues that enterprise leaders should consider in their security planning. They need to consider CISO access to top decision-makers and the overall governance of the security policy. They must also focus on training the next generation of security leaders, with emphasis on engaging board members and other key stakeholders.
Finally, while security breaches are driving headlines, enterprises cannot let headlines drive their security policies. Security must be proactive, not reactive to the most recent crisis.
Information security threats will continue to evolve, and the role of the CISO will evolve along with them. By bringing the CISO into the strategic discussion, enterprise leaders can keep their security framework pointing forward.