The CISO in 2014: Security Strategies for Building Confidence and Trust Amidst Uncertainty

I recently hosted a fascinating panel discussion with three of Europe’s top Chief Information Security Officers (CISOs). I was joined on a live webinar by Norway-based EVRY CISO Kaare Bjørn Martinussen; Paul Hyland, CISO for the Ireland-based Ardagh Group; and Carles Sole Pascual, information security director of Spain’s CaixaBank. This interactive discussion focused on today’s hottest security topics and what was top of mind with these CISOs in 2014. It was interesting for me — and I hope for our audience — to hear their unique insights about the specific challenges and the innovative ways their organizations are approaching today’s evolving threats.

The Changing Role of Today’s CISO

IBM has been doing some interesting work in recent years looking at the evolving role of the chief information security officer. We started that work in early 2012 when we published our “Feeling the Pressure” paper, in which information security leaders shared insights into how they were reinventing the role in the face of accelerating industry change.

We followed this work with our 2012 CISO Assessment, where we looked in detail at more than 130 CISOs from around the world to gain deeper insight into this evolving role. In 2013, we continued this work with a further in-depth assessment interviewing senior security leaders before publishing this latest paper, “A New Standard for Security Leaders.” The report focused on three areas: Business practices, technology maturity and measurement capabilities. Three strong recommendations emerged:

• Actively build trust at the C-level while broadly communicating an explicit security strategy.
• Invest in mobile security and advanced technology to directly support the business.
• Focus on the overall economic impact of risk.

Three Topics That Are Top of Mind for Chief Information Security Officers

With this backdrop, our expert panel discussed a number of key topics: The threat landscape, the role of the CISO, compliance and regulation and investments and priorities for 2014. What really stood out is how fast the landscape is changing, and as I reflect on the discussion, I would posit that there are three main take aways for every CISO:

1. Organizations are being forced to plan and review far more frequently, from quarterly to monthly. There was far more consistent communication up the chain by the panelists — they don’t just sit in the background. They must, and regularly do, talk to the business; they are “in their face,” as it were. This better engagement with the business leads to budget buy-in and better business alignment. It is important in security discussions to be open but also correct. Accuracy is important; stay factual, otherwise credibility suffers.
2. From a technology standpoint, there was considerable discussion about the need for improved forensics. However, there is still much work to be done to understand what kind of forensics and data are needed. Now and in the future, what do we need to collect on a daily basis?
3. One other particularly interesting insight was the move by one of the panelists from a 27001/2 stance towards a PCI mindset. It would be interesting to see whether other organizations are thinking the same way and get deeper into the benefits of such an approach.

These insights fuel the need for further discussion and debate, and I look forward to the next in our series of CISO webinars next quarter. On-demand playback for the webinar is live and can be accessed here.

Insights from the 2013 IBM Chief Information Security Officer Assessment