The CISO in 2014: Security Strategies for Building Confidence and Trust Amidst Uncertainty

I recently hosted a fascinating panel discussion with three of Europe’s top Chief Information Security Officers (CISOs). I was joined on a live webinar by Norway-based EVRY CISO Kaare Bjørn Martinussen; Paul Hyland, CISO for the Ireland-based Ardagh Group; and Carles Sole Pascual, information security director of Spain’s CaixaBank. This interactive discussion focused on today’s hottest security topics and what was top of mind with these CISOs in 2014. It was interesting for me — and I hope for our audience — to hear their unique insights about the specific challenges and the innovative ways their organizations are approaching today’s evolving threats.

The Changing Role of Today’s CISO

IBM has been doing some interesting work in recent years looking at the evolving role of the chief information security officer. We started that work in early 2012 when we published our “Feeling the Pressure” paper, in which information security leaders shared insights into how they were reinventing the role in the face of accelerating industry change.

We followed this work with our 2012 CISO Assessment, in which we looked in detail at more than 130 CISOs from around the world to gain deeper insight into this evolving role. In 2013, we continued this work with a further in-depth assessment, interviewing senior security leaders before publishing our latest paper, “A New Standard for Security Leaders.” The report focused on three areas: business practices, technology maturity and measurement capabilities. Three strong recommendations emerged:

  • Actively build trust at the C-level while broadly communicating an explicit security strategy.
  • Invest in mobile security and advanced technology to directly support the business.
  • Focus on the overall economic impact of risk.

Three Topics That Are Top of Mind for Chief Information Security Officers

With this backdrop, our expert panel discussed a number of key topics: the threat landscape, the role of the CISO, compliance and regulation, and investments and priorities for 2014. What really stood out is how fast the landscape is changing, and as I reflect on the discussion, I would posit that there are three main takeaways for every CISO:

  1. Organizations are being forced to plan and review far more frequently, moving from quarterly to monthly cycles. The panelists described far more consistent communication up the chain — they don’t just sit in the background. They must, and regularly do, talk to the business; they are “in their face,” as it were. This closer engagement with the business leads to budget buy-in and better business alignment. In security discussions it is important to be open but also correct: stay factual, because once accuracy slips, credibility suffers.
  2. From a technology standpoint, there was considerable discussion about the need for improved forensics. However, there is still much work to be done to understand what kind of forensics and what data are needed. Now and in the future, what do we need to collect on a daily basis?
  3. One other particularly interesting insight was the move by one of the panelists from an ISO 27001/2 stance towards a PCI mindset. It would be interesting to see whether other organizations are thinking the same way and to explore the benefits of such an approach in more depth.

These insights fuel the need for further discussion and debate, and I look forward to the next in our series of CISO webinars next quarter. On-demand playback for the webinar is live and can be accessed here.

Insights from the 2013 IBM Chief Information Security Officer Assessment
