When Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) talk, people listen, as evinced by the monthly Twitter #infosecChat hosted by the IBM Security team on June 17, 2014. The chat was built around key questions business leaders are asking about whether today’s CISO is an influencer, protector or responder. In typical Twitter fashion, the questions came fast and the responses faster, all in 140 characters or fewer.
1. What is the single most important thing CISOs should be focusing on today?
Three primary threads emerged from the discussion about what is top of mind for the CISO. The first was the need to address awareness, raised by Bill Rippon, CISO of IBM Research, and seconded by many others. The second was the need to focus on the maturity level of the security team and its infrastructure, raised by System Architect David Cygan. The third was the need to communicate both at the team level and at the C-level, which put a spotlight on the CISO having to be equal parts security and marketing professional. This question generated over 20 tweets from a variety of other participants, offering diverse perspectives and demonstrating that the “single most important” thing needing attention often depends on one’s perspective and position at that precise moment in time.
#Ciso should be focusing on their Security Maturity Level, and then building their integrated approach to thwart attackers! #InfosecChat
— David Cygan (@gwbdmc) June 17, 2014
A1: Risk management. Without that, you’re just putting out fires in respond mode @ibmsecurity #infosecchat
— Diana Kelley (@dianakelley14) June 17, 2014
2. What is the biggest challenge for CISOs today?
A2. Hard to be successful when organisations have an average of 85 tools from 45 vendors. I think I would struggle #infosecchat @IBMSecurity
— Martin Borrett (@borretm) June 17, 2014
A2: The biggest challenge for CISOs today is (to quote Donald Rumsfeld) the unknown unknowns that you can’t plan for. #infosecchat
— Jerry Gamblin (@JGamblin) June 17, 2014
Jerry Gamblin, self-proclaimed “security geek” for the Missouri State Capitol, identified the biggest challenge as the “unknown unknowns.” Meanwhile, Investec IT Risk Manager Rob Bainbridge noted that the CISO is responsible for articulating the risk profile to the key stakeholders. IBM Engineer Allan R. Tate reiterated the need for the CISO to articulate the business value of security and to ensure that it does not remain a hidden topic. Aliye Ergulen, marketing manager for IBM’s Information Lifecycle Governance Global Solution, highlighted the challenge of keeping up with the “nexus of forces: Mobile, social, cloud, big data and analytics.” Zubair Ashraf, Security Research Lead for IBM X-Force, put a ribbon around the topic by emphasizing the need for an incident response plan, punctuating the comment with an observation from boxer Mike Tyson: “Everyone has a plan until they get punched in the mouth.”
@IBMSecurity A2: contd… IR Plan – As the famous boxer said, everyone has a plan until they get punched in the face – #infosecCHAT
— Zubair Ashraf (@zashraf1337) June 17, 2014
@joshcorman @csoandy @IBMSecurity Q2: What is the biggest challenge for CISOs today? < (1) Prioritizing Risks and (2) Influence.
— Ron W (@RonW123) June 17, 2014
3. What sort of experience and skills does a CISO need to have?
@IBMSecurity The old-school CISO that looks at risks from a compliance standpoint is toast in the current threat environment. #infosecchat
— Alex Stamos (@alexstamos) June 17, 2014
A3: Today’s CISO needs a healthy mix of soft skills, hard experience, and in-depth knowledge. Political skills required. #infosecchat
— compumech (@compumech) June 17, 2014
A3: Every good CISO needs to have experience watching a room full of toddlers while house breaking a puppy. #infosecchat
— Jerry Gamblin (@JGamblin) June 17, 2014
#infosecchat @ThinkBluePR Learn what motivates peers and align your problems to their goals.
— Andy Ellis (@csoandy) June 17, 2014
The responses highlight the need for excellent communications skills, both laterally and to company leadership, augmented by a healthy mix of hard experience, an ability to see the big picture and in-depth knowledge of the security domain. Yahoo CISO Alex Stamos added how important it is for CISOs at enterprises with product offerings to deeply understand the product(s). Andy Ellis, CSO for Akamai, underscored the need for the CISO to be willing to learn new skills, paradigms and technologies.
#infosecchat A3: Also, ability to learn (new skills, paradigms, technologies) and teach.
— Andy Ellis (@csoandy) June 17, 2014
4. What is the difference between a CISO and a CRO?
The differences between a CISO and a chief risk officer (CRO) were highlighted by a number of participants. Marin Ivezic, head of Financial Services at IBM Security Services, noted that the CRO focuses on risk qualification and governance, while the CISO’s functions cover the qualitative, day-to-day aspects of operations and management. There was a consensus that both the CISO and the CRO are involved in identifying and mitigating risks, though there is no uniform industry standard on how roles and responsibilities are divided between the two positions.
A4: CISO main function is to make sure things get done securely. CRO main function is to raise as many red flags as possible. #infosecchat
— Jerry Gamblin (@JGamblin) June 17, 2014
CISOs should not be setting the total risk appetite for the entire org, that’s a board level job #infosecchat
— Diana Kelley (@dianakelley14) June 17, 2014
A4 #infosecchat But if I saw them, I’d guess the CISO came from IT/networks/engineering and CRO from Internal Audit/Legal.
— Andy Ellis (@csoandy) June 17, 2014
5. What is the value proposition for a CISO? Should it be a mandatory role for every organization?
The age-old adage “the proof is in the pudding” seems appropriate when describing the role of the CISO in any organization; and if not the CISO, then who? As IBM Product Manager Rick Robinson asserts, the information security responsibilities still exist whether or not there is a CISO. The chief security officer (CSO), chief information officer (CIO) or chief executive officer (CEO) are all viable candidates for taking on the responsibilities one would normally associate with the CISO.
A5: Every organization needs someone ultimately responsible for security. Titles mean little. #Infosecchat
— Jerry Gamblin (@JGamblin) June 17, 2014
@IBMSecurity A5. Absolutely! The #CISO role needs a dedicated focus, not just an “add-on” to another role. #infosecchat
— Pamela Cobb (@PamCobb_IBM) June 17, 2014
@MarkSilver #infosecchat Great question. Reporting into biz side gives nice separation from CIO, but CISO often drives IT solutions too.
— Bill Rippon (@dirkbjr) June 17, 2014
6. Should IT security be a business enabler?
The overwhelming consensus from the #infosecChat is that IT security is a business enabler. Gamblin likened the role of IT security to the brakes on a car: They don’t help you go any faster, but they may stop you from wrecking. This sparked a lively discussion in the chat thread that is worth reading in full.
A6: ITSec is definitely a business enabler. Look at how Volvo and Subaru use vehicle safety as a competitive advantage. #infosecchat
— Rick Robinson (@rickcipher) June 17, 2014
“@JGamblin: A6: …They don’t help you go any faster.. #infosecchat” <- how fast would you go w/out brakes?
— Pete Lindstrom (@SpireSec) June 17, 2014
7. Are CISOs influencers, protectors or responders in the enterprise?
Tech industry analyst Alea Fairchild posits that the CISO should wear the hats of both influencer and protector, and that the role of responder should be delegated to members of the CISO’s team. However, a vocal minority noted that the CISO should be prepared to act as a responder when the situation warrants it.
#infosecchat I feel that CISOs are more often in the role of protector and responder and not enough weight in certain orgs as influencer
— Bill Rippon (@dirkbjr) June 17, 2014
@IBMSecurity A7. #CISOs are both influencers and protectors, pro-actively should not be responders. #infosecchat
— Alea Fairchild (@AFairch) June 17, 2014
A7. Influencers, protectors, AND responders. There will be no dull #CISO moment with IoT digital and physical mashed. #infosecchat
— AliyeErgulen (@AliyeErgulen) June 17, 2014
@IBMSecurity #infosecchat They should be influencers managing the protectors, but more often than not they’re responders..
— Jason J Wallace (@hoiioh) June 17, 2014
#infosecchat A7. Be in a position to influence the org. Provide right level of protection for the biz. Need to be in a position to respond
— Bill Rippon (@dirkbjr) June 17, 2014
A7: None or all of those. Most importantly, they DO practical stuff and are in touch with their business #infosecchat
— rob bainbridge (@rob_bainbridge) June 17, 2014
The CISO: Influencer, Protector and Responder
In sum, the #infosecCHAT discussion indicates that the majority of attendees see the role of the CISO as one of business influencer, protector and, at times, responder. The CISO must bring a mixed bag of skills: the ability to fill a seat at the leadership table, to articulate the state of information security to company stakeholders and to lead employees in the concepts of security, ensuring that no individual is overlooked. Leadership includes ensuring comprehensive risk analysis to identify gaps, integrating appropriate security tools and analysis capabilities and steering the company toward a more security-aware culture.
@JGamblin thanks Jerry, we really appreciate the contribution. We have a writer working on a recap as we speak. #infosecchat
— IBM Security (@IBMSecurity) June 18, 2014
Surprisingly good #infosecchat with @ibmsecurity. Hope we aren’t in our echo chamber only 😉
— Iftach Ian Amit (@iiamit) June 17, 2014
I found the chat interesting as well #infosecchat
— Gregory S. Boyle (@2muchwork) June 17, 2014
The Twitter handles for some participants have been provided above; the following participants are listed for completeness: Rod Alvarenga, Marcel Santilli, Ajay Dholakia, Holly Nielsen, Viivo, Diana Kelley, Compumech, Brandi Boatner, IBM Smarter Leaders, Mark Silver, Bob Falconi, Pete Lindstrom and Prakash Binwal.