When Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) talk, people listen, as evinced by the monthly Twitter #infosecChat hosted by the IBM Security team on June 17, 2014. The chat was based around key questions business leaders are asking on whether today’s CISO is an influencer, protector or responder. In typical Twitter fashion, the questions came fast and the responses faster — all in 140 characters or less.

1. What is the single most important thing CISOs should be focusing on today?

Three primary threads evolved from the discussion about what is top of mind for the CISO. First was the need to address awareness, brought forward by IBM Research CISO Bill Rippon, to which many offered their voices in agreement. The second was the need to focus on the maturity level of the security team and its infrastructure, which was raised by System Architect David Cygan. The last was the need to be able to communicate at both the team level and at the C-level, which served to shine a spotlight on the need for the CISO to be equal parts security and marketing professional. This discussion generated over 20 tweets from a variety of other participants, offering a diverse perspective and demonstrating how the “single most important” list of things that need attention is oftentimes dependent upon one’s perspective and position at that precise moment in time.

#Ciso should be focusing on their Security Maturity Level, and then building their integrated approach to thwart attackers! #InfosecChat — David Cygan (@gwbdmc) June 17, 2014

A1: Risk management without that, you’re just putting out fires in respond mode @ibmsecurity #infosecchat — Diana Kelley (@dianakelley14) June 17, 2014

2. What is the biggest challenge for CISOs today?

A2. Hard to be successful when organisations have an average of 85 tools from 45 vendors. I think I would struggle #infosecchat @IBMSecurity — Martin Borrett (@borretm) June 17, 2014

A2: The biggest challenge for CISOs today is (to quote Donald Rumsfeld) the unknown unknowns that you can’t plan for. #infosecchat — Jerry Gamblin (@JGamblin) June 17, 2014

The biggest challenge identified by Jerry Gamblin, self-proclaimed “security geek” for the Missouri State Capitol, was the “unknown unknowns.” Meanwhile, Investec IT Risk Manager Rob Bainbridge noted that the CISO was responsible for articulating the risk profile to the key stakeholders. IBM Engineer Allan R. Tate reiterated the need for the CISO to articulate the business value of security and to ensure that it does not remain a hidden topic. Aliye Ergulen, marketing manager for IBM’s Information Lifecycle Governance Global Solution, highlighted the challenge of keeping up with the “nexus of forces: Mobile, social, cloud, big data and analytics.” Security Research Lead for IBM X-Force Zubair Ashraf put a ribbon around the topic, emphasizing the need for an incident response plan, punctuating the comment with an observation from boxer Mike Tyson: “Everyone has a plan until they get punched in the mouth.”

@IBMSecurity A2: contd… IR Plan – As the famous boxer said, everyone has a plan until they get punched in the face – #infosecCHAT — Zubair Ashraf (@zashraf1337) June 17, 2014

@joshcorman @csoandy @IBMSecurity Q2: What is the biggest challenge for CISOs today? < (1) Prioritizing Risks and (2) Influence. — Ron W (@RonW123) June 17, 2014

3. What sort of experience and skills does a CISO need to have?

@IBMSecurity The old-school CISO that looks at risks from a compliance standpoint is toast in the current threat environment. #infosecchat — Alex Stamos (@alexstamos) June 17, 2014

A3: Today’s CISO needs a healthy mix of soft skills, hard experience, and in-depth knowledge. Political skills required. #infosecchat — compumech (@compumech) June 17, 2014

A3: Every good CISO needs to have experience watching a room full of toddlers while house breaking a puppy. #infosecchat — Jerry Gamblin (@JGamblin) June 17, 2014

#infosecchat @ThinkBluePR Learn what motivates peers and align your problems to their goals. — Andy Ellis (@csoandy) June 17, 2014

The responses highlight the need for excellent communications skills, both laterally and to company leadership, augmented by a healthy mix of hard experience, an ability to see the big picture and in-depth knowledge of the security domain. Yahoo CISO Alex Stamos added how important it is for CISOs at enterprises with product offerings to deeply understand the product(s). Andy Ellis, CSO for Akamai, underscored the need for the CISO to be willing to learn new skills, paradigms and technologies.

#infosecchat A3: Also, ability to learn (new skills, paradigms, technologies) and teach. — Andy Ellis (@csoandy) June 17, 2014

4. What is the difference between a CISO and a CRO?

The differences between a CISO and a chief risk officer (CRO) were highlighted by a number of participants, with Marin Ivezic, head of Financial Services at IBM Security Services, noting that the CRO engages in risk qualification and governance while the functions of the CISO involve the qualitative aspects of most of the operations and management. There was a consensus that both the CISO and CRO are involved in identifying and mitigating risks, though there is no uniform standard in the industry on the division of roles and responsibilities between the two positions.

A4: CISO main function is to make sure things get done securely. CRO main function is to raise as many red flags as possible. #infosecchat — Jerry Gamblin (@JGamblin) June 17, 2014

CISOs should not be setting the total risk appetite for the entire org, that’s a board level job #infosecchat — Diana Kelley (@dianakelley14) June 17, 2014

A4 #infosecchat But if I saw them, I’d guess the CISO came from IT/networks/engineering and CRO from Internal Audit/Legal. — Andy Ellis (@csoandy) June 17, 2014

5: What is the value proposition for a CISO? Should it be a mandatory role for every organization?

The age-old adage “the proof is in the pudding” seems to be appropriate when describing the role of the CISO in any organization; and if not the CISO, then who? As IBM Product Manager Rick Robinson asserts, infosec responsibilities still exist, regardless of the existence of a CISO. The chief security officer (CSO), chief information officer (CIO) or chief executive officer (CEO) are all viable contenders for addressing the responsibilities one would normally associate with the CISO.

A5: Every organization needs someone ultimately responsible for security. Titles mean little. #Infosecchat — Jerry Gamblin (@JGamblin) June 17, 2014

@IBMSecurity A5. Absolutely! The #CISO role needs a dedicated focus, not just an “add-on” to another role. #infosecchat — Pamela Cobb (@PamCobb_IBM) June 17, 2014

@MarkSilver #infosecchat Great question. reporting into biz side gives nice separation from CIO, but CISO often drives IT solutions too. — Bill Rippon (@dirkbjr) June 17, 2014

6: Should IT security be a business enabler?

The overwhelming consensus from the #infosecChat is that IT security is a business enabler. Gamblin likened the role of IT security to the brakes on a car: They don’t help you go any faster, but they may stop you from wrecking. This prompted a lively discussion that is worth reading in full.

A6: ITSec is definitely a business enabler. Look at how Volvo and Subaru use vehicle safety as a competitive advantage. #infosecchat — Rick Robinson (@rickcipher) June 17, 2014

“@JGamblin: A6: …They don’t help you go any faster… #infosecchat” <- how fast would you go w/out brakes? — Pete Lindstrom (@SpireSec) June 17, 2014

7: Are CISOs influencers, protectors or responders in the enterprise?

Tech industry analyst Alea Fairchild posits that the CISO should wear the hats of both the influencer and protector, and the role of responder should be delegated to members of the CISO team. However, a vocal minority noted that the CISO should be prepared to be a responder as the situation warrants.

#infosecchat I feel that CISOs are more often in the role of protector and responder and not enough weight in certain orgs as influencer — Bill Rippon (@dirkbjr) June 17, 2014

@IBMSecurity A7. #CISOs are both influencers and protectors, pro-actively should not be responders. #infosecchat — Alea Fairchild (@AFairch) June 17, 2014

A7. Influencers, protectors, AND responders. There will be no dull #CISO moment with IoT digital and physical mashed. #infosecchat — AliyeErgulen (@AliyeErgulen) June 17, 2014

@IBMSecurity #infosecchat They should be influencers managing the protectors, but more often than not they’re responders. — Jason J Wallace (@hoiioh) June 17, 2014

#infosecchat A7. Be in a position to influence the org. Provide right level of protection for the biz. Need to be in a position to respond — Bill Rippon (@dirkbjr) June 17, 2014

A7: None or all of those. Most importantly, they DO practical stuff and are in touch with their business #infosecchat — rob bainbridge (@rob_bainbridge) June 17, 2014

The CISO: Influencer, Protector and Responder

In sum, the #infosecCHAT discussion indicates that the majority of attendees see the role of the CISO as one of business influencer, protector and, at times, responder. The CISO must have a mixed bag of skills, including the ability to fill a seat at the leadership table, articulate the state of information security to the company stakeholders and lead employees in the concepts of security, ensuring that no individual is forgotten. Leadership includes ensuring comprehensive risk analysis to identify gaps, integration of appropriate security tools and analysis capabilities and steering the company toward a more security-aware culture.

@JGamblin thanks Jerry, we really appreciate the contribution. We have a writer working on a recap as we speak. #infosecchat — IBM Security (@IBMSecurity) June 18, 2014

Surprisingly good #infosecchat with @ibmsecurity. Hope we aren’t in our echo chamber only 😉 — Iftach Ian Amit (@iiamit) June 17, 2014

I found the chat interesting as well #infosecchat — Gregory S. Boyle (@2muchwork) June 17, 2014

The Twitter handles for some participants have been provided above, and the following are provided for completeness: Rod Alvarenga, Marcel Santilli, Ajay Dholakia, Holly Nielsen, Viivo, Diana Kelley, Compumech, Brandi Boatner, IBM Smarter Leaders, Mark Silver, Bob Falconi, Pete Lindstrom and Prakash Binwal.
