When Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) talk, people listen, as evinced by the monthly Twitter #infosecChat hosted by IBM Security team on June 17, 2014. The chat was based around key questions business leaders are asking on whether today’s CISO is an influencer, protector or responder. In typical Twitter fashion, the questions came fast and the responses faster — all in 140 characters or less.
1. What is the single most important thing CISOs should be focusing on today?
Three primary threads evolved from the discussion about what is top of mind for the CISO. First was the need to address awareness, brought forward by the CISO of IBM Research Bill Rippon, to which many offered their voices in agreement. The second was the need to focus on the maturity level of the security team and its infrastructure, which was raised by System Architect David Cygan. The last was the need to be able to communicate at both the team level and at the C-level, which served to shine a spotlight on the need for the CISO to be equal parts security and marketing professional. This discussion generated over 20 tweets from a variety of other participants, offering a diverse perspective and demonstrating how the “single most important” list of things that need attention is oftentimes dependent upon one’s perspective and position at that precise moment in time.
2. What is the biggest challenge for CISOs today?
The biggest challenge identified by Jerry Gamblin, self-proclaimed “security geek” for the Missouri State Capitol, as the “unknown unkowns.” Meanwhile, Investec IT Risk Manager Rob Bainbridge noted that the CISO was responsible for articulating the risk profile to the key stakeholders. IBM Engineer Allan R. Tate reiterated the need for the CISO to articulate the business value of security and to ensure that it does not remain a hidden topic. Aliye Ergulen, marketing manager for IBM’s Information Lifecycle Governance Global Solution, highlighted the challenge of keeping up with the “nexus of forces: Mobile, social, cloud, big data and analytics.” Security Research Lead for IBM X-Force Zubair Ashraf put a ribbon around the topic, emphasizing the need for an incident response plan, punctuating the comment with an observation from boxer Mike Tyson: “Everyone has a plan until they get punched in the mouth.”
3. What sort of experience and skills does a CISO need to have?
— Alex Stamos (@alexstamos) June 17, 2014
The responses highlight the need for excellent communications skills, both laterally and to company leadership, augmented by a healthy mix of hard experience, an ability to see the big picture and in-depth knowledge of the security domain. Yahoo CISO Alex Stamos added how important it is for CISOs at enterprises with product offerings to deeply understand the product(s). Andy Ellis, CSO for Akamai, underscored the need for the CISO to be willing to learn new skills, paradigms and technologies.
4. What is the difference between a CISO and a CRO?
The differences between a CISO and a chief risk officer (CRO) were highlighted by a number of participants, with Marin Ivezic, head of Financial Services at IBM Security Services, noting that the CRO engages in risk qualification and governance while the functions of the CISO involve the qualitative aspects of most of the operations and management. There was a consensus that both the CISO and CRO are involved in identifying and mitigating risks, though there is no uniform standard in the industry on the division of roles and responsibilities between the two positions.
5: What is the value proposition for a CISO? Should it be a mandatory role for every organization?
The age-old adage “the proof is in the pudding” seems to be appropriate when describing the role of the CISO in any organization; and if not the CISO, then who? As IBM Product Manager Rick Robinson asserts, infosec responsibilities still exist, regardless of the existence of a CISO. The chief security officer (CSO), chief information officer (CIO) or chief executive officer (CEO) are all viable contenders for addressing the responsibilities one would normally associate with the CISO.
6: Should IT security be a business enabler?
The overwhelming consensus from the #infosecChat is that IT security is a business enabler. Gamblin likened the role of IT security to the brakes on a car: They don’t help you go any faster, but they may stop you from wrecking. This resulted in an incredible discussion that’s worth reading here.
7: Are CISOs influencers, protectors or responders in the enterprise?
Tech industry analyst Alea Fairchild posits that the CISO should wear the hats of both the influencer and protector, and the role of responder should be delegated to members of the CISO team. However, a vocal minority noted that the CISO should be prepared to be a responder as the situation warrants.
The CISO: Influencer, Protector and Responder
In sum, the #infosecCHAT discussion indicates that the majority of attendees see the role of the CISO as one of business influencer, protector and, at times, responder. The CISO must have a mixed bag of skills, including the ability to fill a seat at the leadership table, articulate the state of information security to the company stakeholders and lead employees in the concepts of security, ensuring that no individual is forgotten. Leadership includes ensuring comprehensive risk analysis to identify gaps, integration of appropriate security tools and analysis capabilities and steering the company toward a more security-aware culture.
The Twitter handles for some participants have been provided above, and the following are provided for completeness: Rod Alvarenga, Marcel Santilli, Ajay Dholakia, Holly Nielsen, Viivo, Diana Kelley, Compumech, Brandi Boatner, IBM Smarter Leaders, Mark Silver, Bob Falconi, Pete Lindstrom and Prakash Binwal.