CISO value proposition
Matthew Hackling
So you are a CIO or perhaps a CRO? Well it's definitely time to hire a Chief Information Security Officer (CISO). Debate still rages as to whether a single position can cover all of the responsibilities for security in a large institution, but the position of CISO is already well established.
Perhaps an outage caused by a security incident reveals a gap in organisational capability that needs to be filled. Or maybe one of those pesky auditors raised a finding requiring you to get one? Whatever the impetus, by now, at the very least, you’re probably tossing up the proposition.
What is the value proposition for a CISO?
1. Board level representation for information security.
Major visible information security incidents don't happen very often, but when they do they cause major disruption, brand damage and financial loss. The CISO acts as an advocate for information security so that this important aspect of an organisation is not overlooked. This can occur because other operational risks are easier to quantify (e.g. lack of a hot pair of data centres) or occur with more frequency (e.g. credit card fraud), while information security risks "drown” in the noise.
2. Holding the CIO to account on information security
The CIO is tasked primarily with delivering timely projects, increasing efficiency and (above all) reducing costs. Some CIOs like to take short cuts, and take on more risk than is prudent. The CISO can influence the CIO and help him realise that security wants to help him get to his objectives as quick as possible, whilst also maintaining management's preferred risk profile.
3. Ultimate responsibility for information security
The CISO owns all the problems that come with information security and actively manages personnel mix, culture and performance. Importantly, he or she is responsible for security incidents and all the challenges that come with them. For example, the CISO may be involved in responding to a major security incident, and then developing strategies to minimise the risk of that type of incident occurring again. Additionally, the CISO will be responsible for closing external or internal audit issues related to information security by shaping the security strategy to address these issues.
It’s important to note that the CISO, not auditors, needs to be in the driver's seat in terms of information security. The CISO should push back on inappropriate audit issues.
The CISO's security strategy should look beyond compliance to establishing a security risk profile appropriate for the organisation and aligned with the risk appetite of senior stakeholders.
4. Securing funding for information security
The CISO needs to act as an advocate for his team and the security strategy with the CFO and all relevant stakeholders in the C-Suite, audit committee etc. The CISO needs to have an "elevator pitch" ready and tailored for each stakeholder and their own outlook, motivations and personal objectives, as well as at least one detailed funding proposal each financial year.
The CISO must establish trust early in their tenure through a quick win or two, and act as a trusted advisor with confidence, integrity and humility. Without someone to put forward the case for information security against other competing priorities, appropriate funding will not be allocated and the security strategy will stall.
What sort of experience and skills does a CISO need to have? You are going to need this to write a decent job description, develop selection criteria and evaluate candidates for the role.
1. Program management experience and track record The CISO will need to be able to manage and drive execution on an information security program. Aspects such as management of budget are key at this level.
2. Project management experience The information security program will be composed of other budgets so the CISO must be familiar with the "building blocks" of project management such as tracking progress on deliverables, tracking dates, recording risks and taking mitigating actions.
3. Security architecture understanding The CISO will have to possess a base understanding of security architecture concepts in infrastructure and applications. This is so he/she will be able to keep a tight rein on the enterprise security architect, one of the CISO's direct reports. Some exposure to SABSA or similar would be beneficial.
4. Enterprise architecture exposure In order to assist the enterprise security architect in melding the security architecture into the organisation's enterprise architecture, the CISO must have a base understanding of the architectural concepts in use. Some exposure to TOGAF or similar could be helpful.
5. IT best practices experience (ITIL etc.) The CISO must understand the core IT processes of change management, release management and so on, so they can help secure them. For example, the security function should have oversight of high risk changes and critical application releases.
6. Security governance understanding An understanding of how to perform security risk assessments and other key security governance activities is essential. This way the CISO can identify gaps in capability to close in their information security program and keep internal audit happy.
7. Security operations understanding Knowing which activities should be under way in a security operations team as part of business as usual operations, is essential. This enables the CISO to fix gaps, improve situational awareness and close immediate exposures.
8. Security incident management and media training The CISO should have managed a security incident before and have had media training so they know not to talk "off message" to press.
9. Professional certification and education You would expect a CISO to hold a professional certification such as CISSP or CISM and have tertiary education in information security ( eg. A bachelors or master’s degree in information security would be ideal, or perhaps a post graduate award.). An MBA or similar would be desirable.
Other attributes key to the success of the CISO:
•The ability to influence executives (including gaining commitment for allocating funds to the information security operational and project budgets).
•The ability to drive change (including performance management of personnel).
•The ability to make hard choices (including terminating grossly non-performing personnel or service providers).
What will you task them with?
What will their first week, first month and first quarter activities look like?
First week
•Meet the people in information security roles •What is the size of the IT security / information security budget. How is it sliced up? Is there a budget? •Are there any ongoing security projects? When was the last refresh of security infrastructure? •Are there any open audit findings for information security to address? •Meet information security stakeholders, CIO, CRO,CFO.
First month
•Read the risk register/s. •Read the existing security strategy. •Read the existing policy, standards, processes and procedures for security governance and operations functions. •Read performance reviews of personnel and have one on one meetings with direct reports. •Read internal and external security assessments undertaken.
Follow @CSO_Australia and sign up to the CSO Australia newsletter.
First quarter • Meet one on one with information security stakeholders and establish regular catch-ups. • Develop or tune existing information security strategy. • Develop funding proposal for security strategy. • Perform assessments of any areas that have not been covered. • Launch projects to provide visibility of security risk profile and improve situational awareness if required.