Published on March 8, 2016
As most senior security executives know, the era of locked-down, static security is over. In today's networked world, connectivity and collaboration in the commercial space matter more to the business than a tightly controlled perimeter.
This is not to say that security has lost its importance; it means the CISO's job has become considerably harder, a difficulty compounded by mobile devices, Bring Your Own Device (BYOD) cultures, and third-party relationships. There is also the perennial challenge of communicating security concerns to the rest of the C-suite, particularly the CEO.
The CISO must strike a balance: avoid impeding business operations while implementing risk-informed security strategies that protect the organization's critical information assets and the access paths to them. Taken together, the enormity of these tasks summons the image of Sisyphus pushing a boulder up the hill only to have it roll back before he reaches the summit.
Because the cyber threat environment is constantly changing, the CISO must adapt not only to new threats but also to the need to quickly reprioritize security considerations in response to them. In this context, the CISO is a hybrid: an individual who can think strategically but act operationally as the situation demands. Stepping effectively into either role depends on one thing above all, adaptability.
As the first quarter of 2016 comes to a close, here are some areas in which a CISO can demonstrate that adaptability, and with it value, for an organization navigating internal and external cyber challenges while trying to balance security against business needs:
Get in front of the CEO
According to recent reporting, most CISOs report to the Chief Information Officer rather than to the CEO, a reporting structure that must change because it hinders the education of the top decision makers on the risk that data breaches pose to the organization. Bridging the gap between the two improves the lines of communication through which the CISO can present, in a timely manner, both security considerations and potential opportunities that affect the business. Such discussions can cover threats to the organization and its networks, development of contingency plans and breach responses, and periodic reviews of compliance measures.
Be business-focused
In today's environment, the CISO cannot be solely technology-focused but must widen his aperture to take in the entire business. A narrow focus on technologies risks a slide back into static security practices. The CISO must now pursue more holistic solutions: creating and implementing security policies; training users to improve their situational awareness of cyber threats and their role in protecting the organization from them; devising security plans driven by risk management and the identification of key resources; and communicating the organization's exposure to specific cyber risks to the rest of the C-suite and the Board of Directors. Analyzing threats to the organization's networks is now just one component of what the CISO reviews in the course of protecting the company's business operations, preserving customer confidence, and safeguarding its brand.
Technology or people first
The CISO is involved in everything from policy to new technologies, and deciding whether to implement a technology first or first find the talent able to use it can become a chicken-and-egg problem.
According to a recent joint survey conducted by the Information Systems Audit and Control Association (ISACA) and the RSA Conference, 75 percent of the 461 respondents were confident in their team's ability to respond to security incidents, yet six in 10 of those same respondents did not believe their staffs could handle anything beyond a simple incident. Many analyses agree that the pool of qualified individuals able to take on the numerous responsibilities of maintaining an organization's cyber security posture is limited.
The CISO must therefore demonstrate adaptability not only in identifying, recruiting, and retaining the best people available, but also in ensuring they are trained in the responsibilities and obligations set out in the CISO's strategic plan.
Emerging technologies
The CISO must be cognizant of emerging technologies and the role they will ultimately play in the organization. In many instances a technology, however new, may not be the best fit for a particular company or business. The CISO must understand these technologies well enough to judge how they do or do not fit the way the organization conducts business.
For example, beyond network security, mobile devices, including BYOD and wearables, are becoming more accepted in the workplace, and mobile security has to keep pace. While the organization will likely prefer that employees use work-issued devices, the reality is that most people will use whatever IT resource is most convenient to get their jobs done.
Today's CISO is in the unique position of becoming an important conduit between the C-suite and the operators who keep an organization running. The position is a pivotal spoke in a large wheel, with visibility and influence over activities that range from tactical to strategic, that involve people as well as technologies, and that create policy as well as ensure compliance. In the face of so many challenges, the CISO's greatest asset is the adaptability not only to juggle so many diverse projects but also to help prioritize them in the way that makes the most sense for the business.
This article was originally posted on CSOOnline.com.