The CISO role's keystones: Technology, business and risk
By Dhwani Pandya, Principal Correspondent
28 Jan 2010 | searchSecurity.in
Technology has traditionally been the information security department's stronghold. So identifying risk, creating a short term (as well as long term) security strategy, developing security architecture, ensuring planned implementations, and monitoring the state of security will always remain a CISO's key functions.
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By joining searchSecurity.in you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
TechTarget cares about your privacy. Read our Privacy Policy
Salvi feels that the business team's sponsorship and engagement are critical to meet a security project's intended goals. Hence the CISO must be able to negotiate the extent to which a technology solution can help. "Even though almost 80% of information security professionals at present come from a technology background, the trend is rapidly changing," says Salvi. As a result, CISOs now have an independent reporting line outside technology in business functions like risk and operations.
CISO and the business
Every CISO needs to remember that business is the main cause behind information security's existence. Just as you require powerful brakes to control a car's performance, you need a strong and robust risk assessment team for the business to move faster. At times, the CISO can be perceived as a hurdle to business innovations or projects. "Instead of being discouraged, the CISO should think of his job as an important value addition to the business process," explains Salvi.
As information security gets increasingly aligned with business, there may be several disagreements. Hence the age old laws of Indian diplomacy, "Saam, Daam, Dand, Bhed", are very relevant for the CISO's role. It's always good to first try and discuss things out between business and technology teams. However, certain things are not negotiable. Exceptions to security policy cannot be frequent in nature. In such cases, there is a need to rethink the policy.
To effectively service business, the CISO must understand business dynamics and nuances. He needs to communicate the value of security investments to management using the business' language. To this end, the CISO can also be called a chief information sales officer.
CISOs should articulate and build security metrics which can give quantifiable results. For example, every CISO should track aspects like the number of virus incidents stopped in a day, or downtime avoided due to security controls. While doing this, CISOs should balance the value of risk and cost of control. If business understands the language of cost, productivity and profit, then the CISO can explain security using that language.
| |||||||||||||||||
Learn to leverage risk
Risk is among a security initiative's critical drivers. So, along with business and technology, the CISO also needs to develop risk as his core expertise. To a large extent, regulation and compliance helps organizations to identify and mitigate risk with specified controls. The CISO needs to ensure that risk and compliance are well aligned; compliance need not be done just for its sake.
Healthy engagement with regulators (auditors) is essential to explain an enterprise's risk management and information security strategy. So the CISO should align risk assessment with the efforts of teams that undertake testing of security controls. An integrated approach to risk will help CIOS properly align compliance enforcement strategy, security controls, and auditor expectations.
Organizations may have to comply with multiple regulations. According to Salvi, the best approach is to take into account the requirements of all regulations, prepare a single framework for the organization, and develop security controls that map these regulations.
While articulating business value, risk should be imbibed in every discussion. Risk assessment and metrics are developed over time. Continuous improvement in this process brings maturity to how the organization perceives risk. Today, there are tools which can automate the entire process of risk assessment — from identification of risk till remediation. So it is very clear that next generation CISOs are expected to act as business and risk leaders, rather than being mere technology heads.