Some time ago, the concept of security moved from being merely information technology security, the IT department's responsibility, to information security: a corporate role within overall organizational governance. This shift has seen the emergence of the CISO role.
Traditionally, the CISO was an IT guy, more tech-savvy than business-savvy. Business decision makers routinely overrode security common sense and budgets, and used the lack of accountability to sign off on risks as a shortcut. In the last few years, this attitude has changed because of the penalties and penal provisions imposed by government regulation. This enhanced the CISO role, but only to the level of a compliance officer who did what was necessary to meet legal requirements and obtain the mandatory tick in the box.
Security goes beyond simple compliance. Today, it is almost impossible to create a new business process without the use of IT systems and applications. Business agility has become synonymous with the use of technology, and security is a key ingredient in ensuring that this newly adopted technology works with minimum risk.
In addition to conventional security challenges, the CISO faces an increasingly complex and targeted security landscape. This includes cyberprotests (such as those directed against businesses which denied fund transfers or hosting to Wikileaks) and cyberattacks on key organizations from across the border. There has also been a rise in insider threats due to recessionary layoffs, in targeted and rapidly mutating malware, and in state-sponsored theft of corporate intellectual property. In such a business environment, establishing security policy and obtaining adequate budget sanction to secure the business over and above compliance requires that a CISO acquire five quintessential skills.
Business acumen: Traditional security frameworks have been increasingly challenged by the innovative adaptation of business processes to gain competitive efficiency or extend market reach. CISOs need to be party to the development of these new business processes: able to understand business requirements, adapt security policymaking, and specify controls that mitigate risk without compromising business agility. A key requirement of business acumen is the CISO's ability to convey policy to executives at the Board and C levels in business language, not tech speak.
Technology understanding: Technology is unmistakably the key ingredient in business change. Technological innovation around cloud computing and mobile devices is about driving change in internal systems and methods to reach untapped customer segments. These changes externalize internal data flows once protected by the corporate security perimeter. CISOs need to be in tune not just with new technology, but also with surrounding risks and risk mitigation methods. The CISO has to work closely with IT and business teams to create technological alternatives that securely meet business objectives.
Negotiation: In the rush to launch a new business process or service, security is normally ignored or deprioritized if it affects budget or implementation time. A key skill of the CISO is to get involved early in the business decision process and skillfully negotiate trade-offs with business decision makers, appearing as a facilitator rather than a roadblock.
Cost and implementation focus: A significant number of CISOs, and the consulting firms they engage, have been content to function at the governance level, specifying policies, high-level controls and processes. This leaves the real complexity of detailing specific controls to security-naive business users, resulting in flawed implementation, cumbersome controls and higher operating costs. CISOs should be more hands-on, revisiting these controls and processes to reduce costs, enhance productivity and work collaboratively with business users. This will help the CISO create effective and efficient controls and processes aligned with business functions.
Customer advocacy: Although organizations invest in securing data and systems, customers are increasingly becoming victims of cyber crimes. A classic example is the banking industry, which invests heavily in data protection while its customers fall victim to phishing attacks, translating into negative customer opinion. CISOs in such industries need to become customer advocates: providing consumer guidance and education on cyber risks, precautions and tools.
About the author: Lucius Lobo is the director for security consulting at Tech Mahindra. A Certified Information Systems Security Professional (CISSP), he has close to 18 years of experience in the communications and security industries. Over the last few years, Lobo has been responsible for providing thought leadership and consultancy in developing security solutions for telecom companies across the globe. Lucius is also an active security blogger at www.luciusonsecurity.blogspot.com.
This was first published in February 2011.