CISO: The Current Role and Position

The Chief Information Security Officer (CISO) is usually the one who takes the blame when anything goes wrong with cyber security in a company. Years ago, the CISO was seen as an IT security administrator. Over the last few years, the role has come to be seen as a high-level risk management position.

As an IT administrator, the CISO used to babysit the firewalls, negotiate with software vendors over antivirus updates, and clean spyware off infected laptops. For some CISOs that is still the job today. For most, however, the responsibility has shifted to looking at the big picture and designing a program that balances the risks the business can accept against those it cannot, which is why the CISO can now be considered a senior management position. In practice, the CISO builds a team that handles the technical tasks and monitors whether the program is working.

One CISO in the health care industry, Eric Cowperthwaite, agreed that security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, which focuses narrowly on technology controls within the IT organization), compliance training and awareness, and so forth. So things that security practitioners have long said were part of security are now also expected to be accomplished. Essentially, the CISO has become a permanent part of the group sitting at the table deciding how the company does business. The CISO leads the security function within the business, and that function is now viewed as a necessary part of the business rather than something given lip service to keep the regulators away but otherwise ignored. This is a significant and powerful change in the role of the CISO.

The sad thing is that, although most people in CISO and CTO roles think they deserve a seat at the same table as the CEO, CFO and COO, people in non-technical positions do not believe the CISO belongs at the same level as the other executives. According to a survey conducted by Techpro, most non-technical employees still presume that the CISO does not have a large impact on the company. However, they do agree that the CISO brings about some change in the organization, in collaboration with other parties.

Frankly, the main job of today's CISO is knowing how to prioritize. This boils down to understanding the business's risks and applying risk mitigation with the right recipe of people, processes and technology. The program portfolio should be a mixture of tried, true and stable investments, with a touch of cutting-edge technology to reassure the business that the company is on the right track.

In order to manage all of this properly, the savvy CISO must apply business fundamentals such as project management (to produce tangible results and manage resources effectively) and cost-benefit analysis (to justify decisions). Decisions should be based on industry research, comparative analysis and direct engagement with all stakeholders. It is important that the CISO can speak the same language as the other executives in order to improve the organization's security posture and get changes implemented. The CISO also needs to understand organizational behavior and good GRC (governance, risk and compliance) practices to survive the inevitable pressure from the business to move faster.

It is clear that the CISO's role and main job have shifted from year to year. Unfortunately, it looks like it will take some more years before the CISO is perceived as an equal of the other executive functions.