CISO's Challenge: Security & Risk

Security Leaders Take on Dual Responsibilities

October 23, 2012.

CISOs increasingly are asked to manage both information security and risk. What new skills and tools do they need to juggle the dual role? David Sherry, CISO of Brown University, shares his views.

Why the combined role for CISOs? Sherry explains:

"Enterprises are recognizing the need to have somebody responsible for privacy and compliance issues, but resources are tight," Sherry says. "As security has proven itself and become more of a strategic player in the success of an enterprise, utilizing the security role and its proven success in risk management has been seen as an emerging trend."

In response to this trend, Wisegate, a private association of senior IT leaders, commissioned a study titled CISOs Share Advice on Managing Both Information Security & Risk. Among the key findings: While organizations increasingly combine security and risk management roles, the trend creates some natural tension.

"Risk involves the balancing of risks and available resources, while security must focus on securing [all] the information," says Sherry, a member of Wisegate. "There's also some tension between risk and the legal requirements that mandate some of [the risks] to be acted upon whether the organization wishes to do so or not."

But working through these tensions is to the benefit of organizations and leaders alike, Sherry says.

"It wasn't that long ago we were seeking relevance as a discipline," he says. "Now we're being considered for an expanded role."

In an interview about the CISO's evolving role, Sherry discusses:

  • The challenges of managing both information security and risk;
  • Essential skills and tools for the evolving CISO;
  • Advice for tomorrow's security and risk leaders.

Sherry is the chief information security officer at Brown University, with university-wide responsibility and authority regarding matters of information security and privacy. He leads the university's information security group, which develops and maintains Brown's information technology security strategy; IT policies and best practices; and security training and awareness programs. The group also conducts ongoing risk assessment and compliance tasks. As the university spokesman for both information security and privacy, Sherry also plays a key role in the records management program, regulatory compliance and copyright law. He came to Brown in 2008 with more than 20 years of experience in information technology. He most recently worked at Citizens Bank, where he was vice president for enterprise identity and access management.

Follow Tom Field on Twitter: @SecurityEditor
