Risk Management Grows CISO RoleGoing Beyond a Technical Focus to Strategic Thinking
South says this important annual presentation is a good example of how the role of CISO has evolved to that of a true strategist and risk manager.
Like South, a growing number of CISOs are becoming strategic thinkers, going beyond a technical focus on such issues as implementing stronger antivirus software, building an incident detection program or creating better IT controls.
"You need a CISO today to manage not only the IT risks, but understand and influence the business risks that are imposed on the company by the decisions and strategies it takes," South stresses.
South, who has more than two decades of domestic and international experience as an information security officer, joined Heartland, a payment card processor, after it experienced its well-publicized data breach. Today, he's becoming more involved in driving the strategic direction for managing risk for the company, going far beyond the old-fashioned CISO role of working solely within the IT department to manage and protect data.
"As a CISO, my scope of operation is much larger today," South says. "Everything is connected; there are no discrete risk elements anymore."
New Role for CISOsToday's CISOs are taking on "a role independent of technology, where the focus is on the business - its products, services and opportunities - and the new risks associated with those," says Kenneth Newman, information security officer at Central Pacific Bank in Hawaii. He formerly worked at Washington Mutual, which in 2008 became the biggest bank failure in history. "The focus is now on how do we push those things forward? How do we really measure value, progress and success? How do we really make businesses understand that they have risks?"
South contends that if a company decides to introduce a new product, the CISO should be at the executive table to discuss not only the design, architecture and deployment of the product, but to analyze business as well as IT risks.
The Internet has changed the risk model for many organizations that now enable workers to access information both inside and outside the enterprise. And companies are subject to different laws and regulations globally, depending on where they have their data stored.
"There is no longer the concept of a domestic company because data and privacy issues relate to customers who are internationally located," South says. "So the whole risk model is much more intense and complicated to manage."
CISOs must take an enterprisewide view of risk management, working in collaboration with experts in legal issues, compliance, operations and finance, in addition to IT.
"Years ago, computer and data security evolved into information security," Newman says. "And, now, the next level of security is being called information risk management."
Inertia for Some CISOsBut some CISOs say that despite all these trends, their roles haven't changed much yet.
"Four years ago, I started the security program with a white sheet of paper," says Chris Buse, CISO for the state of Minnesota. "Since then, the program has become more sophisticated, but my role has largely been the same."
Buse says he still finds himself dwelling on what management expectations and needs are with reference to risk management and mitigation. "I still don't know whether the information we produce for senior leaders actually allows them to make actionable decisions," he says.
Too many organizations still place the CISO role several layers below the level of real decision makers, South laments. "CISOs cannot be proactive and protect the total risk package of the company when they rank low in the decision making hierarchy," he says.
New Skills Needed
CISOs need not go through a major data breach or a bank failure to become better risk managers. Key steps they can take include:
- Understanding Business Decisions: "If I understand business and how business decisions are made, I can design a better security strategy," South says. He recommends CISOs spend time with business mentors to fully grasp the finances and politics of an organization. "It finally comes down to how you communicate the risks to management," he says. For example, to gain support for acquiring a dynamic vulnerability analysis tool, a CISO needs to make a clear business case, showcasing how the risk reduction program will improve the organization's ability to securely deliver products.
- Understanding Not All Risks Can Be Avoided: Effective risk managers need to embrace the fact that every environment and every situation is different, Newman says. A standard control requirement may effectively close a gap in one instance, but not work well in another. Not every risk can be avoided or effectively mitigated. "Risk management requires some level of risk to be understood, communicated, and, ultimately, accepted," Newman says.