The CISO role is more varied and critical than ever before. It is no longer about just managing firewalls or patching systems, but rather a role that entails both technical and business skills.
Information security is no longer a luxury but a necessity today. For a long time, the security function was within the purview of the CIO. However, CIOs have so many projects and plans on their plate that they let slide their responsibilities to beef up the security of their systems or to ensure the integrity of the networks and devices they already have in place. Moreover, a CIO may not have the technical acumen and expertise to stay on top of the evolving security landscape.
Though the role of CISO has been around for a couple of decades, many enterprises in the Middle East still don’t have a dedicated executive focused on cybersecurity. But, fallout from recent prominent security breaches and the increasing visibility of information security in general might change that soon.
If you already have a CIO or CTO, why do you need a separate C-suite executive for security? It is about prioritising both the business and the security of information, infrastructure and data, and minimising risks to all of these before a breach occurs.
“Globally, regulators started demanding that companies should have a dedicated security executive, giving rise to the CISO role. There is a growing realisation among enterprises that information security is not about technology but about managing risks. This shift in perception is resulting in the creation of the CISO function,” says Hariprasad Chede, CISO, National Bank of Fujairah.
Deloitte says that the CISO today must have four ‘faces’: the strategist, the adviser, the guardian (protecting business assets by understanding the threat landscape and maintaining security programmes) and the technologist.
The consultancy firm found that CISOs on average spend 77 percent of their time as ‘technologists’ and ‘guardians’ on technical aspects of their positions, although they would like to reduce this to 35 percent – a sign of the times perhaps.
CISOs are hard to hire because there are far too few business executives with the right mix of business and technical chops. Companies should hire CISOs who strike the right balance of business leader and risk assessor, says Chris Patrick, head of global CIO practice, Egon Zehnder. “You want someone who can architect a comprehensive security architecture and explain it clearly to the board when called to do so. And you want someone who can coordinate communications among the C-suite, general counsel, media relations and other necessary parties to respond to a cyber incident,” says Patrick.
Egon Zehnder consultant Kal Bittianda says a CISO must understand the issues and know what data is important to protect, but they needn’t be the most tech-savvy leader on staff, one who is familiar with all of the latest detection analytics and other emerging technologies. Bittianda says it is better to hire a strong executive who has the ability to influence key strategic leaders in the business, and to surround him or her with technical whizzes who know what tools to apply and how.
There is a strong demand for security pros who are as much, if not more, skilled in communications, business management, and explaining risk to executives in business terms.
“As more security capabilities are automated, and more risk is transferred to third parties and managed security services, security pros are going to need to be able to broadly define these risks to business leadership and provide the best solutions to meet that risk, help quantify the risks of different IT architectures to management, and provide guidance on the people, tools, and processes necessary to manage that risk,” says Brian Honan, founder, BH Consulting.
While there is no disagreement on what companies should look for in a CISO, there is some debate about to whom the CISO should report. “The prevailing recommendation is that the CISO absolutely should not report to the CIO. Having the CISO report to the IT organisation is an inappropriate segregation of duties. However, the fact is that between 40 percent and 60 percent of CISOs do report to the CIO or IT executive, depending on industry. And in some industries there is a clear trend toward this reporting structure,” says John Kirkwood, chief information security and strategy officer, Security Innovation.
Meanwhile, Tushar Vartak, director, Information Security, RAK Bank, says it is extremely important to ensure that a connection exists between C-level executives and CISOs. “Without this, security can remain a technical-only function at large. The business impact of insecure practices may not be conveyed appropriately and is only realised post-incident. It is necessary for CISOs to understand business requirements, identify risks and recommend mitigating controls to ensure the probability / impact of a breach is minimised.”
Kirkwood suggests that different organisations require different types of CISO, the most important being the Business Information Security Officer (BISO).
“There is a shift today from a traditional CISO role to Business Information Security Officer (BISO). The CISO role primarily focused on the technical aspects of perimeter security, data protection and enforcement of good security practices. This role today has changed to a more business-centric role. The BISO is required to understand business drivers and be a partner in the success of business initiatives. They are required to work closely with business stakeholders, CIOs and CTOs to institute a risk-aware culture and ensure security is embedded in all business initiatives right from the inception stage,” says Vartak.
The BISO specialises in information security issues related to the business, such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other. This person also assists in the implementation and translation of enterprise security requirements, policies and procedures.
Additionally, the BISO should perform business security assessments or, at a minimum, coordinate the handling of identified business-related security issues. Ideally, there should be a BISO embedded in every major business unit or division, and he or she should report to business management.