The role of the CISO is changing -- primarily driven by the executive management team
The role of the modern-day CISO is to provide the leadership and guidance necessary for an organization to manage the digital risks to the (1) confidentiality, (2) integrity and (3) availability of the organization's data, access, intellectual property, and information technology assets.
The CISO's role is evolving from a focus primarily on the implementation and management of security control technology (firewalls, IDS, AV solutions, etc.) to that of a consultative, business-process-aware digital risk management professional.
The CISO is no longer expected to be the standard IT security technology solutions expert; executives require the CISO to become an enterprise risk management professional. This changed requirement demands a more risk-based approach: CISOs must adapt, embrace it, and move away from a security-controls-focused approach to information security. That is not to say that security controls (and the associated tools) are unnecessary, because they remain important. The main focus, however, needs to be on risk management. A critical component of implementing a successful risk-based approach is building strong relationships with the business units within an organization and approaching them in a consultative manner to offer assistance and guidance. Today's CISOs require analysis, consensus-building, influencing, and strong communication skills.
Visibility and awareness have changed the CISO role over the past two years.
As explained above, the role has shifted from a technical perspective to a risk management perspective. This change is a direct result (driven by the executive teams) of an increased awareness that preventative security measures and controls will never be 100% effective. Increased media coverage of information security breaches has helped greatly in raising awareness, yet analysis of the latest EU statistics shows it is still not nearly enough. Stay tuned for the next blog post, with a factual analysis of EU cyber statistics (policy, risk, and exploits).
One consequence of the increased board-level attention to the impact of information security on overall risk is that the "CxO" suite in many organizations is more aware of, and focused on, information security. That board-level interest demands the risk-based approach described above, and CISOs are being challenged to deliver it.
What can a CISO do to cope with these changes and challenges?
- get a clear understanding of the RESPONSIBILITY and AUTHORITY of the role; these have to go hand in hand (and be genuinely balanced), otherwise the CISO becomes accountable for risks without any measure or control to directly influence them.
- get a forward-looking vision to manage the DIGITAL RISKS of the organization: understand the digital initiatives, the plans, and the preliminary choices (simply think CLOUD, or IoT, or new apps introduced by the business).
- make a plan that describes the interaction and effects of the security ORGANIZATION, PROCESS, TOOLS, and PEOPLE. People remain the weakest link in security design and thinking; they always have been and always will be.
- fully understand the CURRENT RISKS involved in the IT architecture and the information it carries. Use a model of FREQUENCY, PROBABILITY, and IMPACT to QUANTIFY the return on risk.
- determine the RISK PRIORITIES to close the gap (and the COSTS of closing the GAP) between the status quo and where the organization must be 12, 24, and 36 months from now. Build a ROADMAP of security improvement items and initiatives.
- communicate in the language of the executive team and board rather than in information security and technology terms.
The agileSI™ SAP® security maturity assessment is specifically designed to help CISOs build that ROADMAP, apply that RISK SCORE FRAMEWORK, and express the RETURN ON RISK to executive teams.
Contact us at firstname.lastname@example.org and we will be happy to explain what the SAP SMA can do for you and your organization.