The role of the chief information security officer (CISO) has shifted from a largely reactive, technical subset of enterprise IT to a proactive function of strategic importance to the business. Rather than coming up through systems administration and security operations, the modern CISO is much more likely to come from the business side, with an appreciation of intelligent, risk-led security.
Even now, CISO is not a universally recognised title, but the bottom line is that there is always an individual within an organisation responsible for all aspects of security, and they must have a profile that includes strong leadership, an understanding of business and risk management, communications skills and strategic ability.
Today, security is a board-level agenda item, so an organisation naturally needs someone who can talk to the board in the language its members understand. With every passing high-profile security breach, the CISO is pushed further into the front line of protecting brand reputation. According to the Deloitte 2013 TMT Security survey, 65 per cent of CISOs report to the board of directors, while anecdotal evidence suggests investment in IT security has risen from two per cent of spend in 2000 to about 10-12 per cent in 2014.
This sudden rise in the importance of security is directly linked to the number of serious incidents being reported. Incidents occur wherever there are points of weakness, and the average number of end-point devices in an organisation has risen sharply; every end-point is a potential weakness. That is not necessarily because the technology is inherently weak, but because the person controlling it is invariably prone to error. Human error is consistently among the most common causes of a security breach, and employee behaviour is the hardest thing to manage.
In addition to advances in technology, we have seen legislative change. In the US, state breach-notification laws oblige companies to disclose breaches of personal data, so the number of incidents reported today is higher than it once was. Similar regulations that are about to come into force in Europe will mean firms must air their dirty security laundry in public, and we are sure to see another jump in the number of reported breaches once they are in place.
The rising profile of the modern CISO will only accelerate in the coming years. Some studies have suggested there are between 20 and 30 new strains of malware created every day. From a cost-control point of view, security experts estimate that the cost of fighting hackers is 10 times the cost of being one. With such low overheads, attackers stay a step ahead of their targets. Purely reactive security is not good enough; the modern CISO must have insight into what is coming over the horizon, and watertight plans in place for what to do if a breach were to occur.
How an organisation structures its security management varies widely, but the models fall into three broad types. In the first, the CISO heads a centralised function, with the heads of operational, IT and physical security, as well as the head of compliance, policy and procedure and security awareness, all reporting directly to the CISO. In the second, those same functions report to business-unit leads as well as to the CISO. The third is a hybrid, in which security is split into strategic and operational functions: a dedicated security resource enables proactive planning, while technical experts implement the IT controls and report to the business.
Once the security resources landscape has been defined, engaging with the board should become the CISO's next concern. Opportunities to speak with and influence the board proactively are few and far between. If you've done your job well, openings to speak with the board reactively should also be infrequent. The Information Security Forum (ISF)'s Framework for Board Engagement describes a cyclical process that starts with understanding the organisation's business and perception of information security, moves onto what to say and how to say it, then how you engage with the board, before ending with how to correctly review security processes.
In an ideal world, the CISO would only ever engage with the board proactively, helping to drive business opportunities. In practice there are many other reasons for the conversation, ranging from reviewing the organisation's internal relationships and what competitors are doing about security, to more reactive engagements such as handling client questions or concerns, or the worst case of an incident or fraud within the organisation.
The final piece of the security framework is measurement, and measuring the efficacy of security is not as simple as it sounds. Some well-meaning health and safety officers keep a running tally of the number of days since the last workplace accident. It is a meaningless tally: the absence of accidents for a while does not mean the workplace is safe, and the same applies to security. Useful metrics include incidents, of course, but also anti-malware coverage, risk management, patch coverage and cost. You can have Fort Knox security, but it comes at gold-bullion prices, and it is here that the business-aware CISO comes to the fore.
Ultimately, the modern CISO needs to ask continuously what the new and emerging trends in security are, what the business's plans are and how it is progressing against them, and how the company compares with its competitors. As a modern CISO, if you can answer all of these questions with confidence and accuracy, you will stand out from the crowd.
Hadi Hosn is the security consulting managing principal at Dell SecureWorks