CISO role ranges from beat cop to boardroom

By Adam Best, Social Media Manager, Code42

Every executive role has changed in the past decade or so, but none more than the chief information security officer. Ten years ago, if you asked someone to describe his CISO, he’d probably answer, “You mean my CIO?”

Out of the server room

In a globally-connected economy, data security is arguably more important than physical security; if someone wants to profit from corporate crime or espionage, they go for the data. The fact that the most lucrative crime is electronic has elevated and expanded the role of CISO.

So who is the modern CISO?

On patrol: He or she is a beat cop; making her presence known internally to raise visibility of the importance of security. Like law enforcement in general, the more time spent in a prevention role, the easier other parts of the job are.

Before her current beat, she worked border security: “CISOs used to be 99% concerned with making the firewall impenetrable,” recalls Greg Mancusi-Ungaro, BrandProtect CMO. But that changed with recognition that protecting the perimeter is not enough. Breach can happen wherever computers wander and from inside the organization too. Which leads to….

Threat assessment: Like a military intelligence officer briefing a unit commander, the CISO informs other executives about possible or probable threats, their severity and the resources and actions required to protect against and mitigate each.

She may not play a direct role in the practical implementation of the threat response plan, and she might even be dealing with technology or services not subject to her approval. But she’s ultimately responsible for the plan’s success or failure. However, as the old military adage goes, no plan survives first contact with the enemy. There will be data loss. Time to switch to….

Forensic investigator: When the inevitable breach happens, she’s the medical examiner at the scene of the crime, piecing together what happened, when and how. A chain of evidence must be created. What data was taken? From what source? Where did the data originate, and when was it changed or moved? What methods were used in all of the above? But that’s not all.

Lead detective: The CISO guides the investigation following breach: Where is that data now? Can it be recovered? Were there internal or external bad actors (or both)? Can damage to the company from this incident be prevented or at least mitigated to some extent? Can it be prevented from happening again? How?

Just like a detective assigned to a case, the CISO answers to stakeholders from above and below her pay grade. She helps the company PR team understand what to tell customers and respond to news media inquiries. She informs Legal if missing data is subject to government oversight or regulation and whether the company must disclose the breach. She apprises the CFO who wants to know how much it cost, and when will it be over.

The CISO is the decision and communications hub for some of the most critical incidents the organization will face. “They must be a full partner of HR, Legal and Marketing,” says Mancusi-Ungaro.

A little bit grad student; a little bit Pythia

After the incident, what do you have? A brand new threat to assess for your security posture. Learning from the breach and remembering its lessons is critical, but if he stops there, the CISO might be “fighting the last war” during the next data threat. So like the Oracle of Delphi, he must predict the next challenge, drawing from his experiences while also staying up to date on InfoSec best practices.

Isn’t it ironic?

For a role so concerned with privacy, there is little that is private about the CISO’s work. Besides InfoSec professionals, the general public and news media are now acutely aware of the importance of data security.

Bill Hargenrader, cybersecurity manager and senior lead technologist at Booz Allen Hamilton, a Fortune 500 technology and strategy consulting firm, says “As the general public hears more about hacking, privileged access violations, and data breaches, there is growing pressure to mitigate the dangers that are present. That’s not to say these types of activities weren’t happening before; as our tools for detection get better, and as the media is quick to pounce on these breaches (for good reason), there is a greater shift towards cybersecurity to address the risk profile for an organization.”

Which adds another interesting coda to the CISO’s role: public affairs officer. Hargenrader’s words of wisdom: “If InfoSec leaders can’t properly communicate the risk to non-cybersecurity versed organizational leadership, then they are at a disadvantage.”