Changing of the Guard: A Perspective on the Changing CISO Role

Monday, March 19, 2012

Rafal Los


Well, I survived the recent RSA Conference 2012, and the gauntlet of meetings, lunches, meet-ups and interviews that is this crazy stretch of trade show every year.

I'm particularly happy as I write this, not so much because of what I've seen on the trade-show floor, but primarily because of the things happening off the floor.

I've had the pleasure of meeting no fewer than 12 CISOs in one day, from various industry verticals, backgrounds, and areas of technical/business expertise - and I'm starting to sense a trend.  It's almost as if a shift is happening right here, right now, and I'm standing in the middle of it.

While the role of the Chief Information Security Officer has been slowly evolving over the past 5 years, this year more than ever I'm hearing a sense of resolve from the CISOs I've talked to.  I've compiled a list of things that have been common in many conversations, and as always you may not agree, your mileage may vary and batteries are not included...

  • Get over it - Security just needs to "get over it" that we're not going to be making key decisions on risk - technical or otherwise.  This isn't our job, and it shouldn't be the role that we play.  The CISOs I've talked to are changing their operating models to become an advisory unit within the business, rather than an operational role within IT.
  • Get it signed off - to go along with #1 above, the smart CISO won't be easily shoved in front of a moving bus.  This means that they're operating in an advisory capacity, and when they do advise and are overridden, they're asking those hoping to accept that risk to "just sign here" to make security go away.  This sounds trivial, but it's amazing how many project managers eager to run over a CISO's recommendation suddenly pull a 180 when they're asked to "sign here" to accept that risk.  Hint: almost no one wants to sign that piece of paper.
  • Look beyond the tech - I've said it before and it's awesome to hear you all say it now - today's security issues are by and large no longer technical issues, meaning that buying more shiny boxes or solutions isn't going to solve your actual problems.  Organizational and cultural change, resource management and time are your enemies now.  The price you pay on the PO is usually only a piece of the overall cost of implementing a security solution ... and if you fail to account for the other pieces, it will end badly for you.
  • Reach beyond traditional security - as a recent post I wrote indicated, I strongly believe that security is going to undergo a revolution much like the one DevOps is going through right now.  I completely and firmly believe that.  Making security a part of every other IT function (groups like your NOC, for example) is critical - and yes, it requires a lot of political wrangling and concessions - but that's how real life works.
  • Follow the money - if you ever want to really understand what's important to an individual or organization - look at where they spend their hard-earned budget dollars.  Every project manager and line-of-business owner thinks their project or application is the most important thing in the business, but if you really want to know what's critical look at where the money is spent.  Hint: this is where you should concentrate too...

These 5 things aren't particularly novel.  These 5 things probably aren't anything you've not heard before.  What really is revolutionary and gets me really excited is that they're being widely talked about in open rooms with people listening - not just in back-hallway conversations. 

Security is starting to understand that to impact the business - and I mean truly impact it, without the magical pixie dust - you have to find ways of addressing its failures and successes.

Security means different things to different people - but by and large we can agree on the need to defend our organizations against those bad guys who wish to do it harm whether it's from a purely destructive perspective or something more sinister. 

Once we've accepted that we agree on that, it's time to put down the ego, forsake the hype, and move on to solving some actual problems that you do have, and that you need signed before your next executive report-out.

Best of luck to you!

Cross-posted from Following the White Rabbit
