Over the past few years, there has been an uptick in cybercrime on a mass scale, with attackers gaining access to the personal information of millions of people. Breaches at well-known, successful companies such as Target and Home Depot make national news.
In more recent years, healthcare organizations have increasingly become the target of cyber-attacks. The threats of information leaks and security vulnerabilities are undeniable, advancing the need for strong leadership to manage security initiatives and ensure companies are safeguarding valuable customer data.
This is where a chief information security officer (CISO) steps in — to maintain processes across an organization to minimize IT security risks. Below I share my perspective on the evolving role as Surescripts’ security chief and how the position can and must fit into the organization’s overarching leadership framework.
What makes for a successful CISO?
A CISO needs to adapt easily to change. Technology is constantly evolving, and a successful CISO understands that. Big data is just one example: as new technologies and trends like it emerge, we as CISOs need to figure out how they fit into our security landscape.
In the CISO role, always being a student and learning is a must. You can't just learn a skill once, apply it and be done. There is always a need to refine and adapt. In other fields, you must have certain skill sets and a specific background, but once you acquire those, you can apply your experience in a fairly standard manner.
Security is constantly changing, and a CISO needs to be continuously learning and adapting. You always have to account for the privacy impact and address challenges and opportunities, and to understand those, CISOs now essentially need to become data scientists as well. It's par for the course.
What are some of the changes in the role of the CISO?
Responsibility and span of control are changing. Traditionally, CISOs have been responsible for infrastructure and security and have focused on technology. Now a CISO also needs a deep understanding of how the business operates and what its objectives are in order to be successful. How is technology moving beyond simple infrastructure? What is the effect of the cloud? What is the impact of a BYOD culture? All of these trends are expanding the CISO role.
Regulations and compliance are also creating new challenges. Today's CISO needs a different mindset and skill set related to the business, beyond security and technology. For example, how do you determine the value of IT investments? When making risk-based decisions, it is part of the role to show results and demonstrate value. There is a constant need to explore new capabilities. CISOs have a responsibility to identify metrics that tie back into the business. And this introduces another challenge: business alignment.
Business alignment requires CISOs to become core general managers who understand the organization as a whole. That is now expected, so CISOs need to build those relationships within the company, along with the related business competencies.
Traditionally, a CISO is focused on things like anti-virus, malware, and managing firewalls. But if the company is going to apply risk-management methodologies that affect how business decisions are made, those choices must relate back to overall business function.
CISOs also need to ensure their investments are the right ones. Now that we have the budgets, we need to maintain a level of trust and transparency. And most CISOs, coming from a science and technology background, will always need to develop, hone and acquire those additional business skills.
Who is a CISO's "partner in crime" within the organization? Who are the decision-makers with whom a CISO should align?
First, it's the Chief Information Officer (CIO). A CISO's relationship with the CIO is a necessary component of success. Even if you're looking at third-party organizations and their risk, it's a mistake to say you're no longer focused on IT as a CISO, because then you'd alienate your biggest ally, the CIO.
You must continue to foster and develop your CIO relationship to ensure success. When you go to the Chief Financial Officer (CFO) to talk about financial risk, they'll say, "talk to the CIO," so it's critical to make decisions together and jointly educate the CFO on the technology.
While some decisions might be purely technology decisions, at the end of the day it's the CFO who owns the risk. The CFO is a good partner because, ultimately, that's where the money trail is. The CFO helps you know how the business is doing and how much opportunity is out there in terms of investment and spend.
Next would be the Chief Operating Officer (COO), where operational management decisions are made.
CISOs also need to coordinate with various business units and know what else is going on across the organization. Throughout your tenure, continue to build key allies and relationships across the executive management team.
How can CISOs work with partners and customers in terms of security? What should you look for or avoid, and what are the best practices?
The first thing I ask is, "Is there a CISO?" And if so, "Where does he/she report?" This is a really telling indicator of the organization's maturity. If a CISO reports to a VP, it's more of a title than a position of accountability. The CISO should have a level of control and the ability to make decisions and act at the peer level with the CIO.
So start there, and then look at the structure of the company and how viable it is. For example, if you're looking at a three-person shop, it's hard to achieve anything when the person responsible for security also has other responsibilities. Nine times out of ten, the last thing they'll be thinking about is security; they will be focused on tech uptime and business revenue. The lack of a strong CISO might not determine whether we do business with an organization, but it might influence the contract terms and how we assess and manage the risk of that relationship.
I have yet to see the perfect alignment in one individual. I tend to model myself on various people, but I'm also trying to blaze my own trail. I collectively look at the traits of others and put them together. The industry's maturity isn't there yet, so I look at it in pockets, taking five percent of everything I see and turning it into a perfect whole.
Continue the discussion with a comment below or online on Twitter with @Surescripts or @securitycurrent or directly with Paul @paulcalatayud.