Gone are the days when being a CISO (or even just ‘the security guy’) was about actual information security or IT security. Even the term IT security is outdated now, as it emphasizes a one-dimensional view of what security is really about. However, I digress… The information security element of CISO is correct, but for a variety of reasons, the CISO’s role is very different from what it was a decade ago. Back then, the role required a strong technologist who understood the firewalls, their rules, the cryptographic controls and even how to code hotfixes on the fly. This isn’t surprising given that the role almost wholly came from an IT background. Back in the day, mere lipservice was paid to the human element, and the legal considerations were considered to be quite simply “someone else’s job.” I was often asked what my job as a CISO entailed, and I used to say “PowerPoint and politics” jokingly; the odd thing though is that this response is not far from the truth at all. My role became significantly less about my understanding of specific niches of information security knowledge and more about putting across to the business what this information security lot was all about and how it helped the business stay competitive, out of trouble or even just in business. The more I did this, the more I became embroiled in the day-to-day machinations of how a business works. The inescapable conclusion I came to was this: even if information security is seen as essential and vital to the business, it is still just one voice of many that are trying to influence, cajole and be heard. Moreover, this is where the politics come in, unfortunately. It is human nature and the way of businesses around the world. Politics is everywhere, and any CISO who doesn’t see and at least understand what is going on is at best going to be ignored, and at worst, eaten alive. Which brings me to my second quote from me (well, it makes attribution a whole lot easier doesn’t it?); what is the purpose of a CISO? “Not to make the company more secure per se, but rather to help it sell more beer/widgets, increase shareholder value (as appropriate), and let the business make risky decisions more easily... through the judicious use of security”. The CISO should not be concerned with the name on the front of the firewall or even what the specifics are of the latest penetration test are. They should be focusing on how best to align their security services to the business and how to ensure security isn’t just a cost centre but a capability that allows teams and the business to run faster, more efficiently and with less risk. That doesn’t take technical knowledge; that takes strategic and business knowledge. If you want to learn more about what skills are needed to be a modern CISO, join Tim Erlin and I for the “Modern Skills for Modern CISOs” webinar, September 10th at 10AM PT. Register here: https://info.tripwire.com/register-Modern-Skills-for-Modern-CISOs
About the Author: Thom Langford established himself as CISO at large global organisations, having founded their security teams and services from the ground up. He is an information security professional, international public speaker and award winning security blogger. Thom contributes to a number of industry blogs and publications. Thom is also the sole founder of Host Unknown, a loose collective of three infosec luminaries combined to make security education and infotainment films. Thom can be found online at both thomlangford.com and @thomlangford on Twitter. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
