Why and how the job description of CISO is changing

These are some common topics that come up when we talk about the CISO's role in an organization.

In my view the CISO position is making a comeback, but if it is not placed correctly it can become just another position in the organization. I believe the CISO should report directly to either the CEO or the CRO (the highest-ranking risk officer) rather than to any other level.

This is debatable and has been a hot topic for discussion, but there is an interesting trend among chief information security officers (CISOs): more and more companies are creating this role within their organization or increasing the authority associated with the position.

The goal is to equip CISOs with the ability to enforce change, with responsibilities that range from incident response to IT compliance to customer data privacy.

In today's world, privacy and compliance demands rest on their shoulders, but the big question is whether we really understand information security's value, given the lack of quantifiable risk metrics.

The growing demand for effective risk management, along with other factors, can put the CISO role on the endangered species list. If you want to survive and thrive in this new environment, you will have to grasp what the successful CISO brings to the table.


Here are some tips:

Shed the conventional you

In the past, our careers have been rooted in IT, systems and network security. We identify exposures and deploy solutions. That is how we provide value: we build the walls and guard the organization.

All of a sudden, that work has become a commodity like everything else. The things we used to do have migrated to IT.

Until now, we have highlighted a need and received resources from management in response. But that is no longer good enough. There is no point in shouting "Risk, risk, risk!" when management is taking the budget away.

Our role now goes well beyond mitigating risk: it is to enhance shareholder value by protecting the company's market share, revenue and brand.

To win management support for IT security, we have to demonstrate how we prioritize, present and price risk. For each new project, whether relocation overseas, online payment or wireless infrastructure, we need to identify, analyze and evaluate the risks, measure the cost of securing the service with real numbers and present viable options.

This information will help the management team decide how to allocate resources and will prove your value to the company.

Talk to the CFO
Now that you know your value, think about how a CFO defines value. The CFO thinks about revenue, ROI and liquidity. As the CISO, you need to adopt the same way of thinking and look at the relationship between risk exposures and the value of company assets, revenue and liquidity.


Focus on what matters to your company
Talk to management and listen to what your CEO is saying. If you repeatedly hear about the importance of protecting the market share of the company's product, quickly find out whether the responsible managers are more interested in reducing the cost of managing risk or in mitigating exposure.

See the big picture
As CISO, you are in a unique position to see and deal with the big picture, and to see the greatest risks.

Take an example where management says online sales is the most important activity. To you, securing that activity should then become far more important than securing the organization's less critical lines of business.

If 90 percent of your online customers are located in one geography, the risk is magnified. If all your divisions rely on a shared or managed IT service that is highly concentrated, your entire business hinges on its security.

You can provide a high-level perspective on the organization's interdependencies and areas of concentration that other departments lack, because they do not have access to all the information or cannot see the big picture. They will value your opinion.

Talk to the chief risk officer (CRO)

Look at your company’s risk professionals: the CRO, a head of compliance, corporate legal counsel, etc.

The power is with the chief risk officer (CRO). The CRO has authority and a structured way to manage risk. You should meet with the CRO and apply proper, industry-accepted methodologies.

For instance, if the CRO says, "My priority is dealing with rising premiums and reduced insurance coverage," this means that the company is not paying the increased premium (which translates into greater exposure) and must therefore be more aggressive in its loss control and loss prevention programs. So, when the CRO says to you, "You guys are dealing with IT security problems and you want millions of dollars to solve them. What's your rationale?" you can make your case based on what it will take to control and reduce those costs, using the data you have collected on operational loss.


Focus your organization
If you are going to deliver the data, analysis and modeling that your new role requires, you are not the only one who has to change. Your organization may need to realign departments, and that might require some radical thinking.

Information security roles and responsibilities that have become mainstream, such as operations, policy creation and enforcement, should be considered for migration and delegation.

You may have to reassess your organization's skills to support more analytical thinking and promote greater awareness of operational risk management. Gauge the level of expertise and the kind of modeling capability the organization has, so you can budget for the technically savvy people you will need.

Shifting and adding resources is never quick. Plan on phasing in new resources over several years, in line with the demands of the change, to spread the cost.

Drive change
What if your organization does not have a mature risk management culture? The overwhelmed two-person legal staff moves from problem to problem in crisis mode. The risk management group is one manager who is clueless about the broader concept of risk management.

If you are going to make a difference as a CISO in this environment, you have a day job and a night job.

The night job is strategic: getting this community of disjointed disciplines, roles and expertise to work together in small ways.

The day job is to prioritize what is most important to the business and apply the appropriate security. Choose what generates the most revenue, or what the company has on its radar for the next five years. You need to secure that piece of the corporate world, working through the risk management model and working closely with the appropriate stakeholders.


Be nimble. Step into this new role while keeping a foot in the old. Delegate the technical responsibilities (infrastructure support, network support) while still providing guidance and oversight. Develop a strategy for an overall architecture. You may not be able to execute it yet, but know where you want to go.
