[BreachExchange] Six Effective Ways CISOs are Changing their Role

Destry Winant destry at riskbasedsecurity.com
Tue Dec 17 09:31:25 EST 2019


In the past few years, we have seen cyber threats grow. They range from
the simple and easily fixed to the occasionally disastrous. As these
threats evolve, we have also seen the evolution of a formerly overlooked
player: the Chief Information Security Officer, or CISO.

The role of the security leader is becoming more critical, especially
when it comes to managing enterprise risk, deploying security
analytics and protecting Internet of Things (IoT) devices. The CISO
was first brought into the modern business organization to monitor and
analyze potential security risks for the company. Traditionally, CISOs
have come more from the technical side and perhaps did not have to
understand the whole business.

That is changing: their roles in the organizations they work in now
require them not only to have technical expertise and leadership skills
but also to understand their company’s operations and articulate
security priorities from a business

Below are six ways in which the role of the CISO is changing today.

1. The CISO has taken on the role of “coach”

The acronym CISO has taken on a new definition. The “C” now also
stands for coach. Research by the Ponemon Institute shows CISOs are
shifting into a coaching role. The primary driver of this is a demand
to help business lines shore up their cybersecurity defenses.

Department heads are now seeking the CISO’s counsel regarding the
company’s technology infrastructure. That can be issues like
compliance with the company’s acceptable use policy, cybersecurity
best practices and talking points for department heads to use with
their teams. Some CISOs are being asked to coach executives about GDPR
and data privacy and, as a result, are working closely with the Chief
Privacy Officer (CPO), or adding the CPO designation.

As a coach or mentor, CISOs need to give advice and guidance freely
and strike an optimistic tone.

2. Embracing organizational leadership

Given the increased reliance on technology as well as new regulations
focused on cybersecurity and data privacy, CISOs that can deliver
clear, actionable, role-based messages have seen their stature rise.
Forward-thinking CISOs are taking advantage of their increased
visibility, leveraging their ascension to leadership to further their

Showcase how the CISO role benefits the organization and helps
progress toward company goals. It’s the secret to securing budget and
resources. Speak the company’s language, be mindful of company
priorities and show how proposals impact what’s vital to the company.

To illustrate, Jeff Lowder, former CISO and CPO (Chief Privacy
Officer), of OpenMarket, a leading mobile messaging company, took
inspiration from his company’s mission statement and its reference to
trust. An ISO 27001 information security program was labeled
“Enterprise Trust Initiative” with a value proposition to “increase
customer trust in OpenMarket by providing services that allow us to
manage information risk to the right level at the right cost.” It made
the program sound more company-centric, which resonated with company

3. Elevating information security

CISOs are challenged by deciding which findings to share. Nobody wants
to be an alarmist, but then again you don’t want to feel like you’re
rearranging deck chairs on the Titanic.

Forward-thinking CISOs generate reports that offer a top-level view
based on organizational goals and risks with supporting data. These
CISOs know upper management wants to understand not just the threat
level but also risks to assets, the bottom line and reputation.

Surescripts, the nation’s largest health information network, uses a
technology platform to create a real-time visual report for the
company’s executive leadership. The CISO aggregates and links data
from multiple sources to communicate objectively with reputable
information. Executives access the high-level review and can dive in
deeper where necessary to make data-driven decisions.

4. Embracing continuous monitoring

More and more, security teams are separating from IT departments and
are becoming a separate business function. CISOs own information
security, but IT owns asset protection. How well do they know the
assets they’re protecting and their configurations? Organizations
typically scan monthly or quarterly. Meanwhile, the risk of a breach
occurs daily.

Forward-thinking CISOs are investing in systems that continuously
monitor and audit asset security. These systems identify asset
misconfigurations and uncover unknown assets, applications, and other
security risks. Periodic assessments are fine for compliance, but for
information security in 2019, CISOs need continuous monitoring. Not
having to wait for the next scan means less stress.

5. Prioritizing vulnerabilities

The CISO is ultimately responsible for addressing vulnerabilities to
the network and systems. What’s challenging is determining which
vulnerability to tackle first, second, third and so on.

A developing best practice among CISOs is prioritizing vulnerabilities
based on their criticality to the organization. For example, Plamen
Martinov, CISO of The University of Chicago Biological Sciences
Division (BSD), directs a team that uses an asset value ranking system
based on confidentiality, integrity and availability (CIA) to
determine the criticality of each asset. BSD’s platform automatically
performs a priority impact analysis that factors the CIA score in with
each new vulnerability. It’s more efficient and effective.

Streamlined processes that utilize automation can make CISOs and their
staffs more productive. Automation of routine tasks frees up time for
higher-value projects.
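The CIA-weighted prioritization described above, as an added example that is not BSD's platform or its real scoring rules: the rule (asset value = sum of three 1..3 CIA ratings, priority = asset value times CVSS base score), the default for assets missing from the inventory, and all asset and finding data are constructed assumptions. It shows why a medium-severity finding on a critical asset can outrank a critical-severity finding on a low-value one.

```python
"""CIA-weighted vulnerability prioritisation (constructed example; scoring rule and data are assumptions)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 = low .. 3 = high
    integrity: int
    availability: int

    @property
    def criticality(self) -> int:
        # Asset value ranking: sum of the CIA ratings, range 3..9 (assumed rule).
        return self.confidentiality + self.integrity + self.availability

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str   # constructed tracker id, not a CVE
    asset: str     # host the finding was reported against
    cvss: float    # base severity, 0.0 .. 10.0

# Constructed asset inventory with CIA ratings.
ASSETS = {a.name: a for a in (
    Asset("patient-db", 3, 3, 3),     # criticality 9
    Asset("intranet-wiki", 1, 2, 1),  # criticality 4
    Asset("lobby-kiosk", 1, 1, 2),    # criticality 4
)}

# Constructed scanner findings; "unknown-host" is not in the inventory.
FINDINGS = [
    Vulnerability("VULN-A", "intranet-wiki", 9.8),
    Vulnerability("VULN-B", "patient-db", 5.3),
    Vulnerability("VULN-C", "unknown-host", 4.0),
    Vulnerability("VULN-D", "lobby-kiosk", 7.5),
]
UNKNOWN_ASSET_CRITICALITY = 9  # no CIA rating on file: assume the worst until inventoried

def priority_score(vuln, assets):
    """Priority impact = asset criticality x vulnerability severity."""
    asset = assets.get(vuln.asset)
    crit = asset.criticality if asset else UNKNOWN_ASSET_CRITICALITY
    return round(crit * vuln.cvss, 1)

def prioritize(findings, assets):
    """Highest priority first; ties broken by id for a stable work queue."""
    return sorted(findings, key=lambda v: (-priority_score(v, assets), v.vuln_id))

if __name__ == "__main__":
    for v in prioritize(FINDINGS, ASSETS):
        print(v.vuln_id, v.asset, priority_score(v, ASSETS))
```

Running it ranks VULN-B (CVSS 5.3 on the critical database) ahead of VULN-A (CVSS 9.8 on a low-value wiki), and the finding on the un-inventoried host lands in the middle rather than being silently dropped.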

6. Leveraging frameworks

Frameworks such as those published by NIST provide controls and
guidance that support the CISO’s efforts to drive information security.
Are you leveraging information security frameworks? Forward-thinking
CISOs do, and it’s helping them excel in complex compliance environments.

Jeff Lowder, OpenMarket’s former CISO, adopted all 18 control families
in the NIST SP 800-53r4 framework and created a 19th custom control
family. Because it’s all on the same platform and follows the
principle that one control can satisfy many regulations, OpenMarket
maintains compliance with 173 contracts and 254 compliance mandates.
If there’s ever an issue, Lowder can use the platform to gain instant
visibility into any contract or compliance mandate.

The CISO world is complicated enough. A framework provides an advanced
starting point, along with essential guidance and support.

It’s easy to dwell on the negative or fall into the “misery loves
company” trap. It’s far harder to envision a future for CISOs that’s
filled with promise, and yet it’s happening. Forward-thinking CISOs in
all industries are paving the way forward by taking on coaching,
embracing organizational leadership, and adopting frameworks in
technology platforms designed for information security management.

As Stephen Hawking said, “Intelligence is the ability to adapt to
change.” If anybody can adapt to change and thrive, it’s smart CISOs.
