[BreachExchange] CISO: Is Now The Time To Broaden The Scope Of This Important Role?

Destry Winant destry at riskbasedsecurity.com
Fri Jun 12 10:29:43 EDT 2020


Remember when the world was young and your company's online security
was the responsibility of one or two people sitting in the IT
department? I do, but just barely.

As noted by PrivSec Report, today's role of the chief information
security officer (CISO) has wide-ranging responsibilities for the
security of systems central to an enterprise: "security operations,
cyber risk and cyber intelligence, data loss and fraud prevention,
security architecture, identity and access management, governance" and
much more.

Many companies have found inventive ways to include the role of CISO
within their organizations. Even today, some smaller companies may
include CISO responsibilities as part of an IT executive's job.
However, more typically, it is a full-time role that reports to senior
management, most often to a chief information officer followed by CEO,
COO or, perhaps, the corporate risk officer.

However, as companies around the world have been forced to accelerate
their digital transformations, an additional organizational option to
consider is combining security and IT/enterprise services functions.
We've done this at my company and created a singular Office of the
Chief Information and Security Officer (CI&SO), and it's shown
significant benefits. The heads of our IT and security organizations
report to me, resulting in a level of collaboration and joint
decision-making that has surpassed even my expectations.

With this type of combined organization, security and IT have
comparable seats at the table. No longer does one have to take a back
seat to the other. Even more importantly, security is now everyone's
responsibility, a concept that has become a part of our company


All decisions are made jointly, and both provide input into the
programs and initiatives of the other. For example, like many other
companies, at the beginning of the pandemic, we were faced with
ensuring our professionals remained as productive as possible working
remotely. While we were already very prepared given how we run our
business, there was still work to do.

Our folks came together as one team, making it possible for people who
normally did not work remotely to work from home, looking at the
security posture of the equipment fleet throughout our system and
ensuring appropriate security for our people's home environments,
workstations and home Wi-Fi networks. By working together from the
beginning, our IT and security organizations were able to establish
remote working arrangements that allowed our teams to securely
continue their work on behalf of our clients in record time.

When it came to provisioning the equipment, the hardware side was
knowledgeable about and considered the security aspects of the
project, and thanks to their insight into the business requirements
for remote working, the security team was able to provide the required
security and risk sign-off seamlessly.

If you are interested in this kind of dual IT/security CI&SO role,
here are some points to consider:

• A culture of security is critical. The change management component
of driving security education, awareness and knowledge throughout the
organization is central to getting the most from this type of
organizational structure. "Security is everyone's business" can become
ingrained in company culture with the help of active, ongoing
communications and education initiatives on all available platforms.

• An important benefit is shared accountability and knowledge across
security and IT. In a combined IT/security organization, both sides
are accountable for the success of the entire team. Each function
contributes to the other's initiatives, and decisions are made with
input upfront from both IT and security. This doesn't need to be
cumbersome. Aim to meet once a week with adequate time to go through
all projects and issues, which the various responsible groups can then
execute on.

• All parts of the organization are held jointly accountable. IT and
security leaders should be jointly responsible for a comprehensive set
of metrics related to the security and operation of your enterprise.
They should not be working against one another; they should be
responsible for one another's success.

• Processes are shared across the organization. As part of any IT
procurement, conduct a comprehensive security and data privacy
assessment, a single process that stretches across multiple areas. One
process shared across the entire joint CISO organization can boost
efficiency while ensuring nothing is forgotten or neglected. The goal
should be a procurement consensus that's based both on what is best
for the business and what meets security protocols.

• Create a governance risk compliance team. One team with
representatives from across the security/IT organization can ensure a
singular focus on governance, risk and compliance. By short-circuiting
tussles over resources, budget and responsibility, everyone can focus
on the business and security priorities.

Each enterprise will have unique circumstances that may drive
decisions on organizational structure, and while it isn't a
one-size-fits-all solution, combining the IT and security
organizations has worked well for us and positions us well to take on
the challenges introduced in the current environment.
