The New CISO: How the Role Has Changed
The role of CISO has evolved in the last five years from one of IT security administration to high-level risk management. I recently spoke with Tom King, CISO at Experian, about how his role has changed, why it happened and how having a CISO network can help him do the job effectively.
How do you feel the role of the CISO is changing?
The role is more business-focused and holistic. In the past, there was the perception that CISOs are only responsible for maintaining security and keeping certain processes going, but I think that’s a long-gone responsibility of the CISO. You have to be much more conversant in the language of the business, so you can put things like information security threats, information security risk, mitigation and controls in context so that the people who are making decisions about them can understand them a lot more easily. The CISO still has to be technically competent, but also comfortable speaking the language of business and not just technology.
How do you evaluate changes to the threat landscape? Where do you get your decision-driving information?
Some threats follow a long-term trajectory; others are very dynamic and constantly changing, and probably the best way to stay current is via networking. It’s an invaluable resource to always have the ability to speak to other peers, peer organizations, etc. who are similarly positioned in the marketplace and get their insight and get the opportunity to have many more eyes on the same problem.
Where would a CISO start in building a network like that?
For every industry vertical, there are several organizations built for information sharing. It would not be difficult for a new industry CISO to find that information-sharing organization, reach out, find some other members, form those relationships and then build up that network. That’s one good thing about the information security discipline: the degree to which we have both formal and informal mechanisms to share information. It wasn’t like this in years past, and as the industry grows, the opportunities for information sharing among peers have grown at the same time.
Have you found that your peers are more willing to share threat information?
Within any industry, there is no competitive advantage to someone else having a problem. We don’t share proprietary methods or any IP, but to the extent that we can, we’re going to share information that will lift up the entire industry and protect us all.
Are C-suites becoming more aware of cybersecurity issues, and are they more willing to invest in them moving forward?
Very much so. Any responsible executive these days is going to be very much involved in the information security/cybersecurity program. They’re taking much more responsibility down at the individual business unit level, and they’re taking much more responsibility for it at the board level as well.
How are you working to inform and educate your stakeholders about risk?
Through constant communication, we are continuing to update our stakeholders about the state of our protection and the efforts to maintain and improve those protections. I speak to the C-suite at least weekly on information security, and there is a standing information security topic at our board meetings. We’re at a point now where information security is such an important issue that nothing short of continuous communication from the C-suite and the information security group is going to be effective.
What messaging are you trying to impart to employees across business functions, and how can they help?
Most importantly, and this may sound cliché, security is everybody’s responsibility. There isn’t anyone in the organization who does not have an opportunity to help their organization maintain security by just doing the right thing.
How can future information security leaders become more business-focused?
They have to immerse themselves in the business. They must find individuals who can mentor and educate them on the way the business is organized and the way the business conducts itself. Don’t just isolate yourself with the technology of security or the process of security – spend time getting out there, meeting business leaders, finding out from them or their deputies exactly how they conduct their business, what’s important to them and what keeps them up at night from a technology risk perspective.
Is this focus changing IT and information security into a business-enabling function?
If your information security program is going to be viewed as an enabler, then you have to take that to heart and go out there to understand the objectives of the business and business leaders and clients so you can align your program to support that. If you can’t do that, you’re just trying to be a champion for technologies that the business will see as obstacles.