This week I attended the quarterly chapter meeting of the Information Security Forum. As this was a combined meeting between the North American and Canadian chapters, the meeting was an excellent cross section of industry and geographic sectors. The meeting was filled with great conversations on security topics challenging CISOs today.
At one point in the meeting, I paused and surveyed the room, noting the different personalities that have risen to the top of the security food chain within the companies attending. Representing several large, multi-national organizations, the CISOs present discussed many different topics. One significant observation was the business acumen of the people responsible for dealing with an extremely technical discipline, working with a broad contingent across the organization and protecting complex infrastructures against an advanced and determined adversary. No longer is the discussion around DMZs or SQL Injection attacks. The discussion revolved around supporting business initiatives, third parties, engaging the business in controls design, understanding data and all of those good things that should be part of the conversation.
When a CISO can give a presentation with an entire preface on their company's business - not just the veneer that can be gleaned from the website or from looking at their products in the store, but the history, the evolution and the innovation that has driven the company's success over the years - it provides an impressive backdrop to discuss any security challenge. I saw this same type of business orientation and appreciation last week at the RSA Archer Summit across many different security, risk and compliance roles.
As I listened to these CISOs, I noted some key personality attributes:
- I imagined how approachable they must be within their own businesses when discussing security issues. CISOs have to have this openness for the business to be comfortable discussing risk and, at times, dealing with tough choices. Many times these CISOs have come from the business - demonstrating key leadership attributes already in the company - giving them the ability to put themselves in the shoes of the business management.
- CISOs must have passion and an assertiveness to engage and pursue the business. The CISO role is not for the passive and faint of heart and the CISO can't be the "man behind the curtain" pulling on the chains. Building relationships is an absolute part of being a CISO. CISOs many times have the 'protective instinct' of a mother bear and if fellow management understands that, they can depend on the decisions made by the security organization.
- Hard decisions are rampant within the security function. CISOs must have the courage to stick to their guns and make the case to balance security and risk. When it comes to fighting for what is right, CISOs must be able to back up their opinion with the facts and then guide the discussion into a positive direction.
- Finally, the CISO must be trustworthy, to assure the business that the security efforts are reasonable and working for the best of all. There has to be a level of trust before a CISO comes to the business asking, or demanding, a certain earmarked budget to protect a business initiative.
The CISO role in an organization is not a technical role and it hasn't been for several years. Building a partnership with the business, and determining the strategy to protect that business, is the fundamental objective of the CISO. The technical skills and expertise within the organization must then flow from there. I have been evangelizing the "business context" need within security for a long time. These conversations at the ISF meeting were further evidence of the need to infuse security operations and technical efforts with an understanding of the business. When a CISO is armed with the operational details of the day-to-day security efforts in terms the business understands, that approachable, passionate, courageous, trustworthy personality can kick in and truly impact the organization.