When it comes to job descriptions, there seems to be no limit to what can be placed in the realm of the Chief Information Security Officer (CISO) role. The role is often a collection of various responsibilities guided by the loosely defined “protect information assets” charter. Of course there are elements of core security – access control, data protection and warding off the bad guys and their attacks. Compliance duties are often added as regulatory requirements and industry standards pile on. Finally, some CISOs are even tasked with business continuity or disaster recovery roles as well. Last week, I attended the Information Security Forum U.S. Chapter meeting, and another role was alluded to during the discussion – that of Investment Advisor.
Now, this role is not the typical Investment Advisor – the CISO isn't expected to sit down and help employees with their stock portfolios or consult the board on investments in mergers and acquisitions. The role that emerged in the discussion was that of guiding the business to invest in security and risk technologies and practices while balancing the overall portfolio of effort – spending money in the right places to protect the meaningful parts of the business. This makes complete sense, as the return on investment in security must be calculated using the value of the information being protected.
When you think of an Investment Advisor, one expects certain output from that individual:
- The Investment Advisor must understand the mechanics of the financial world. He/She must have a solid enough background to discern what drives the ups and downs of the market and how those movements affect your finances.
- The Investment Advisor must be able to talk to you in terms you understand. The conversation can’t be laden with technical jargon and accounting mumbo-jumbo. Financial planning has to be described in terms of “retiring at age 65” or “successfully paying for college”.
- The Investment Advisor must provide clear guidance that brings comfort that your long term financial success is on the right track. Much of this will be based on the past performance and your belief that you are moving in the right direction.
CISOs need these same skills:
- The security landscape is ever shifting, and media reports paint a very scary picture for executives. Digital risk is top of mind, and the CISO must understand the mechanics of what it means to protect the business. This knowledge must be translated into actionable strategies that the business can weigh, decide on and feel confident about in terms of results.
- The CISO must engage with the business to determine the right investments – both tactical efforts and long-term strategies – that make the biggest impacts. Any security investment is going to pull some capital or budget from potential business initiatives. That money has to be well spent and the business has to see a return on that investment.
- Finally, both Investment Advisors and CISOs have a bit of selling to do to get the money moving in the right direction. At times it is hard to see the long term benefit of putting money aside in your retirement fund when that new car (or boat or other big purchase) looks so appealing. A CISO at the ISF meeting stated (paraphrased) “Part of my job is Inside Sales. I have to give the right investment advice to the business.” Looking over the horizon at the emerging threats and positioning the organization to be prepared is a key role of the CISO.
In the movie “The Wolf of Wall Street”, the main character is a fast-talking, wheeling-and-dealing investment advisor who uses many tricks to get people to participate in very shady investments. He uses a combination of fear, promises, pressure and jargon to convince people to hand over their money to his schemes. This is the antithesis of the CISO’s role when it comes to getting the business to invest in the right security strategies. A CISO who can sit down with the business, discuss the long-term goals and objectives, and plan out an investment strategy that protects assets in a cost-effective manner will not only meet the security needs but will also become a trusted advisor to the business and an overall positive force for the organization.