Have you ever noticed how closely your role as the CISO of your organisation resembles that of the Wizard from “The Wizard of Oz?” As the Wizard, you are expected to be all-knowing, all-seeing and all-powerful. Your role is to keep everyone safe from the evils of the world while frantically pulling levers, pressing buttons and turning dials behind the curtain.
Life behind the curtain as a CISO
Like Dorothy, many would be surprised about what just goes on behind that curtain and how complicated a role the CISO is. Of course, everyone in the C-Suite has important work to do. But I believe that the role of the CISO is the most complex and intricate of all roles due to the requirement of candidates having a complex mix of skills which few others can match.
To be truly successful as a CISO, you must be a leader, not merely a manager. A manager tells people what to do, while a leader inspires them to follow. This alone is no easy task. Add to this the need for the CISO to have a strategic view of the world, one which can be translated into tactical and operational steps for keeping the organisation secure. This means having a broad understanding of many disciplines as well as in-depth knowledge and appreciation of business processes and needs.
The Role of CISO – Intersecting People, Process, Technology
The CISO role is complex because it encompasses and impacts all areas of the organisation. Therefore, the role requires both soft and hard skills to be employed. From understanding the business needs and overall strategy to the deployment of technical controls, the CISO has multiple levers and dials to contend with.
A CISO knows that people are not the weakest link; they are our greatest asset. Ensuring there are training and awareness programs in place that engage and educate our people is vitally important if we are to be successful in our role as leaders. An appreciation of human behaviour and the development of soft skills are important in the Board room when developing security programs. Layered on top of this is the need to understand operational aspects; Employee screening programs, inter-departmental movements (including promotions) and changes in the organisation (including mergers and acquisitions) can impact a successful security program.
The CISO must have a good understanding of the threat landscape, which is constantly changing and evolving. In-depth knowledge of risk management processes helps us to understand where we are most vulnerable, allowing us to develop control plans based on international standards such as PCI DSS, ISO 27001, ISO 27017 ISO 27701 and ISO 22301. The CISO also needs to appreciate how these standards help to meet broader compliance-related topics such as the UK Data Protection Act, the EU General Data Protection Regulation (GDPR) and regulatory frameworks such as those dictated by the Financial Conduct Authority (FCA), among others.
Some might believe that the role of a CISO is focused on technology, but technology is merely the ‘vehicle’ that we use to manage our business processes. They are tools that allow us to process and share data to operate as a business. But the CISO often has a complex and complicated technical landscape before them with the expectation that they can protect EVERYTHING! The CISO then must have the knowledge to know what tools are available, where to deploy them and how. This involves developing and deploying policies and technology that govern mobile device management (MDM) as well as using tools that monitor the infrastructure (including SOC/SIEM technologies).
Due to the increasingly complex technical environments in which we operate, the CISO must understand how to evaluate vulnerabilities related to all aspects of the estate including cloud, on-prem and hybrid-based assets and services. Once vulnerabilities are identified, then selecting the correct solution to manage the risks is the CISO’’s next challenge. This must be through a mix of skilled people (either through a SaaS service or by hiring the right people) and technology to defend their kingdom (e.g. DDoS protection).
I have given a broad overview of what I believe the role of a CISO looks like by focusing on People, Process and Technology to illustrate just how broad and varied the role is. From governance, risk and compliance to technical security systems and controls, the CISO has a vast ‘to do’ list. Knowing this, the CISO must select their battles carefully by thinking strategically and acting tactically.
Few roles touch every aspect of the organisation, actively engage with it and need its support. The CISO’s role is often a thankless one—and a role which is often hidden from view. I believe it’s time we removed the curtain and let Oz see what’s behind the curtain.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.