Steven Grossman, Bay Dynamics’ vice president of strategy & enablement, sat down recently with CenturyLink VP & Chief Security Officer David Mahon in a thoughtful discussion about why CISOs are moving from the IT corner into a more operational role, managing the risks that threaten to harm their company’s most valuable data.
This Q&A is part of a Dark Reading interview series with cybersecurity experts by cybersecurity experts.
Decades ago, a new executive-level role emerged in the enterprise – the Chief Information Security Officer (CISO). The original CISO sat in the IT corner, mainly managing firewalls and other fundamental security technologies. Due to the person’s technical expertise, the CISO reported to the Chief Information Officer (CIO), the leading technical expert in the enterprise.
Fast forward twenty years, and the CISO has become a more business-centric, go-to expert for board members who no longer reports to the CIO. Today’s CISOs are increasingly reporting to the chief risk officer (CRO) as cybersecurity has transformed into a risk management issue, viewed alongside, if not above, other operational risks to the business.
To get an industry veteran’s point of view on this transformation, I spoke with David Mahon, vice president and chief security officer at CenturyLink. David is responsible for designing and implementing a global security program that includes cybersecurity, critical infrastructure protection, enterprise risk management, physical security, network fraud and abuse, industrial security, international travel security, global threat intelligence, workplace violence prevention, executive protection and investigations. In many enterprises, such as CenturyLink, the CRO and CSO roles are interchangeable. Both center their strategic objectives around risk, and both are seeing more CISOs move under their wing.
Steven Grossman: Thank you for taking the time to chat with me, David. Why do you think CISOs should be reporting to CSOs/CROs vs. CIOs?
David Mahon: The main reason is that the CISO profession and industry responsibilities have changed. The CISO profession started in the IT department when cybersecurity was emerging as a core competency. CISOs were mainly called IT security professionals. Over time, as more high-profile data breaches came to the surface, CISOs increasingly interacted with other C-level executives who were outside of technology, such as chief privacy officers and chief legal officers. The cybersecurity ecosystem transformed, going from a primarily technical discipline to a risk management discipline.
Because of that shift, the CIO isn’t the best executive to oversee cybersecurity. The CIO doesn’t have risk management functions, such as Governance, Risk Management and Compliance (GRC), which is a key component of an effective enterprise-wide risk management program.
Steven Grossman: So, in other words, CISOs shouldn’t be making absolute security their goal but instead, effective risk management.
David Mahon: Our role as CSOs, which essentially carries the same responsibilities as CROs, is to enable strategic objectives and risk posture as approved by the board of directors. When a CSO signs off on a project, it’s not about the technology; it’s about what the project will do for the business. CSOs manage all security and risk functions for the company, which oftentimes blend together, to achieve the risk posture established by the board.
Steven Grossman: Based on what we have seen working with our clients, CISOs who report through the CIO to the board often present technical information from a messaging point of view, while those reporting through the CSO/CRO present a more balanced, risk-oriented point of view. As CenturyLink’s CSO, how do you work with your CISO, who is on your team, and how do you implement a risk-oriented approach to security?
David Mahon: First, you must understand the strategic plan approved by the board of directors. Visit with each business unit to understand how their tactical plans roll up into the larger strategic plan. For example, the CTO may have a strategic roadmap that you know will need cybersecurity engineers on the front end. You can start deploying those resources to support the CTO rather than waiting until the CTO launches a project. You need visibility into what each business unit is doing so that you can enable them to also achieve the overall cyber risk mitigation objectives set by the board.
It’s critical to assess where your most valuable data is located and what value is associated with the applications and systems that store that data. Identifying where your highly valuable assets live will enable you to risk-rank those assets. What is your most sensitive data, down to the data that is less sensitive? What are the security controls you have in place to protect your highly valuable data? Are they working properly? Where are the gaps? If business units are outsourcing work, who are they outsourcing it to, and how are those users interacting with your valuable data? Identify the top risks for the company and map those to each business unit’s objectives.
Since many information security programs are designed by technical solution-based thinkers, it’s also better to turn to regulatory standards and frameworks like NIST, ISO or HIPAA as a baseline for your risk management program.
These are just some of the steps; there are many others in-between. The key is to broadly look at the risk posture of the company, map those risks to your (and the board’s) objectives and define how to decrease risk incrementally.
Steven Grossman: It is unfortunate that so many enterprises do not know where their valuable information assets are located. In the physical world, that’s like an operations manager not knowing where his/her company’s critical buildings are located. Understanding where your valuable assets live is central to risk management.
David Mahon: When there are thousands of employees, vendors, contractors and assets, understanding your valuable assets, including where they exist and how people interact with them, and being able to measure your risk, along with appropriate response and recovery plans for various potential incidents, is a sign of a mature risk management program.
Steven Grossman: What do you think are the biggest challenges CISOs face if they report to CSOs/CROs vs. CIOs?
David Mahon: One challenge is that CISOs are not adequately prepared to address the questions that a CSO/CRO will ask. CSOs/CROs tend to ask global questions to which CISOs respond with technical answers. CISOs lean on their technical acumen and therefore are challenged to look more broadly at such things as threat intelligence, adversaries, and business objectives.
In the end, CISOs who embrace a risk-based approach to security will have a broader view of their enterprise’s objectives and know how to strategically and tactically use their resources to achieve them. They will get a horizontal view of the enterprise, instead of a swim lane, which will enable them to deliver shareholder value and enhance customer experience.