Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

7/16/2019
10:30 AM
Terry Ray
Commentary

Is 2019 the Year of the CISO?

The case for bringing the CISO to the C-suite's risk and business-strategy table.

PwC reported that 81% of investors and analysts responding to its 2018 Global Investor Survey ranked cybersecurity among the top three threats to business; more than half of those said it was the single biggest threat. The natural upshot should be a CISO who matters more to business strategy, but in many cases that's an uphill climb.

The traditional view of the CISO is that of a specialized mini-CIO: someone who exists to achieve compliance, put out security fires, and stand in as a scapegoat when something inevitably goes wrong so the CIO doesn't have to take the heat. A case in point: Target had no CISO when it suffered its infamous point-of-sale mega breach in 2013; consequently, it was Target's then-CIO who was compelled to resign shortly thereafter. Only then did Target create and fill a CISO position, answering to the new CIO.

Across both the private sector and the public sector, the plurality of CISOs report to the CIO. A subset of enterprise organizations, however, are increasingly realizing that this is a suboptimal approach.

For starters, many have recognized that having the CISO answer to the CIO presents a conflict of interest, because the two have different budgetary interests and are measured against different objectives. CIOs are pressured to make decisions that favor business agility above all else; for them, security is an afterthought compared with functional viability. CISOs, by contrast, have "security" in their job titles for a reason. Yet a CISO who reports to a CIO or other IT operations manager is unlikely to report his or her boss to the legal department for the compliance failures that will inevitably follow.

Over the past few years, Congressional staffers, federal and state regulatory bodies, and industry collaboratives alike have made these same observations, specifically dictating that CISOs report to a risk officer, the general counsel, the CEO, or even straight up to the board of directors. Lately, these recommendations and requirements have begun to take hold. A May 2018 industry report from Dark Reading about the role of CISOs notes that CISOs have at least a "dotted reporting structure," if not a direct one, to boards and/or CEOs. This reporting structure is crucial not only for mitigating liability and compliance risks (so that, after an inevitable data breach, the company can show regulators that its board of directors and CEO met with the CISO on cybersecurity issues x number of times every year), but also for crafting the cybersecurity and data-stewardship solutions that effective business strategy will depend on going forward. Without the CISO, boards and CEOs may not even be able to identify the right questions to ask or the right problems to solve in the first place.

The whole concept of a CIO implies that that person has full control of the company's infrastructure and IT decisions. A CISO would typically be a part of that, but that's not necessarily reflective of what the pecking order should be. Just because the CISO will work extensively with the CIO doesn't mean that the CISO should report to the CIO, just as the general counsel shouldn't report to the executive vice president of sales simply because the legal department has to work extensively with the sales teams. These are separate functions that happen to work together, and the IT team and the information security team are likewise separate from each other.

This is because the CISO position is no longer a niche technology role. Cyber presence is sufficiently ubiquitous today that, for many enterprise organizations, the Internet is their primary (if not only) go-to-market platform. In this environment, the CISO's job is to step to the forefront and evangelize three messages:

  • "We are under attack." There are constant attempted cyberattacks — usually automated — every single day against every major enterprise.
  • "Our attackers will succeed, eventually." Everybody's being breached. We, too, will be breached someday (assuming we haven't been already). We must be prepared with the knowledge and tools to minimize the damage and to respond both during and after a breach.
  • "Cybersecurity is a business issue — not a tech issue." How we manage our cyber presence and secure our data drastically affects our ability to do business — from an accessibility standpoint, from a brand-trust standpoint, and from a regulatory compliance standpoint.

Taken together, these messages add up to a grander and more important one, which investors already know: "Cybersecurity is about extreme monetary risk."

And there you have it. CISOs deal with far heavier risk assessment and risk management issues than generalist IT leaders do, to the point where their job is all about risk and only incidentally about IT, rather than the other way around. The CISO job therefore belongs in the organization's risk hierarchy rather than in the IT department. The CISO is, first and foremost, a risk manager: a digitally present risk manager, but a risk manager nonetheless.

Let the CISO answer accordingly.


Terry Ray has global responsibility for Imperva's technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for ...