The title “Chief Information Security Officer” (CISO) is viewed in various ways by different people and different organizations. In some organizations, the CISO carries a purely policy-focused role. In others, the CISO role can overlap or even envelop IT and business operations. The role answers to different levels in different organizations, often being strictly associated with IT. Yet there are some organizations that place the CISO role on par with a CIO or CEO.
Regardless, the CISO carries with it a lot of responsibility. And while Wikipedia’s definition of a CISO (https://en.wikipedia.org/wiki/Chief_information_security_officer) doesn’t come right out and say it, a review of job listings and resumes boils it down to this: a Chief Information Security Officer is a Risk Manager focused on Information & Information Technology.
Those few words don’t do justice to what a CISO’s true undertaking is, though. This role must understand the organization it is responsible for from top to bottom – often better than anyone else. The CISO has to understand the Organization, the Missions or Business Lines of the organization, and then the underlying Systems or technologies that support those Missions/Business Lines, in order to properly manage the risk present at all three levels. To pull this off, the CISO must balance strategy with tactics, never forsaking either.
The CISO has to understand what it is that the organization exists to do. Communication with leadership is key in determining what the internal and external drivers for the organization’s security strategy should be, both of which determine the direction of the Security Program.
While leadership might not be focused on IT enough to fully grasp the impact that it has on the organization, typically leadership can understand the concept behind “risk.” So, it’s important for the CISO to be able to put into words (most often as part of a Risk Management Strategy) what leadership’s tolerance (or appetite) for risk is. And that tolerance needs to be as measurable as possible and blatantly stated for the entire organization to see: “Our tolerance for risk is Low/Moderate/High.”
Leaders typically will say out loud “I have a low tolerance for risk,” not truly understanding that a low tolerance for risk translates into a substantial budget for the Security team.
Direction from within the organization is extremely helpful, but it can change with a change in leadership. There are also external drivers, often in the form of industry standards or best practices and industry regulations; the regulations in particular are frequently not optional and can burden organizations with requirements.
In these cases, the CISO can use industry standards or regulations to form the policy framework that the organization uses to drive its security strategy.
It’s important to be able to measure the organization’s implementation of its own policy against the risk tolerance defined by leadership. Security and risk assessments help paint the “at what level of risk is my organization” picture for the CISO and for leadership.
The organization exists by its various missions and lines of business. The security program is there to make these lines of business more resilient, which in turn lowers risk to the overall organization.
The CISO has to understand how the lines of business operate, and be able to translate Security Policy into activities or tasks that can be integrated into the functioning business lines to protect the IT assets that business lines use.
The criticality of the organization’s functions, business lines, and missions helps the CISO to implement proper contingency planning so that business can be continued in the face of various disaster scenarios.
The CISO should be able to paint a picture for leadership of how well each line of business is adhering to policy, and of which risks (whether internal or external, adversarial or non-adversarial) have the greatest impact on the operations of that line of business. Since the CISO’s role is focused on managing IT Risk, that policy-adherence and risk-based information should be gathered not only from the business process perspective, but also from each system or technology supporting each line of business.
Just like the organization needs its business lines to be resilient, business lines need their systems and technologies to be trustworthy.
While the application of certain aspects of policy might happen at the organization level or the system level, the policy still needs to be applied:
- users must be trained
- system components must be configured securely (which includes high-availability or duplication sometimes)
- lines of communication must be locked down
- backups must be performed
- logs must be aggregated and correlated
- threats must be hunted
- vulnerabilities must be patched
The CISO plays an active role in ensuring that each of these things happens. And when one of these policy requirements is skipped, a risk is present. To tie this back to the organizational tolerance for risk – if the risk is (based on likelihood and impact) measurably higher than the documented risk tolerance, it has to be mitigated.
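To make the comparison in the paragraph above concrete, here is an added Python example (not from the original article) that evaluates a small risk register of skipped policy requirements against a documented Low/Moderate/High tolerance and surfaces what must be mitigated; the 3x3 likelihood-impact matrix, the systems and the findings are constructed assumptions.

```python
"""Compare a risk register against the documented risk tolerance (added example; data constructed)."""
from dataclasses import dataclass

# Qualitative scale from the risk management strategy, ordered from lowest to highest.
LEVELS = ["Low", "Moderate", "High"]


@dataclass
class Finding:
    system: str          # system or technology supporting the business line
    business_line: str
    control: str         # the skipped policy requirement that creates the risk
    likelihood: str      # Low / Moderate / High
    impact: str          # Low / Moderate / High


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact with an assumed 3x3 matrix (sum of level ranks, 0..4)."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "High" if score >= 3 else "Moderate" if score == 2 else "Low"


def exceeds_tolerance(finding: Finding, tolerance: str) -> bool:
    """True when the finding's risk is measurably higher than the documented tolerance."""
    return LEVELS.index(risk_level(finding.likelihood, finding.impact)) > LEVELS.index(tolerance)


def mitigation_queue(findings: list, tolerance: str) -> list:
    """Findings that must be mitigated, highest risk first (stable order within a level)."""
    must_fix = [f for f in findings if exceeds_tolerance(f, tolerance)]
    return sorted(must_fix, key=lambda f: -LEVELS.index(risk_level(f.likelihood, f.impact)))


def worst_risk_per_business_line(findings: list) -> dict:
    """Highest risk level present in each business line, for the picture given to leadership."""
    worst = {}
    for f in findings:
        level = risk_level(f.likelihood, f.impact)
        if LEVELS.index(level) >= LEVELS.index(worst.get(f.business_line, "Low")):
            worst[f.business_line] = level
    return worst


# Constructed sample register: three skipped policy requirements from the list above.
SAMPLE_REGISTER = [
    Finding("Server A", "Patient records", "vulnerabilities must be patched", "Moderate", "High"),
    Finding("Billing app", "Billing", "backups must be performed", "Low", "High"),
    Finding("Lab workstation", "Research", "logs must be aggregated and correlated", "Low", "Low"),
]
```

With a stated tolerance of “Low”, both the unpatched Server A and the unbacked-up billing app land in the mitigation queue; raising the tolerance to “Moderate” leaves only Server A.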
Also, from a trustworthiness perspective, take vulnerability patching as an example – if Server A’s database management system has a vulnerability that allows remote attackers to randomly overwrite data, and the patch for that vulnerability has not been applied, then users of that system are unable to trust that the information in the database is correct. In the case of a hospital worker trying to determine whether a patient is allergic to a certain prescription, that loss of information integrity could cost lives.
The CISO should be able to more granularly define the exact risks that a system is subject to by performing host & application vulnerability scans, source code reviews, component configuration reviews, architecture design reviews, user awareness training tests (like phishing campaigns), penetration tests, security and risk assessments, and many other information gathering exercises.
Additionally, if the CISO’s role includes Security Operations, functions like log correlation enhanced with threat intelligence integration, user activity behavioral analysis, incident response, etc… will help the CISO understand what active threats are working to exploit the vulnerabilities discovered in security and risk assessments.
The CISO must understand the organization at the strategic and tactical level – and be able to show leadership how risks affect all of it. All of the information gathered helps the CISO and organizational leadership focus resources on the business lines and IT systems that pose the highest risk to the operation of the organization. Without visibility, organizations remain blind to risks, and never see the attack coming. So, yes, the role of the CISO is daunting – this individual must know the business, the people, the processes, the technologies (including their proper configurations & best practice deployments), the priorities, the regulatory & legislative landscape, the threats, the vulnerabilities (and whether or not a particular vulnerability is being actively exploited by attackers), the threat actors focused on the organization’s industry and their methods of operation, … the list goes on… It’s important for CISOs to understand that perfection is certainly out of reach, but a step closer is still a step closer.