The CISO's 5 Best Friends
These Are Security's Key Executive Allies
"It's the only way I can do my job," says Dennis Devlin, CISO at Brandeis University in Massachusetts. He plays an advisory role to management and other key executives to help them understand the risks associated with the information and assets they hold and how those risks can be mitigated. In turn, these leaders help Devlin understand the core business processes and the information workflow within an organization.
A CISO's primary role is to manage risk, and in this capacity one must understand that risk touches the entire organization. Without strong relationships and collaboration from the organization's business owners, as well as other key individuals, a CISO cannot provide the best solutions on how to deal with that risk effectively at the enterprise level.
"Relationships and mutual trust ultimately define a CISO," says Mike Russo, chief information security officer for the state of Florida.
CISO's 5 Friends
Among the best friends the CISO needs today:
- Chief Compliance Officer: Heightened government and industry regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act in the U.S., as well as the global Payment Card Industry Data Security Standard, all have expanded the role of CISOs. Security leaders increasingly help organizations manage overall risk by enforcing internal governance policies designed to mitigate security and regulatory compliance weaknesses.
As a CISO, Devlin works with his compliance team to help members understand the controls and the risk tolerance needed to stay compliant with industry regulations. For instance, when Sarbanes-Oxley came out, Devlin - then a CISO at Thompson Corporation - worked with his compliance team to help it understand the organization's risk of non-compliance and what new controls the process required. "Our relationship is based on mutual trust, and in such situations people don't hide their vulnerabilities," Devlin says.
It's also important for the CISO to build a new level of coordination and friendship with compliance in order to understand how the compliance team contributes to information security. For instance, state agencies in Florida are required by law to conduct comprehensive risk assessments, and they need compliance leaders to review the findings, validate the methodology and confirm that the audit is complete. "Compliance folks are critical to the success of remediation for the CISO in very simple terms," Russo says.
- Chief Legal Officer: The CISO's role is growing and broadening into emerging fields such as social media, digital forensics and cloud computing. High-profile cases of corporate fraud, identity theft and incidents requiring breach notification also push the security officer to become familiar with the legal domain. The CISO must know how to update the security policies, what processes to follow in the event of a breach or a forensics investigation, and how to draw up vendor contracts that define specifics on data protection and security controls.
"I seek counsel from my legal team to understand the impact of electronic health records on patients' privacy or if this move will increase healthcare breaches," says Terrell Herzig, information security officer at UAB Health System in Birmingham, Ala.
The legal department in turn seeks his advice and guidance to understand the security risks on information handled by third parties, how they need to deal with security and privacy issues or clauses within a contract, how to store confidential information and the impact of regulations on information security functions.
- Chief Finance Officer: As more business leaders have come to realize the strategic importance of IT security, the CISO role has become part of the executive team, making it essential for CISOs to have an open dialogue with the chief financial officer. "Everything is tied to money when it comes to information security," Russo says. He maintains a strong partnership with finance to understand what money may become available through the legislature, where money can be shifted, and which business categories generate revenue.
"As CISOs, we not only have to make the best choices, but financially sound choices around security to know what we can deploy within the organization," Russo says.
Devlin also interacts with his financial group regularly to understand how much revenue risk his organization is willing to accept and what the defined risk tolerance for the enterprise will be. In addition, a friend in finance gives the CISO an influential advocate for information security who can voice support on security issues.
"It will make much more of an impression to the board to hear from a CFO that we need to improve security than to hear it from a CISO," Devlin says.
From his side, the CISO helps the CFO make financial decisions that involve information security. For instance, Russo is typically involved in big projects that deal with financial applications, the movement and security of information, and how to lock down confidential information. "So when finance has to go about securing the information that they are responsible for, they come to us and ask questions," Russo says.
- Social Media Officer: As social media emerge and change the corporate communication channel for both organizations and employees, CISOs find themselves playing a key role in policy-shaping discussions and taking ownership of the risks associated with such an undertaking, says Brett Wahlin, CISO at McAfee.
Concerns about risks such as data loss, malware and phishing attacks via these channels lead many security leaders to expand their roles in monitoring employee activities and implementing privacy controls on staff access to social media sites. CISOs need an ally in the social media department so they can orient that team to standard information security practices and tools and help it understand how its actions affect the protection of privacy and data within the organization. "CISOs need to partner with social media to understand both the risks and exposure that these new technologies bring on," Wahlin says.
- Public Relations Officer: PR plays a crucial role in crisis communication, working closely with security leaders to organize the response so as to minimize damage, and then presenting the information to the media in a way that safeguards the company's image and reputation. Public relations is part of incident response plans, business continuity/disaster recovery operations and the breach notification process. As such, CISOs need PR's advice on a constant basis in order to protect the reputation of the company.
For example, if it is determined that a security breach is of sufficient magnitude that it may require a press release, the CISO has to share details of the investigation and seek PR's advice to draft the right message for the media and the organization's stakeholders.
"We need public relations to coordinate messages across business units and help understand what needs to be said, especially in light of breaches," Russo says.
In return, CISOs provide public relations executives with education. "A lot don't understand the significance of events," Russo says. "What types of events are occurring? How can incidents affect the brand and reputation of an agency?"