BreachExchange mailing list archives

New role of the CISO: Putting risk front and center

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Jun 2014 20:37:49 -0600

http://www.govhealthit.com/news/new-role-ciso-putting-risk-front-and-center#.U58mcZRX-uY

Once upon a time, when CISOs were a new thing, information lived in the
data center. IT managed the data, and CISOs protected the perimeter. Today,
mobile computing links the back office with every employee and customer all
the time — there is no perimeter. As information moves beyond the data
center, so has the role of the CISO, shifting from data security to
managing the inevitable risks of anytime, anywhere data.

The threat landscape and security technology are also driving the change in
the role of the CISO. There are over 700 security technologies available,
with millions of potential threat actors around the world. It's not a
question of if, but when and where a data breach will happen, requiring
data incident management.

Instead of merely securing the data — and often it is regulated data —
CISOs are tasked with managing the inevitable risks to that data, since much
of the information now resides outside the organization and is constantly on
the move, to insurers, patients, third parties, and others. But CISOs
cannot manage risk from the data center — not when they need to manage
risks to business operations, third-party risks, and regulatory risks.

Now, the CISO needs to manage the complete risk posture of the
organization, from the datacenter, where there’s some control, to
outsourcing, where there is almost none. This uneven playing field makes
the CISO’s job difficult, to say the least.

6 tips to total risk management
Managing risk in the new information landscape requires a strategic focus;
in other words, risk management must become "core DNA" for the organization.
Here are ways to make risk management strategies effective.

1. Understand that compliance-based risk strategies are insufficient. Big
breaches that make headline news often involve companies that are compliant
but not secure. CISOs need to move past just being compliant to managing
the unique threats facing their organization.

2. Know the specific threats and risks, as well as the goals and resources,
of your organization. There is no risk if there is no threat or no value, so
a CISO must identify those first. Then the CISO needs to evaluate the risks:
internal information systems, regulatory changes, and data moving within
and outside the organization.

3. Examine risks from the standpoint of business goals, to come up with a
business-aligned security strategy. This is the new challenge for the CISO:
“How do I align my entire security strategy with the business and then
message that correctly to get resources and buy-in from the executive
team?” Once a CISO takes this holistic approach, risk management can then
be incorporated into day-to-day business operations, making it part of the
cultural DNA of the organization.

4. Change the name and reporting structure to reflect the new risk
management focus. Instead of a chief information security officer,
businesses today need a chief information risk officer, a CIRO, and that
person needs to report not into IT, but to the business leadership team.
Like all the other C-level executives, the CIRO then speaks in the same
business terms and manages risk in alignment with business priorities.

5. Focus on business more than technology. Find a business mentor, consider
an MBA, and choose to spend more time in business meetings than technical
meetings. A CIRO hires people to manage the technical stuff, focusing
instead on working directly with the business to understand their needs and
articulate how the security organization is providing value to the business.

6. Get help. CISOs have a number of resources available to help make the
transition to a risk management focus. The recently formed Security Advisor
Alliance is a non-profit focused on security officers. Members share
questions and best practices, to create a safe place for a security officer
to ask a question of peers and talk to others who have solved similar
problems.

From CISO to CIRO: A gradual process
The leap from data security to information risk management needn’t (and
can’t) be made all at once. You can start slowly, but it’s vital to start
to change now, because the threat landscape has already changed and will
continue to change. Data incidents happen, and understanding and managing
the risks ahead of time can save the organization and its people from years
of losses and litigation.

Split-second decision-making is best prefaced by months and years of
preparation. One of the worst parts about being a CISO is being in the
middle of an incident where you get 30 seconds to make a risk-based
decision, knowing that it will be scrutinized by customers, regulators, and
lawyers for months to come. But you can get through it.

Risk management and preparation — and thorough data incident assessments —
are your best defense.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 