BreachExchange mailing list archives
New role of the CISO: Putting risk front and center
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Jun 2014 20:37:49 -0600
http://www.govhealthit.com/news/new-role-ciso-putting-risk-front-and-center#.U58mcZRX-uY

Once upon a time, when CISOs were a new thing, information lived in the data center. IT managed the data, and CISOs protected the perimeter. Today, mobile computing links the back office with every employee and customer all the time — there is no perimeter. As information moves beyond the data center, so has the role of the CISO, shifting from data security to managing the inevitable risks of anytime, anywhere data.

The threat landscape and security technology are also driving the change in the role of the CISO. There are over 700 security technologies available, with millions of potential threat actors around the world. It's not a question of if, but when and where a data breach will happen, requiring data incident management.

Instead of merely securing the data — and often it is regulated data — CISOs are tasked with managing the inevitable risks to data, as much information now resides outside the organization and is constantly on the move, flowing to insurers, patients, third parties, and others.

But CISOs cannot manage risk from the data center — not when they need to manage risks to business operations, third-party risks, and regulatory risks. Now, the CISO needs to manage the complete risk posture of the organization, from the data center, where there’s some control, to outsourcing, where there is almost none. This uneven playing field makes the CISO’s job difficult, to say the least.

6 tips to total risk management

Managing risk in the new information landscape requires a strategic focus — in other words, it must become “core DNA” for the organization. Here are ways to make risk management strategies effective.

1. Understand that compliance-based risk strategies are insufficient. Big breaches that make headline news often involve companies that are compliant but not secure. CISOs need to move past just being compliant to managing the unique threats facing their organization.

2. Know the specific threats and risks, as well as the goals and resources, of your organization. There is no risk if there is no threat or no value, so a CISO must identify those first. Then the CISO needs to evaluate the risks: internal information systems, regulatory changes, and data moving within and outside the organization.

3. Examine risks from the standpoint of business goals, to come up with a business-aligned security strategy. This is the new challenge for the CISO: “How do I align my entire security strategy with the business and then message that correctly to get resources and buy-in from the executive team?” Once a CISO takes this holistic approach, risk management can then be incorporated into day-to-day business operations, making it part of the cultural DNA of the organization.

4. Change the name and reporting structure to reflect the new risk management focus. Instead of a chief information security officer, businesses today need a chief information risk officer, a CIRO, and that person needs to report not into IT, but to the business leadership team. Like all the other C-level executives, the CIRO now talks in the same business terms and manages risk in alignment with business priorities.

5. Focus on business more than technology. Find a business mentor, consider an MBA, and choose to spend more time in business meetings than technical meetings. A CIRO hires people to manage the technical stuff, focusing instead on working directly with the business to understand its needs and articulate how the security organization is providing value to the business.

6. Get help. CISOs have a number of resources available to help make the transition to a risk management focus. The recently formed Security Advisor Alliance is a non-profit focused on security officers. Members share questions and best practices, to create a safe place for a security officer to ask a question of peers and talk to others who have solved similar problems.
From CISO to CIRO: A gradual process
The leap from data security to information risk management needn’t (and can’t) be made all at once. You can start slowly, but it’s vital to start changing now, because the threat landscape has already changed and will continue to change. Data incidents happen, and understanding and managing the risks ahead of time can save the organization and its people from years of losses and litigation. Split-second decision-making is best prefaced by months and years of preparation. One of the worst parts about being CISO is being in the middle of an incident where you get 30 seconds to make a risk-based decision, knowing that it will be scrutinized by customers, regulators, and lawyers for months to come. But you can get through it. Risk management and preparation — and thorough data incident assessments — are your best defense.