As technology changes, so do the roles that create and support it. Case in point: the role of the chief information security officer, which has seen so much change that it's almost unrecognizable compared to the duties it served to fill even two years ago. That, in turn, has sparked a serious amount of discussion — one that goes all the way to the heaviest hitters the tech security community has to offer.
"The Changing Role of the Chief Information Security Officer: What Every CISO Should Know," a Dark Reading-hosted webinar featuring Veracode CTO and CISO Chris Wysopal and Mayo Clinic CISO Jim Nelms, seeks to provide insight and experiential knowledge to CISOs who hope to understand and better navigate their changing roles. Whether you're a first-time viewer or you're just looking for a refresher, here are some of its many key takeaways.
Changing Landscape; Changing Role
In business, "Adapt or die" isn't an empty truism. When Dark Reading Editor-in-Chief Tim Wilson asks his panelists why the role of the chief information security officer has changed so much in the last few years, Wysopal is quick to call it a "double-whammy." "The threat space is changing," he says, "and the infrastructure is changing at the same time."
Unlike the old days, when innocent curiosity drove most hackers to monkey around in systems they weren't supposed to access, today's attacks come from endless angles. The black hatters accessing your servers may be trying to steal valuable information (as individual actors or corporate espionage agents), make a point (a fact called to light by the recent resurgence of hacktivism), or serve their nation (government-sponsored attackers have incredible skill and near-unlimited resources, in many cases).
If the attacks are the art, so to speak, then the infrastructure is the canvas — and that canvas is growing at an exponential rate. Because businesses are using technology to grow "as fast as they can," as Wysopal says, the number of inroads attackers may take is larger than ever; throw in the fact that many technologies and the software that powers them are brand new and the idea that all industries of all shapes and sizes must leverage innovation to survive, and you have a world in which the phrase "Anything is possible" looks simultaneously inspiring and threatening.
Losing Control and Managing Relationships
The way we make software is changing, too — and those changes play a big hand in the changing role of the chief information security officer.
Take outsourced and open-source code, two increasingly important factors everywhere software is developed (read: everywhere). As noted by Wysopal and Nelms, every line of outsourced code produced is another outside the CISO's direct influence; that, Wysopal notes, means even formerly cloistered CISOs must work with departments ranging from marketing to legal and beyond. And that's before mentioning building security-focused relationships with vendors themselves.
The result is a role that takes the form of "business risk management," Wysopal says, relying on policies and procedures to keep things secure. That said, the more things change, the more they remain the same: Nelms notes that, despite changes in technology and responsibilities, the CISO's main job is and always will be to protect information. It's the shape that protection takes that CISOs and the companies that hire them must be concerned with.
Successfully reporting to the board means speaking the board's language. If a CISO can't state a position or make a case in a way that's imminently relatable, considering the technical nature of the work, that CISO might as well be speaking Greek to an audience that only understands English.
This change goes hand-in-hand with the expanding threat space mentioned earlier, not to mention all the risks a company assumes by embracing tech these days. Since the role of the chief information security officer is to manage the risks that come with technology, he or she must craft plans and handle situations that touch on compliance, branding, practices of non-tech employees and more. The list truly goes on forever.
One tip, Nelms notes, is to go back to speaking the right language. If CISOs can find a way to outline a problem in terms of percentage points, ROI and other financial terminology, then it's much more likely they'll accomplish their goal no matter who they report to.
If you recognize the names attached to this webinar, you know their insights can't be contained in one article. For a more in-depth look at the CISO's ever-shifting (yet curiously constant) role in the tech world, be sure to check out the webinar. Whatever your role and however it's changing, you're guaranteed to find some eye-opening, actionable insight.
Photo Source: Flickr