/aug 4, 2015

For CISO Evolution, the Three Cs Are Key

By Doug Bonderud

The three Cs are the keys to any CISO's success.Data breaches are on the rise. According to a recent Forbes article, more than 675 million records were compromised last year. What's more, these breaches weren't limited to a single sector: retail, financial and even post-secondary institutions were all victimized. That means IT security must evolve, and that evolution starts with the Chief Information Security Officer (CISO).

In a new Dark Reading webinar, Editor in Chief Tim Wilson sat down with CISOs Jim Nelms of the Mayo Clinic and Chris Wysopal of Veracode for their take on what makes this C-suite role effective in the new IT environment. Here's a quick look at the three Cs necessary for any CISO to succeed:

1. Control

According to Wysopal, companies must now deal with an "expansive new IT landscape" that includes mobile devices, ever-changing end points and soon the addition of wearable and other IoT-based technologies. Nelms, meanwhile, notes technology isn't always the origin of a data breach — people are also a problem. In the financial sector, for example, just 3 percent of breaches happen because of end users. In government, this number climbs to 18 percent, and in healthcare it's a whopping 47 percent.

To succeed in this changing environment, CISOs need to reestablish control. This can be a difficult undertaking, however, since many security officers believe the goal is to reestablish control over network end points, while Nelms argues that companies never had control of end points. In other words, gaining mastery of the situation requires understanding that the rules of "traditional" IT defense no longer apply.

Wysopal points out that part of this change stems from software; since most apps are now written by outsourcers rather than in-house teams, it's almost impossible to discover who wrote specific code. To gain control over this new tech landscape, he says CISOs need to view IT as part of the supply chain rather than an outlier. Managing business risk — and the ability to delegate responsibility, not liability — becomes the hallmark of control, while handling data, not devices, allows CISOs to master their own bailiwick.

2. Communication

The next takeaway for CISOs? Communication. These C-suite executives must now manage relationships across the organization to be successful — this includes IT professionals, front-line employees, the CIO and the C-suite at large. As noted by Tim Wilson, IT security is a board-level concern, but many C-suites simply don't understand the scope of the problem or its solution. It falls to the Chief Information Security Officer, therefore, to effectively communicate both risk and potential reward.

To get the message across, Wysopal recommends that CISOs steer clear of acronyms, meaningless metrics and technical jargon. Fear is also a poor motivator; while statistics about what made it past company defenses seem like they should spur action, they're often paralyzing when not coupled with a solution. Nelms calls the CISO "chief of things that don't happen," and he points to similarly ineffective metrics such as threats that never made it past corporate defenses or the speed at which IT processes handle security issues. For Wysopal, the evolving threat landscape means a greater threat surface, in turn requiring bigger security spend to keep networks safe. But information security budgets are naturally subjective, based on emerging events rather than easy predictions. Effective communication keeps security dollars flowing rather than kept under lock and key until an emergency occurs.

3. Connection

The last big "C" for CISOs? Connecting with reliable partners to outsource some of the security burden. This is especially relevant for smaller companies or enterprises that aren't in a position to spend on more full-time employees but still need to make sure every app they approve or piece of software they roll out is defensible. For Wysopal, the bottom line is that most companies need to outsource. This could mean tapping a cloud-based application security vendor to provide more robust app coverage, or hiring a part-time CISO to help fill the gap. Simply put, it's no longer possible for companies to manage security in isolation; some kind of connection is necessary to combat emerging threats.

IT security is changing, and CISOs must be prepared to evolve. This means effectively managing the three Cs: Control over existing IT resources, communication across the organization (and with C-suite members in particular) and connection with a trusted partner to maximize returns on security spending.

Photo Source: StockSnap

Related Posts

By Doug Bonderud

Doug Bonderud is a freelance writer passionate about the evolution of technology and its impact on companies, stakeholders and end-users alike. Want to know more? Follow Doug on Twitter.