The New CISO: How the role has changed in 5 years
The role of CISO has evolved in the last five years from one of IT security administration to high-level risk management. Here are four perspectives on how and why it happened and how you can go about doing the job effectively today.
By Bill Brenner, Senior Editor
November 02, 2010 — CSO
The role of chief information security officer is not what it was five years ago. According to those who find themselves in the role, that's not necessarily a bad thing.
It used to be that CSOs were over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off of infected laptops. True, that's still the role some CSOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the program that balances acceptable risks against the unacceptable.
In an ideal world, today's CISO hires someone else to handle all those technical tasks. Of course, the question is whether you can inspire them to do what you once had to do or if you'll turn them off with an attitude of superiority.
We reached out to several current and former CSOs and CISOs -- and a few analysts who have worked with them -- for a look at what has changed from their vantage point and what a security exec must do to survive in the job today. What follows are four perspectives.
Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services
On how the position has changed for the better: In 2006 I was the only person running an enterprise security organization in Catholic healthcare that held an executive position. Many of the people I ran into who were leading security, whether traditional corporate security or information security, were essentially senior managers with fancy titles, rather than junior to mid-level executives. Really the only place this wasn't true, in general, was in the financial and defense sectors. In fact, if you look at who the original thought leaders of security were, you see them coming out of those sectors very strongly. Today that is no longer true. I have peers in Catholic healthcare who are vice presidents of their organization. More importantly, almost all large corporations (Fortune 500 as a definition for large) are hiring a VP of information security or something equivalent.
Security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, focused very narrowly on technology controls within the scope of the IT organization), compliance training and awareness, and so forth. So, things that security practitioners long said were part of security, our organizations are now looking for us to accomplish also. Essentially, the CSO/CISO has become a permanent part of the group sitting at the table deciding how the company does business. The CSO leads the security function within the business and that function is now viewed as a necessary function within the business, rather than something to be given lip service to keep the regulators away but otherwise ignored. This is a significant and powerful change, in my opinion.