Ants and elephants in the CISO's office

Or what I think about on the way to work versus what keeps me awake at night

By Paul Raines, UN Development Programme, a 2014 CSO40 award recipient

A CISO lives a precarious life.  A head hunter once told me that the average CISO at large corporations lasts about 18 months before being fired or replaced.  That’s because he or she faces two kinds of threats in the jungle of business -- ants and elephants.

Ants are the small, tactical issues that come across your desk every day.  These are tasks such as responding to audit findings or ensuring that vulnerabilities are patched, that incidents are quickly detected and handled, that user access is well defined and secured.  If you don’t quickly swat these ants crawling across your desk, they will eventually crawl all over your career and eat you alive. 

Elephants, on the other hand, are the larger, strategic issues that you get asked about at corporate board meetings or by external auditors, major clients or the CEO.  These are questions like: What are you doing to ensure due diligence in security?  What have you done to avoid the latest security breach in the news?  What have you done for me lately?  Unlike ants, elephants come barging into your life unexpectedly and usually at the most inconvenient time.  If you don’t shoot an elephant then and there, he will stomp on you and crush your career.

Both ants and elephants are important to handle correctly. But whilst CISOs are busy swatting the ants of tactical security issues, they must never lose sight of the larger strategic security objectives for their organization -- the elephants. Another way of putting this is that you must be able to demonstrate due diligence in your job to your major stakeholders -- executive management, business owners and shareholders.

One of the best ways of achieving this objective is to follow the information security best practices of ISO 27001 and to become certified as doing so. Adhering to this standard ensures that you apply the recommended security controls across all the domains in your organization that affect information security -- everything from hiring practices for new employees to physical controls for data centers to how you satisfy the legal and regulatory security needs of your organization.

Because ISO 27001 certification entails annual audits by an independent third-party auditor, the results of the audit may also be used as evidence of security due diligence for your strategic partners, suppliers and clients who demand such documentation as a condition for connecting their network with yours.

Finally, every CEO wants to know what you have done for him lately. ISO 27001 requires that you not only show effectiveness in your security controls, but that you also have constant improvement. At every management meeting I have a standard agenda item to actively ask people for ideas to improve security and about threats that we have perhaps not addressed adequately. This commitment to innovation helps ensure that security is constantly evolving to meet the growing information security threats in the world.

In sum, if you are a CISO who wants to survive the ants and elephants of the jungle, ISO 27001 is your best weapon.


Paul Raines is the Chief Information Security Officer for the United Nations Development Programme. In that capacity he is responsible for the information security and disaster recovery planning for the organization's 177 locations around the world.

The United Nations Development Programme is a 2014 recipient of the CSO40 award, presented to 40 organizations for their security projects and initiatives that demonstrate outstanding business value and thought leadership. CSO40 winning organizations will be recognized -- and many will be presenting their projects -- at the CSO40 Security Confab + Awards event, to be hosted by CSO March 31-April 2.  The UN Development Programme will be presenting on April 2.


Copyright © 2014 IDG Communications, Inc.
