by Steve Hunt

The CISO in 2010 still touches technology

May 26, 2004

At Forrester’s GigaWorld IT Forum in Orlando, Fla., on May 16, seven members of Forrester’s Security and Risk Management Council sat with Forrester analysts Steve Hunt and Jan Sundgren to brainstorm about the role of the head of information security in 2010.

Security Is Remaining Close to IT

There seems to be a lot of momentum around the idea of the CISO moving out of IT and reporting directly to some senior business executive. Our panel didn’t think that was necessary. Certainly there needs to be executive support for corporate security standards, but the CISO can live quite happily within IT.

Primarily Translating Business Requirements To IT

The main responsibility of the future head of security will be communication: explaining to business managers how security may help them, helping infrastructure teams know how much security is enough, and helping end users know their responsibilities.

Different viewpoints connected by a bridge over troubled waters. One of the biggest challenges to any successful security program is getting the infrastructure side and the business side to understand each other. The CISO of 2010 will work closely with technology experts and business stakeholders ensuring that the engineers understand business needs and that business managers, legal departments, auditors, and finance departments, among others, understand important technical security issues uncovered by IT.

IT security is not replaced by information security. The popular thinking these days is that IT security – the technology of perimeter controls, or network protections – will be superseded by the “higher view” of information security – the processes and technologies of achieving and measuring compliance with regulations, ensuring protection of proprietary information, and basically being concerned with softer or less technical security and risk management problems.

Our discussions, however, indicated that there is a strong need for the CISO to continue to manage technical security matters that may have been pushed out to infrastructure teams. Already, best practices are drifting in that describe companies with distributed ownership of security projects. For example, several large distributed companies gave ownership of antivirus management to the desktop teams and ownership of firewalls and some intrusion detection to network operations staff. That seems to work well.

Sharing Responsibility, Letting Things Go

Tentacles of solid and dotted lines keep the CISO in the know. The future CISO will have a combination of roles reporting in. For example, security architects will be under the CISO, focusing on the matters of aligning information security projects with business requirements. Antivirus and firewall teams will have solid lines reporting into IT operations, but the CISO will have dotted lines and will influence goals and performance metrics. The CISO will report into some senior manager, perhaps either the CIO or legal counsel, but will make regular presentations to all other groups of stakeholders and may have some oversight by an executive steering committee.

But don’t lose touch with technology. The gotcha that concerned our group of CISOs is that these operational teams need plenty of guidance and oversight. Over time, it would be so easy for the CISO to lose his or her technological edge. That would mean the operations folks eventually would be setting policy and creating their own standards. After all, if the technology continues to evolve and the CISO loses touch with it and doesn’t have management ownership, the operations team will be the experts on which standards are written. That’s why our panel thought it best to keep some authority in the game, with the CISO being involved with some portion of the operations team’s quarterly metrics or goals, assigning of bonuses, etc.

Business units will have local security officers. If you look around your organization, you may discover what our panel did: There are already a lot of people doing security-related tasks inside the business units. Formalizing those responsibilities into full- or part-time security officers extends influence, efficiency, and effectiveness – in theory, at least. Those business unit security liaisons have to be competent and dedicated to protecting the security interests of their respective businesses. Training is key, as is regular communication between these local security representatives and the CISO.

Qualifications Change, Emphasize Communication

Security managers today are notoriously technical. But our group of CISOs described how their non-security backgrounds from schooling, previous jobs, athletics, or hobbies gave them a special advantage. In fact, being technically savvy in security doesn’t help as much as it used to. Now, CISOs are chosen more often for their ability to explain to businesspeople what matters, why it matters, and what needs to be done.

Create Your Own Future

Our panel of CISOs understood that the future would not simply happen to them. It would be created by them. Current and prospective CISOs can prepare for 2010 by paying close attention to what matters most to executives and business managers. Learn how business managers communicate, discover what their priorities and interests are, and practice explaining business requirements to IT personnel.

Business Is the Point of Security

Ultimately, the CISO is not responsible for promoting security per se. The CISO will promote the mission statement of the company – not securing the network but securing the business. So the CISO will do less “selling of security” to business managers and more explaining the business to infrastructure staff. This will create an environment of security as an enabler. After all, business managers are not interested in security. They are interested in the benefits of security. The future CISO will protect the company’s interests without preaching doom and gloom all day long.