CISO 2.0: Enterprise Umpire or Wide Receiver?

Monday, May 21, 2012

Robb Reck


There’s a pretty well-known characteristic among umpires. Just about any of them will tell you that a good day of work for them is if nobody notices that they existed. For the most part, that’s the truth. We notice when they blow a call, but don’t give them any thought when they’re doing their job successfully.

For years that’s been the role of the Chief Information Security Officer (CISO). The primary goal of the security department has been to keep the organization out of the newspapers. As long as no data was leaking and no regulators were barking, the CISO could operate as a cost-center in relative obscurity. Much like an umpire, the CISO was unnoticed when he was most successful. We’ll call this CISO 1.0.

The opposite end of the sports spectrum is the wide receiver. This is a position where success is defined by being in the spotlight. If this guy isn’t catching touchdowns and actively adding value to the organization, he isn’t seen as a success. His position thrives on being in the action and adding value to the team.

At this year’s RSA Conference, I attended a session where one of the speakers (a highly experienced security leader for whom I have great respect) made a comment that CISOs want to be noticed “not at all.” I don’t know what percentage of CISOs still operate under that mindset, but I believe it’s past time for a change. Security leaders have been umpires for too long, and it’s time to start flashing a bit of wide receiver.

Areas that do not provide significant organizational value are eliminated or commoditized

The nature of the business world is to invest our limited resources in areas that provide value. Areas that are not providing significant organizational value should either be eliminated or commoditized (to pay the minimum cost possible while maintaining compliance). In security, it is our challenge to demonstrate to the business that the money they invest in us goes further than just keeping us out of the newspaper. Security can deliver tangible benefits out to the business.

An effective security program can reduce the costs of creating products. By maturing our security program we can seamlessly implement security earlier in our projects. By implementing earlier we avoid the painful, time-consuming rework that comes with needing to bolt on security after the fact. Effective security can reduce the production impact of client penetration tests and regulatory changes by working their security requirements into the products the first time.

World class security is a key differentiator in many industries, including financial, government, healthcare and large public organizations. A mature security program is essential for successfully navigating processes like the Department of Defense’s Certification and Accreditation. If your organization provides services to these types of high-demand clients, security can be the difference between getting the sale and losing the business.

The number one value: a real perspective on the organization’s data risk. Getting a real measure of an organization’s cyber risk is extremely difficult. Counting on auditors (internal or external) is never going to give the entire picture. But a security department with relationships throughout the organization, with boots on the ground, and with personnel who have intimate experience working with the technology… that kind of team really has all the tools necessary to tease out the information security posture of an organization. A mature security leader can use those resources to provide higher-quality risk measures that allow the organization to see (and avoid) many disasters before they strike.

CISO 1.0 still exists in many organizations, and still will exist for as long as I can foresee. The organizations with those leaders will continue to reduce their security costs, and continue changing the security function into a compliance checkbox designed just to keep regulators, clients and auditors happy.

CISO 2.0 is a growing breed, and looks to break out of the reactive, compliance-driven mindset. This CISO wants to bring new value into the boardroom, expanding the ways security improves the positioning of the company. This CISO will still be held responsible for keeping the company out of the newspaper, but can also be known for reducing costs, increasing sales, and helping shape organizational strategy.

Michael Farnum: This has spurred a thought process in my brain. Good article and good thoughts. I am still rolling it around in my head, but the thought process is definitely good. Agree with Rafal that CISO 2.0 is off-putting, but still like the idea made more concrete.

Robb Reck: Michael, thanks for taking the time to read and comment.

I agree with both you and Raf. His suggestion of Visible CISO is better than CISO 2.0. The last thing I want is that people ignore the idea just because I picked a poor name.
