6 tips to shift information security from defense to offense

By Rick Kam
08:04 AM
a:2:{s:5:"title";s:118:"ID Experts president Rick Kam explains that the CISOs path to success depends on embracing risk-management practices. ";s:3:"alt";s:0:"";}

Chief information security officers have, for decades, played “data defense” — security and protection were their watchwords. But in the new world of risk management, the CISO’s role is changing from security expert to business strategist as new technologies and threats are changing the risk landscape daily.

Organizations have to be measured and agile in their responses, and they are increasingly looking to the CISO to help prioritize and align security efforts with business strategy.

The CISO can no longer hide behind a firewall of technical authority, and those who can ally security efforts with the business strategy and articulate the business reasons will be the success stories of the future.

This shift from security to risk management is not easy, but these tips can ease the transition:

1. Go holistic or go home. Organizations are turning to a more holistic risk management-based approach to privacy and security, and CISOs are expected not only to move but also to lead in these new directions. In a poll conducted by IT community organization Wisegate, almost 100 percent of the CISO respondents said they now have combined responsibilities for information security and risk management. Respondents cited compliance requirements and the general threat landscape as the biggest drivers of the shift to risk management, along with the number of near-miss security incidents and a desire to be more proactive in preventing them.

2. Up your reporting game. With combined CISO responsibilities are new reporting structures: many now report both to the CIO and the Chief Risk Officer or the Chief Compliance Officer, and some expect that in the future they may not report up through the CIO at all. In fact, a recent article in IT Pro Portal cites the Deloitte 2013 TMT Security survey, which found that 65 percent of CISOs report to the board of directors.

[Related: The Cybersecurity cold war. CIOs share insights on savvy information security.]

3. Address the human factor. Astute organizations realize that the technical side is only half of information security; since more than 50 percent of data breaches are still the result of human error. It has also become clear that no organization can afford to secure every bit and byte of data in its every incarnation through every stage of the business process. In light of these realizations, CISOs are increasingly being asked to help address the human factors in information privacy and security, and to help guide decisions about how to achieve maximum protection from finite security budgets.

4. Learn to prioritize risks. The new dual role of the CISO is proving to be a balancing act. Whereas security is an absolute — data is either secure or it isn’t — risk management involves prioritization. And whereas the mission of the CISO used to be to seek out security gaps and fill them, today it is to seek them out and help the board and management prioritize the need to fill them.

5. Understand legal concerns. The shift from guardianship to governance creates tension in another area. In some organizations, legal teams are concerned that the decision not to address known risks can remove plausible deniability in case security incidents do occur. Absolute security is not a compliance requirement — regulations such as HITECH require organizations to assess risk and document the rationale behind their responses — but legal teams still worry that an unaddressed risk could leave the organization open to liability in case of an incident. Addressing the legal risks requires communication and close collaboration between the CISO’s team and the legal team to determine that risk documentation is appropriate and adequate to protect the organization.

6. Become business-savvy. Whereas the old CISO role depended on technical acumen, the new CISO’s toolkit includes communication, business, and leadership skills. IT Pro Portal reports that CISOs are increasingly coming into the role from the business rather than the IT side of the organization. Long-time CISOs are looking for new ways to hone their business communication skills. A new program developed by HITRUST and Southern Methodist University offers certification in healthcare information security and technology risk management. The program aims to help CISOs and members of their organizations not only identify and manage risks, but to be able to articulate their recommendations in compelling business terms.

Season ahead
While the CISO’s tools and practices are evolving, the path to success is clear.

Whether selling the board on risk management strategies and investments or collaborating with other departments to implement effective security training programs, policies, and best practices, the CISO must be able to work in alignment with the evolving strategy and needs of the business.

The new CISO is more business leader than technologist, more enabler than enforcer. A quote from one Wisegate survey respondent revealed the question every CISO needs to be asking today: “How do we enable the business to do what they're trying to do in a safe manner or as safe manner as possible?”

The CISO who can answer that question will be the one who wins the game.

Related articles: 

A glimpse inside OCR's auditing mindset 

Mobile devices: A remote control to the Insecurity of Things

When IT sets BYOD, social media rules but users disagree