CHAPTER 65

ROLE OF THE CISO

Karen F. Worstell

65.1 CISO AS CHANGE AGENT

65.2 CISO AS STRATEGIST

65.2.1 Reliance on Digital Information

65.2.2 Inherent Insecurity of Systems

65.2.3 World Trends

65.3 STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE

65.3.1 Standard of Care

65.3.2 Governance and Accountability

65.3.3 Roles and Responsibilities

65.3.4 Reporting

65.3.5 Monitoring

65.3.6 Metrics

65.3.7 Executive Visibility

65.4 SUMMARY OF ACTIONS

65.5 RECOMMENDATIONS FOR SUCCESS FOR CISOs

65.5.1 Education and Experience

65.5.2 “Culture” of Security in the Business

65.5.3 Alliance with Corporate and Outside Counsel

65.5.4 Partnership with Internal Audit

65.5.5 Tension with IT

65.5.6 Organizational Structure

65.5.7 Responsibilities and Opportunities outside of CISO Internal Responsibilities

65.6 CONCLUDING REMARKS

65.7 NOTES

65.1 CISO AS CHANGE AGENT.

The title of chief information security officer (CISO) has evolved because of the realization that the function of the chief information officer (CIO) is so broad as to require another person to focus specifically on the security elements of information. Another motivation derives from the fact that the CISO can perform functions that are not usually associated with the CIO. Our approach to information security needs to change in response to the disruptive events affecting the network and the boardroom. CISOs should be the change agents to make this happen. This is a shift from the majority of CISOs' emphasis today as senior managers of information technology (IT) security.

Today, CISOs are in the trust business due to the need to create and maintain a network of trust among all the people, business processes, and technology of an enterprise and its partners. The interconnected ecosystem that developed since the commercialization of the Internet has seen dramatic shifts of trust: Consumers are thinking twice before conducting business transactions online, and governments have intervened with regulations to improve the trust environment. The shift has been toward less trust each time we encountered a “disruptive event”—an event that awakened us to the fact that things were not as they seemed and made us aware that protection of networked information and systems needed to address something we had not anticipated. The timeline of disruptive security events that began in 1986 with the promise of productivity by Macs and PCs worsened with the Brain virus (1986). Trust continued to decline with the Morris Worm (1988) and the Concept.A macro virus (1995). Our world became flatter,1 and security became an entirely new kind of problem with the commercialization of the Internet and the introduction of the Web. In 1995 we still trusted the networked ecosystem. We saw the malicious works of nefarious individuals and groups, and we saw the future threat, but still did not fully realize how bad it would get.

Throughout this chapter, the author refers to “information security” and the “CISO.” This is not to the exclusion of aspects of security that do not deal directly with information systems; rather, it is intended in the broadest possible sense to address the interdependent disciplines that are required to protect information successfully in all its forms. It is in this context that the title “CISO” is used, inclusive of “CI” and “CSO” rather than exclusive.

In 2001, the horrific events of 9/11 rocked the planet, Enron collapsed, trust plummeted with Slammer (2002) and the insidious stealthy vectors that utilize port 80 to steal everything from personal identities, to bank accounts, and company data. The networked ecosystem has provided no end of new material for our profession while making “computer security,” “spyware,” and “identity theft” household terms.

Mark Twain once said the definition of insanity is to do the same thing over and over and expect different results. It is clear that we will need to apply a different way of thinking and new roles and responsibilities to the discipline of information security if we are to make progress in enabling the kind of protection that is required by businesses and agencies while enabling business agility and competitiveness. This is the opportunity of the CISO.

Trends reveal that we are just past the cusp of a new kind of “disruptive event” worldwide—the introduction of legislative and regulatory mandates to ensure effectiveness of controls for protection of consumers, critical infrastructures, and shareholder value. We deal today with a myriad of high-impact network-based crimes: extortion, corporate espionage, and massive fraud. Many experienced CISOs believe that a “cyber–Pearl Harbor” scenario is plausible. Since 2001, we are acutely aware of the vulnerability of critical infrastructures, at least 85 percent of which are owned and maintained by the private sector. Recent figures2 indicate that new home PCs are compromised with anything from spyware to Trojans within 5 minutes of connecting to the Internet (it takes up to 60 minutes to download protective software). Although corporate PCs may enjoy a relative degree of protection, as many as 90 percent of personal home PCs have some kind of spyware. Corporations with the resources to address information security have doubled the use of IT security standards and guides since 2003. But the insidious attack on the home user is winning a game with serious stakes: Consumer confidence in the Internet is waning. Once “computer security” was the domain of techies and “geeks”; it is now pervasive enough to be a household concern.

“Security” has definitely reached the awareness of the C-level offices (chief executive officer, chief financial officer, etc.) on mahogany row, and there are articles in the popular press on a daily basis concerning information security around the world. This visibility ensures that no one can hide behind a plea of ignorance of security problems. Legislators and regulators are more concerned than ever, and new statutes, codes, regulations, and guidelines have proliferated. In the face of huge threats and the need for a corporate duty of care, network security remains a concern, but compliance to regulations and statutes and the ability to demonstrate adherence have become mandatory.

Penalties for noncompliance to these recently established governing rules are setting breathtaking precedents: $1.2 billion for a large U.S. financial institution, $15 million for another. The U.S. Veterans Administration admitted to the compromise of personal information, including Social Security numbers, of 26.5 million living American veterans.3 It may be noted that even New Zealand was for sale on eBay® recently—reportedly the efforts of an unknown party in Queensland—and was taken offline after 22 bids had reached A$2,000.4 The reserve, if any, was probably not met. We live in a new world. Trust is no longer assumed; it is easily broken in the most inadvertent to the most imaginative ways. The case law for settlements and summary judgments in information security matters is providing the basis for the best potential dollar-based impact analysis on business and information security risk since Basel II, which is the second set of international guidelines on banking laws and regulations recommended by the Basel Committee on Banking Supervision.5

Companies, and clearly U.S. Government agencies, do not have control of intellectual property, employee data, or consumer data. The need to retain corporate records in the event of litigation regarding business matters, and to produce such information on demand under discovery, is infeasible for many firms with petabytes or more of structured and unstructured data. Recent legislation, regulations, and case law will drive the need for information security programs to solve this enormous data management and security problem and to demonstrate a level of effectiveness to a standard of care that will stand up to the scrutiny of opposing counsel. It is the role of the CISO to understand fully the implications of these new burdens and to incorporate them into a strategy along with the business strategy of each enterprise. Where information security spending was benchmarked by Gartner Group at 1 to 3 percent of overall IT budget in the mainframe days, and 5 to 7 percent at the dawn of distributed computing, the spending to resolve problems created by past failures to address solid controls, and to be prepared for the threats of the future to any degree, should well exceed 10 percent of an overall IT budget. This does not include the special allowances that will be required to treat some of the worst offenses. According to the 2004 Information Security survey conducted by PricewaterhouseCoopers and CIO magazine, the best practices group spent 14 percent of their IT budgets on information security each year.6 Companies must plan for these expenditures; the role of the CISO will be to help clarify obligations, business necessities, and strategic spending.

65.2 CISO AS STRATEGIST.

Information is the prize that motivates wrongdoers, perpetrators, and miscreants who tamper with, destroy, and penetrate systems that process, store, and transmit digital information. Phil Condit, former chairman of The Boeing Company, said it well at his keynote to the International Information Integrity Institute in 1995: “Information is the business.”7 His statement was visionary at the time. Indeed, since 1995, it is safe to say that information is the foundation of business, but it is the way it is used, combined, mined, shared, represented, accessed, and manipulated for business logic's sake that creates competitive advantage. And each of these areas of application logic and information requires rules-based protection to ensure that the business is basing decisions on sound knowledge.

There are three main drivers for CISOs to define a new strategy for information security:

  1. Systems are inherently insecure as a result of enormous variations in configuration, sheer complexity, and volume of vulnerabilities. A risk-based approach using conventional methods is no longer valid (if it ever was).
  2. The reach of global business processes, personnel, and business systems introduces new considerations into an already complex security problem.
  3. The playing field between the “protectors” and the “interlopers” is dramatically uneven. There are literally hundreds of thousands, if not millions, of interlopers with a follow-the-sun 7 × 24 × 365 factory of attacks. Companies cannot afford any such investment to counter the attacks, even if it were possible with a combination of people and automation. The attack vectors change too quickly to be able to get ahead of the curve on the protection side of the equation. Nation-states, organized crime, terrorist organizations, fraudsters, and identity thieves are continuously developing ingenious models to attack, steal, and destroy precious assets of individuals as well as of enterprises.8 Worse, professionals continue to consider the trusted insider as the most significant threat. With a globally distributed workforce of contractors, employees, and suppliers, it is necessary to have an approach to information protection controls that enables a reasonable assurance that both the external and insider threats are appropriately addressed.

The CISO as a strategist will be successful adopting and integrating new methods into the business, such as a rules-based standard of care and due diligence to that standard of care. This will necessarily include existing methods of network protection, data classification, and so forth—the standard of ISO/IEC 17799:2005 provides an excellent framework. It is the decision-making process about priorities that must change.9

As a strategist, the CISO will need to look at the security problem as an executive businessperson would. Adopting the kinds of strategic thinking described in classics such as The Art of the Long View is a key success factor.10 A partial list of things to consider includes the reliance on information, why protection is important, the insecurity of systems, the futility of risk-based security, and world trends.

65.2.1 Reliance on Digital Information.

Digital information is the lifeblood of our commerce, financial infrastructure, healthcare, transportation, energy, and even our very identities as citizens. In the United States alone there are 15 distinct critical infrastructures, vital to the interests of the country and to national security:

  1. Information technology
  2. Telecommunications
  3. Chemicals
  4. Transportation systems
  5. Emergency services
  6. Postal and shipping services
  7. Agriculture and food
  8. Public health and healthcare
  9. Drinking water/water treatment
  10. Energy
  11. Banking and finance
  12. National monuments and icons
  13. Defense industrial base
  14. Key industry/technology sites
  15. Large gathering sites11

Eighty-five percent of the systems that make up these critical infrastructures are owned by private enterprise. The systems that interconnect to deliver services require integrity, availability, trusted relationships, and confidentiality. If we cannot trust the systems, we cannot trust the information. If we cannot trust the information, we cannot trust decisions based on that information. Information security also now requires us to be able to demonstrate digital ownership and even chain of possession. We have to maintain digital information in such a way that we know where our IP is at all times, what records our company must maintain, and how to store, label, and retrieve them. The definition of information security as CIA—confidentiality, integrity, and availability—is too simplistic.

65.2.2 Inherent Insecurity of Systems.

Systems include hardware, software, utilities, scripts, and transport media, all of which are ultimately created by humans with scheduled deadlines and constrained budgets, and installed by organizations with scheduled deadlines and constrained budgets. It is all flawed. The vulnerabilities that exist today, let alone the ones we are going to learn about tomorrow and the next day, cannot all be addressed. Perfect security is a myth, unattainable, and arguably a waste of time to try. Risk-based methods for identifying required security tactics do not scale, nor is there meaningful data that describe probability and ALE (annualized loss expectancy) realistically for information security.12

65.2.3 World Trends.

Our world is changing. Based on a report titled “Ten Trends to Watch in 2006” published by McKinsey and Company,13 trends that will have significant implications for security professionals include:

  • Dramatic geographic shifts in centers of economic activity, particularly in IT services, where labor and talent are increasing globally. Worldwide, distributed, and devolved security models will be required, as the supply chain and internal processes in a company's value chain are widely distributed. The implications of physical security, information systems protection, personnel practices, and the diversity of governing regulations and statutes require a much broader, business-based view of asset protection. Use of company-owned, leased, and outsourced facilities will prove to be a challenge to asset protection.
  • Technological connectivity will transform the way we live and interact and will completely disrupt current security infrastructures. Enhanced connectivity and mobility using smaller (i.e., less observable), highly capable Internet-enabled devices requires access to enterprise information resources from anywhere, at any time, putting an enormous strain on rule sets designed to filter incoming and outgoing information, and where it travels. Peer-to-peer networking, tiny mass storage devices, blending of personal and enterprise computing on common devices—these are just a few of the near-term changes that will completely alter the way enterprise rules are handled for information protection. Grid computing, virtual machines, work from home—all are issues that challenge the notion of comprehensive asset protection, both physical and logical.
  • New models of in-the-cloud knowledge, including production, access, distribution, and ownership, are emerging, and fundamental trust models remain to be defined or even described. “Software as a service” (SaaS) is already enabled for consumers and small businesses, and enterprise services will probably follow. The download and introduction of software over the Web, and access to proprietary information in an anywhere-computing environment, require redefinition of the way we think about intellectual property and data management.

A coordinated, interdisciplinary management approach to a proper set of controls based on business risk is essential to deal effectively with the enormous requirements to protect information in business today. Whether the enterprise is private or public, regardless of nationality, “the world is flat,” and a solid information protection strategy must recognize the implications of that.

To summarize, successful use and management of information is the business. Setting priorities that demonstrate due diligence to a properly business-driven standard of care for the confidentiality, integrity, availability, ownership, and proper possession of information is the charge of the CISO. It is essential that the CISO function at the level of executive management and as a business strategist, participating with the executive leadership team to enable the integration of due diligence to a standard of care into all business streams.

65.3 STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE.

Recognizing the information security changes that drive the role of the CISO, what should be done to be successful? What are the key focus areas that should define the role of a CISO?

Success for information security professionals will depend on several key factors in this new world:

  • Standard of care (e.g., rules-based) strategy
  • Governance and accountability
  • Clear roles and responsibilities
  • Metrics, reporting, and executive visibility

The remainder of this section examines each of these more fully. For a general discussion of management's role in information assurance, see Chapter 63 in this Handbook.

65.3.1 Standard of Care.

A CISO has one vision statement that drives strategy: to establish due diligence to a standard of care for the business; that is to say, to put in place the mechanisms (controls, oversight, monitoring, metrics, and reporting) that will enable the business to demonstrate due diligence to that standard of care.14 Such a standard of care is rules based, but it is not prescriptive in itself. The standard of care is the set of documented business risks from an information protection perspective, and the declaration of a set of rules in policy, that effectively mitigate those business risks. The standard of care declares “what” will be done. It is the governing book of policy to be reviewed and monitored by the executive leadership team, the audit committee of the board of directors, and senior management. It is the set of rules with which all internal standards and desktop procedures must comply.

Although a complete treatment of the identification of business risk is outside the scope of this chapter, it can be summarized in this way: Prior to identifying the controls within a standard of care, steps must be taken to qualify business risk relatively as “high,” “medium,” or “low” based on magnitude of potential business impact and perceived exposure. It does not use quantitative risk analysis methods such as those found in Octave, FAIR, or any other popular risk-based quantitative methodology. It does not use ALE. It does enable the business to defend the design of the standard of care, the controls of which are derived from the business risk analysis.

The standard of care derives its meaning from two primary sources: internationally accepted standards and the risk analysis that defines the business risks.

The basic set of internationally accepted standards is summarized in Exhibit 65.1. For more detailed analysis of security standards, see Chapters 44 and 51 in this Handbook.

It is important for these standards to be used as a foundation for the policy, to ensure that security policy is recognized by the larger body of security professionals, and to serve as an interchangeable trading partner agreement in the communication and enforcement of security expectations.

It is not in the scope of this chapter to go into the risk assessment methodology in detail; however, a general description will serve to indicate that this is not a vulnerability assessment. The risk assessment process is used not to identify system vulnerabilities but to identify potential areas relating to people, process, and technology that could result in an exposure that reaches a defined threshold of business impact. For example, in a technology firm, one might align three major areas of concern: major inaccuracies in financial reporting (the domain of the Sarbanes-Oxley Act of 2002); failure to control IP adequately, with the subsequent risk to trade secrets, patents, or copyrights; and failure to protect customer data adequately. Each of these “slices” of business risk can be the foundation for the questions in the risk assessment to ascertain major systems exposure, business process exposure, or exposure caused by people doing things incorrectly, such as human error or even malfeasance. Risk rankings will need to be on the basis of assumptions and figures acceptable to the senior leadership team; the wildcard in any risk ranking is probability. The business impact threshold will vary widely with each business. Thresholds may be set using the financials of the company. A company that has a materiality threshold (i.e., the minimum level of loss that matters significantly to the organization) of, for example, $5 million that defines a material weakness in Sarbanes-Oxley compliance will prioritize its risks differently than a firm for which the materiality threshold is on the order of $500 million.15

With the risk analysis to use as a rationale, the road map to tailoring a book of policy derived from the international standards becomes a series of steps to take for each risk, to define the mitigating control, and to map that control to a control statement in, for example ISO/IEC 17799:2005. Repeating this for all the risk categories and all the risk areas, one will have a foundation to demonstrate to any trading partner or outside party why the standard of care is relevant and appropriate to the company.

The next step is to help provide the translation of the high-level standard of care policy statements into action. Creating a set of implementation standards for the various controls described in the standard of care gives clear direction to all parties charged with ensuring that the needed controls are in place. The implementation standards also provide the foundation for a set of measurements and tests to determine that the controls are working as intended. This is the critical element that enables the executive team and the CISO to demonstrate that the controls are not only the right ones, but that they are working properly.

EXHIBIT 65.1 International Standards for Information Security Governance

The CISO does not get involved in monitoring firewall rules or router configurations. This is work that is the domain of an operations security manager who is carrying out the standards established by the CISO. The CISO should review the reporting (once it is established) to ensure that the controls described for all Internet connectivity are in place and working, and to ensure that the handling of technical details is delegated to specialized technical staff and management.

65.3.2 Governance and Accountability.

A recent research project completed by Booz Allen Hamilton reveals several factors that are changing the face of protecting enterprise assets, and ultimately adjusting the roles of the security profession. The information protection strategy is undergoing “convergence,” defined by ASIS International as “the identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.”16 The role of the successful CISO is not only converging into an interdependent set of security specialties; it is also blending into business functions, intertwined into the fabric of decision-making processes throughout the life cycle of business strategy, plans, and execution.

Given the need for managing all the complexity recently introduced, security professionals must also adopt a different outlook—a business-oriented rather than a protectionist position. Tim Mather, CISO of Symantec Corporation, describes it this way:

For many information security professionals, the urge is to promote information security—zealously. Many times too zealously. We often come to believe that security awareness equates to zealous promotion of information security objectives, especially the deployment of (information) security technology—often at the “expense” of people, and policies and processes. However, that zealous promotion of information security objectives tends to cloud our judgment as to the business considerations of the risks involved. Our information security-colored glasses are polarized to security and tend to filter out business unit considerations. This leads to a loss of credibility with business unit personnel, hindering our ability to accomplish our information security goals.

Our challenge is to articulate our information security objectives in terms of business risk that business unit personnel can understand and appreciate. That being said, it does not mean being “soft” on our objectives. We are not paid to install the “speed bumps” in enterprise hallways, but that articulation does mean translating information security objectives into “business-speak.” Only the combination of articulate translation and polite but firm emphasis on our information security objectives will gain us the credibility that we need to accomplish our enterprise information security goals. And that effort has to begin, and continue, at the top of the enterprise—with its executives.

Part of the reason security managers have had to take such hard positions in the past is that information security practices have had a strong tendency to be in organizational silos: executive protection, IT, physical security, local business practices, policy management, HR investigations, fraud, and so on. Each of these practice areas is a specialty, to be sure, and will continue to require specialization. Independence, however, can no longer be effective. Privacy, information security, data management, mobility, supply chain management, workforce management, human resources, facility management—the protection elements of these business domains, and so much more, must be coordinated to avoid weak links in the protection strategy that could prove disappointing if not devastating to a business, or to individuals.

With the need for an interdisciplinary approach at an executive level, with a broad reach across an enterprise, one might argue that the centralization of primary information security functions under a CISO would be one way to ensure that all information security practice would be consistent and easily measured; on the contrary, the temptation to ensure the fidelity of an organizational mission through assembling affected functions under a single manager should be resisted. In a successful information security strategy, it is far too easy for all enterprise management to think of security as “security's business” or as “the CISO's job.” In fact, the function of security should be emphasized as a business function, with accountability distributed in the business across all business unit executives, led by an executive-level security team. This has five advantages.

  1. There will never be a security organization large enough to do the entire job of securing information assets in the new world. Security truly has to be everyone's job, in ways that are measured and tracked. Putting security accountability into the business units will leverage resources effectively.
  2. Accountability is a good way to get someone's attention. Management is attentive to scorecards that are read at the top, with expectations for improvements that have been assigned to a responsible individual or group.
  3. The interdisciplinary approach needed for the rapidly emerging challenges and competing priorities can best be addressed by an interdisciplinary team, including functions such as supply chain management, that have no reason to be merged into a security organization.
  4. Being closely tied to the business allows for upstream integration into business processes, allowing security to be “built in” (rather than an afterthought) when new business initiatives, strategies, and ventures are being designed.
  5. The funding for proper protection of information assets is no longer a security problem or an IT problem, but it is a business problem, with the proper business visibility of what is and is not getting done, and what is the residual risk from funding decisions.

A simple policy-driven governance structure has been effective in many large-scale organizations to establish the necessary linkages with the business, to ensure consistency in strategy and approach, to gain executive buy-in on strategy through collective priority setting, and to gain visibility of progress and of unresolved issues on an ongoing basis. A basic governance structure can be tailored to fit corporate culture in details such as the number of representatives and the layers of working groups. What is essential is the creation of a governance body to ensure corporate due diligence and to avoid conflicts of interest such as are described further in Section 65.5.5.

A policy-driven approach to security and disaster recovery governance includes these components:

  • Senior Leadership Team (C-level executives)
    • Authority for policy
    • Governance body
    • Program oversight
  • Policy
    • Establishes accountability
    • Establishes programs and program authority
    • Establishes governance processes
    • Publishes under authority of the senior leadership team
  • Principles
    • Five to six high-level statements at a descriptive level
    • Separate from policy
    • Establishes guidance for business unit standards
  • Business Unit Team
    • Provides staff support
    • Facilitates governance process
    • Provides technical leadership for security across business units
    • Consists of representatives from each business unit plus audit
    • CISO is chair
    • Coordinates policy principles for senior leadership team approvals
    • Establishes standards at the prescriptive level
    • Implements standards
    • Monitors effectiveness of implementation (provides metrics and reports to senior leadership team)
    • Coordinates key initiatives for security and recovery improvement across business units

In this structure, the CISO can function as an agent of change for driving broad, funded, prioritized initiatives with true business impact.

Joel Scambray, coauthor of Hacking Exposed and senior security strategist at Microsoft, sees the need for CISOs as change agents:

Information security is now such a very broad topic, the role of the senior security professional has to move away from implementation of the security technology to the role of change agent. Network issues are diminishing: so much can go through port 80 inbound and then by proxy to the application, the themes in the attack community are shifting and will always continue to do so as technology evolves. Attackers will strike a business through the path of least resistance and that is going to be throughout the business, not just in the network and applications. It is essential to have business group accountability to address risks in all areas, for each executive to think about risk and ensure they are taking informed steps to bring it to within acceptable levels.

The CISO has to move up in the corporate structure—it's a revenue-protecting job and has to be supported at the highest levels of the company to get the company to focus on the right risks.17

65.3.3 Roles and Responsibilities.

In general terms, there is a set of roles and responsibilities supporting accountability that has been shown effective in practice. Some would require substantial change in the organizational responsibilities within a company or agency. The CISO is the change agent to make things better; once the foundation for security governance is in place, this should be a discussion topic. Outside professional opinions can be solicited. Refer to the practices documented by the Institute of Internal Auditors (IIA), the Information Security and Control Association (ISACA), and the IT Governance Institute (ITGI). Evaluate them in the context of your company; you may not be able to implement all ten of these principles for accountability and reporting, but even some of them would demonstrate progress. The 10 principles for effective information security control follow. For each item involving security, the CISO is the leader, receives and acts on reports, or is merely a participant and observer.

  1. The CISO does not “own” IT assets but manages them on behalf of the business. Governance processes are in place for effective business management of IT.
  2. An independent third party regularly reviews the implementation of each of these principles to verify control design and control effectiveness.
  3. The expenditures on IT security are justified in terms of business value according to parameters established between the CISO and the business units.
  4. IT security is actively monitored by an IT governance board consisting of IT, business management, and the CFO, and adjusted according to business needs.
  5. Security, information assurance, and cybersecurity rules are tied to business rules in ways that are traceable, understandable, and agreed to by the business.
  6. All IT security change is authorized by specifically designated IT management change boards.
  7. Application development processes verify that applications perform only as intended, throughout the life cycle of the application, under the supervision of IT governance boards.
  8. All IT security operations and processes are standardized, documented, and reviewed regularly for consistency by IT management and independent third parties.
    1. New processes are developed to accommodate business change.
    2. Existing processes are reviewed regularly for update, to accommodate business change. Consider having legal counsel review the documentation to determine if the records present unexpected legal risks or if they can provide legal advantage in any dispute over the standard of care.
  9. All information systems assets (data, infrastructure, applications, processes, and services) have clear business owners with accountability to ensure:
    1. Assets are used only as intended.
    2. Assets are accessed only by those who are authorized according to defined business rules. (Access is defined as ability + opportunity.)
    3. Assets are available for use according to defined business rules.
  10. Business and IT employees, contractors, vendors, and third parties have necessary documentation and training on a regular basis to carry out these principles in an effective, verifiable manner for the businesses in which they are engaged, and they have proof of training on a timely basis.

Generally, the business does not want to “own” IT. It sees IT as a utility, the domain of “IT staff,” and too much work to understand. This is the major hurdle to be overcome in the change agent role of the CISO. Remember, IT is the business. That is to say, IT today governs the systems that process the information that is the lifeblood of the business. Without the information, the business will stop. The logic applied to the information on behalf of the business should be owned by the business. It is worth the effort; once the business realizes its own accountability for the confidentiality, availability, integrity, ownership, and possession of business information, as well as for information security practices and improvements, it will enjoy a whole new level of interest in, and responsibility for, the enterprise.

65.3.4 Reporting.

With the governance structure established, the ability exists to assign accountability to the right places in the organization. The senior leadership team should identify how management will be held accountable. This is not a choice of “if” but of “how.” Without clear accountability, governance and policy will mean nothing because they will not be implemented or enforced effectively. The primary tools for enabling executive accountability are reporting, monitoring, and metrics.

65.3.5 Monitoring.

Monitoring in the context of the standard of care is the set of processes, human resources, and automated and manual tools needed to ascertain how well the controls established by the standard of care are functioning. Key to monitoring success is to monitor meaningfully—monitor to determine that the set of controls established is, or is not, working as intended. This is a function that can easily be coordinated and shared with internal audit, and care must be taken to ensure that the monitoring is appropriate for the applicable standard of care rules. Monitoring should be done with an objective degree of proof—hearsay is not adequate monitoring. Monitoring will usually need to be automated to handle the scale and frequency required in most information systems environments.

65.3.6 Metrics.

Metrics have been a difficult challenge for all CISOs. The generic advice is this: Choose metrics for reporting that are essential to (a) give the business a set of key performance indicators and (b) make a difference in a needed control area. We often measure something in security just because we can. This is a mistake. Measuring the number of viruses or the number of penetration attempts is not meaningful because they are high-volume certainties. The measurement system has to ensure that good results could not be achieved by failing to look: a decline in security incidents from outside attacks may be a true decline, based on 100 percent visibility of the problem, or the problem may have shifted to a space that is not monitored. In most cases it is probably the latter, given the changing vectors in the network attack space.

65.3.7 Executive Visibility.

For executive visibility, experience indicates that a CISO executive scorecard, published with the support of the CEO, CFO, COO or other executive sponsor, will drive behavior according to the metrics that are chosen and reported. Reporting should be at least quarterly—more frequent would be desirable, but may be difficult to achieve. Quarterly frequency allows for continuity of program management in making security improvements that require executive support for implementation.
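The metric design point above, that a falling incident count means nothing unless you know how much of the estate was actually being watched, carried into a small coverage-aware scorecard builder; this is an added example, not the chapter's own material, and the quarter fields, the 90 percent coverage floor, and all quarter values are constructed assumptions.

```python
"""Coverage-aware incident metrics for a quarterly CISO scorecard.

Added example (not from the chapter). It implements the chapter's point
that a measurement system must not let "good results" come from failing
to look: each quarter's incident count is normalized by the share of the
estate that was actually monitored, and a falling raw count is reported
as an improvement only when visibility did not fall with it.
All quarter data below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Quarter:
    label: str
    incidents: int          # confirmed incidents detected in the quarter
    monitored_assets: int   # assets whose logs/telemetry actually reached the monitoring team
    total_assets: int       # assets in the inventory

    @property
    def coverage(self) -> float:
        """Fraction of the estate that could have produced a detection at all."""
        return self.monitored_assets / self.total_assets if self.total_assets else 0.0

    @property
    def rate(self) -> Optional[float]:
        """Incidents per 1000 monitored assets; None when nothing was monitored."""
        if self.monitored_assets == 0:
            return None
        return 1000.0 * self.incidents / self.monitored_assets


def assess(prev: Quarter, cur: Quarter, coverage_floor: float = 0.90) -> dict:
    """Classify the quarter-over-quarter change so that it cannot be improved
    simply by monitoring less. Returns one scorecard row as a dict."""
    raw_delta = cur.incidents - prev.incidents
    cov_delta = cur.coverage - prev.coverage
    notes = []
    if cur.coverage < coverage_floor:
        notes.append(f"coverage {cur.coverage:.0%} is below the {coverage_floor:.0%} floor; "
                     "raw counts are not reportable as a KPI")
    if raw_delta < 0 and cov_delta < 0:
        notes.append("incident count fell while coverage fell: treat as a visibility gap, "
                     "not an improvement")
    elif raw_delta < 0 and cov_delta >= 0:
        notes.append("decline occurred with stable or growing coverage")
    elif raw_delta > 0 and cov_delta > 0:
        notes.append("rise coincides with wider coverage: may reflect newly visible problems")
    credible_improvement = (raw_delta < 0 and cov_delta >= 0 and cur.coverage >= coverage_floor)
    return {
        "quarter": cur.label,
        "incidents": cur.incidents,
        "coverage": round(cur.coverage, 3),
        "rate_per_1000_monitored": None if cur.rate is None else round(cur.rate, 2),
        "credible_improvement": credible_improvement,
        "notes": notes,
    }


def scorecard(quarters: List[Quarter], coverage_floor: float = 0.90) -> List[dict]:
    """Build scorecard rows for consecutive quarters; the first quarter is the baseline."""
    return [assess(quarters[i - 1], quarters[i], coverage_floor)
            for i in range(1, len(quarters))]


# Constructed sample data: Q3 looks like an improvement on raw counts, but a
# log-collection outage removed about a third of the estate from monitoring.
SAMPLE_QUARTERS = [
    Quarter("Q1", incidents=40, monitored_assets=950, total_assets=1000),
    Quarter("Q2", incidents=36, monitored_assets=960, total_assets=1000),
    Quarter("Q3", incidents=24, monitored_assets=640, total_assets=1000),
    Quarter("Q4", incidents=30, monitored_assets=980, total_assets=1000),
]

if __name__ == "__main__":
    for row in scorecard(SAMPLE_QUARTERS):
        print(row["quarter"], row["incidents"], f"{row['coverage']:.0%}",
              row["rate_per_1000_monitored"], "credible" if row["credible_improvement"] else "not credible")
        for note in row["notes"]:
            print("   -", note)
```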

65.4 SUMMARY OF ACTIONS.

In summary, the strategy for information security has to balance vulnerability management with a standard of care that is appropriate to all stakeholders. These stakeholders include business owners, trading partners, consumers, regulators, auditors, shareholders, and information owners whose membership in the interconnected community puts them at risk if any member has a breach. This requires coordination among diverse specialists and organizations. Security as a state of being is not feasible; due diligence to a standard of care is the approach CISOs should adopt.

The CISO has to develop a standard of care that answers to many demands. The Federal Information Security Management Act of 2002, EU Data Protection Act, Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley Act of 2002, Senate Bill 1386, BS 7799 certification, FIPS 199 and 200, as well as various NIST publications, and a host of local codes and statutes around the world greatly complicate the compliance function. It is best to adopt a standard-of-care approach that provides, based on international standards, a single comprehensive response to all queries. Expectations of records management, compliance with e-discovery, business continuance, disaster preparedness, IP and trade secret protections, sanctions for unfair information practices or advertising, and a burgeoning library of case law in matters related to security and privacy have become the drivers to which information security professionals must respond. Clearly, information security has become a risk management role worthy of a C-level executive, working in a structured governance role to involve the business. Today, the transition from security director, or even from today's CISO, to the C-level role that the CISO name implies is not complete. The points made thus far indicate a real need to pursue this as a professional group, and to adopt some generally accepted principles and standards so that businesses and agencies can enjoy the level of information protection that is required in this “new world.”

65.5 RECOMMENDATIONS FOR SUCCESS FOR CISOs.

For all the interviews that I did at RSA in 2006, only one quote made it into the press. Under the title “Microsoft CISO Has a Sense of Humor,” the reporter indicated that I had answered all their detailed questions with serious thoughtfulness. But when they asked me what would be the best advice to someone who aspires to be a CISO, they quoted, “Have a stiff drink until the feeling goes away.” I actually said, “Have a lie-down somewhere,” but no matter—the quip hit the papers.

It was seen as funny, but there is also a real need to consider the demands made on an individual who aspires to a C-level role in security, where there is so much at stake. Many technical security managers are chosen to fill the role but are ill equipped to transform into executive management. Even worse, a CISO who does understand the executive role and moves to perform it in an organization where CISO roles are not understood can easily fail. To quote Machiavelli:

Let it be noted that there is no more delicate matter to take in hand, nor more dangerous to conduct, nor more doubtful in its success, than to set up as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order, and only lukewarm supporters in those who might be better off under the new.18

In this section, several pointers based on input from various CISOs are offered to help you assess whether an organization is ready for a CISO and whether you are ready. The areas include:

  • Education and experience
  • The “culture” of security in the business
  • The alliance with corporate and outside counsel
  • The partnership with internal audit
  • The tension with IT and dealing with the potential conflict of interest
  • Organizational structure
  • Responsibilities and opportunities outside of CISO internal responsibilities

65.5.1 Education and Experience.

First and foremost, do you have appropriate background to be able to lead with wise counsel and appropriate judgment? Do you feel you are better at tactical detail, or do you prefer “the big picture”? In a panel during a plenary session at RSA 2005, LJ (Lisa) Johnson, CISO of Nike, related that her MBA degree was very helpful in her role as CISO, and this sentiment echoes across others in similar positions; however, successful leaders in this space do not all have advanced degrees—life experience is a significant contributor. Reading the wealth of books on various aspects of business management, information systems, and information security is also a good way to expand one's background. Conferences are beginning to focus on the role of CISOs as the role is described in this chapter, but, for the most part, conferences are best at keeping up with technical or auditing trends.

One way to evaluate the background that is necessary, whether it be by experience, reading, or the classroom, is to evaluate the various stakeholders with whom a CISO must effectively communicate to one degree or another. Internal audit, legal counsel, business executives, and IT staff are the core stakeholders. Within the business units, finance, supply chain, and HR are areas with which the CISO will have frequent discussions. Do you know your company's value chain? Do you understand the major business processes? Have you read the company's disclosure statements and annual report? Do you understand the major cost concerns and the revenue streams? What are the key risks, outside of security, that occupy the executive team's time? If you know the answers to these questions, you are in the minority of security professionals. If you do not, create your own action plan to network with key individuals; read, take a course, and create a career plan that will give you experience in these areas. Do not be afraid to admit that you are learning and interested in getting more information from the experts in a particular area.

Whether your education is a BS in computer science, an MBA, or high school, you can get a great education on the job in preparation for taking a leadership role in information security. Evaluate what it will take for success, and then make your plan to get that information on the job or in school.

Each company is unique, so each CISO job will have unique elements built on the basic CISO job description. A word of warning: As a new CISO, take the time to absorb the culture before launching major changes or initiatives. Remember Machiavelli—people need to know you care before they care what you know.

65.5.2 “Culture” of Security in the Business.

The culture of security can be very difficult to ascertain. In a centralized security model that lends itself to top-down management, one at least knows where to look. In a company where security may be part of the company's core business, and many think of themselves as CISOs, the role is much more challenging. The culture can be defined as the set of attitudes toward accepting direction, allowing time and resources to be used in order to put proper controls in place. The next points will help you take a pulse check on culture and could be used for some due diligence prior to accepting a CISO role:

  • Risk appetite. What is the materiality threshold (minimum significant loss) for risk management? It is important to understand this so that you can properly ascertain the importance of the issues you will encounter and thereby know whether they require an FYI or escalation as an urgent matter.
  • Cultural norms and attitudes. Is the workforce dynamic, with a high rate of job turnover, a low threshold of tolerance for change, and a high degree of autonomy? You would work with this kind of workforce and the culture it engenders much differently than with a company that has a “by the rule-book,” policy-driven bureaucracy. There is no “right” answer, but you need to know how people receive security direction; most people favor a “carrot” over a “stick”; it is a question of what kind of carrot.
  • Relevant regulations and statutes. You will need an inventory and at least a basic understanding of the way regulations and statutes affect information security. If the company is multinational, this requires an understanding of local jurisdictions, local statutes, and local regulations as well. Find the people who can share with you what they know about this area.
  • Influence and awareness of the “court of public opinion.” The court of public opinion is essentially a form of reputation risk and the impact that it can have on the organization. A decision about security, such as fixing a security bug in an online application, may not be governed by specific laws, but it could definitely create the perception of poor security practices in a way that influences other security issues that the company may have in the public eye. This area may be a major influence for highly visible companies, or less of a concern for others.
  • Influence of risk to reputation. With consumer confidence at an all-time low for Internet security, this is an element of the company's risk profile that it is essential to define explicitly as much as possible. Would the company go so far as to achieve full transparency of its security controls and privacy statements as an approach to building trust as a competitive advantage? Or is it willing to take more reputation risk by obscuring the privacy statement because the security controls are not quite what they should be? As you discover security issues, knowing the company's posture relative to transparency and associated reputation risk will be useful to determine what to escalate.
  • Who else manages various aspects of risk? Make it a point to build and maintain an active network of peers in these areas:
    • Financial
    • Legal
    • Corporate strategy and planning
    • Marketing
    • Other areas of security (consulting, product, customer support)
  • How is your role seen in relationship to those managers? Who else should you be talking to? Keep asking the questions.

65.5.3 Alliance with Corporate and Outside Counsel.

There are a few roles that merit special mention. Corporate counsel and outside counsel are becoming increasingly interdependent with the information security team. Historically, company policy, investigations, contracts, and incidents have all been (or should have been) coordinated with counsel. New developments in records management, e-discovery, third-party management, privacy, and case law relating to information security breaches and losses have created a new role for counsel in defining protection of consumer and employee data and company IP. Counsel will be necessary to navigate the rule of law as it pertains to information, information systems, and associated business practices. This is an organization with which the CISO needs to be close.

65.5.4 Partnership with Internal Audit.

While it is not uncommon to find IT personnel who assume that what audit does not know cannot hurt them, this attitude is a grave mistake. Internal audit is another special relationship for the CISO. A close IT-audit partnership is essential for these key reasons, and it should be the responsibility of the CISO to ensure that this partnership is in place and working smoothly:

  • The rules for standard of care require demonstration that the controls are working effectively as designed. There is no better organization to provide clarity on what that entails than internal audit.
  • Internal audit can collaborate with information security on the standard of care monitoring and reporting, thus effectively extending information protection resources.
  • The CISO is accountable to ensure that control processes and policies that pertain are in place and working well. Internal audit should have full access to information security processes to ensure compliance and to provide independent assurance against potential conflict of interest.
  • By cultivating a close partnership (yet maintaining the arm's-length relationship), the CISO and the audit organization can exchange information, set priorities for the audit and security improvement programs, and provide support for each other on core issues to escalate.

65.5.5 Tension with IT.

Many CISOs report to IT, and therein lies a potential for conflict of interest, or the appearance of conflict of interest. This is an area of increasing concern. The issue resides with the CISO needing to identify the security concerns and strategies for the company, including scope that extends beyond IT control, but doing so may be perceived as reflecting poorly on the IT management chain. Also, having a CISO report to the CIO creates an impression that the CISO is the IT security manager. Further, IT budgets are often calculated on the basis of run rates, assuming that it is an operational utility. Funding all the security effort out of an IT budget is a mismatch in two ways: Security is not a run-rate type of function, and taking what amounts to 10 percent or more of the IT budget for security is generally a significant hardship on other parts of IT that are critical to the business.

To address the conflict of interest concern, one could move the CISO role out of IT and have it reporting at the CFO, COO, or CEO level. The CISO in this regard would be a peer of the CIO. This has an advantage of removing the conflict of interest and the impression of IT security manager, but it also introduces the possibility of the CISO losing touch with the IT organization. Another alternative, if the CISO reports to the CIO, is to establish the governance structure and provide dotted-line relationships to the senior leadership on the governance board. Internal audit can monitor the relationships and processes to ensure that conflicts of interest are not developing. Politics being what they generally are, the latter choice seems the most difficult to implement well.

65.5.6 Organizational Structure.

Organizational structure for the CISO will, of course, be heavily influenced by the company. We have already discussed some independent factors that argue against the CISO reporting to the CIO. Companies are moving away from the traditional model of having the senior information security manager, or in some cases CISO, report directly to the CIO, opting instead to have the CISO report to the CEO, COO, or, in some cases, the CFO. In addition, a cross-functional, dotted-line relationship to key stakeholders may be required for adequate reporting and oversight.19

Aside from the question of to whom the CISO should report, what should the CISO manage? How should that be structured? The CISO's role as an executive should be focused on governance, policy management, and compliance monitoring and reporting. The CISO should establish parameters for IT security operations, information security investigations, forensics and incident handling, identity and access management, business continuance, records management, and e-discovery, but need not necessarily handle the day-to-day oversight of those functions. The CISO could also be responsible for physical security and executive protection or have oversight of those roles with other security managers.20 The role has grown to become more than any single person can track if all these functions report directly to the CISO. It is incumbent upon the CISO to set the strategy and the structure for all these related security functions and to monitor their progress against predefined performance objectives.

65.5.7 Responsibilities and Opportunities outside of CISO Internal Responsibilities.

In this chapter, we have described CISOs as change agents and strategists, adopting a standard of care, and strategies that implement that standard of care, and that demonstrate due diligence to it. Such individuals have much to contribute to the profession, to the community at large, to the technical community, and even to the definitions being established by governing bodies at the local, state, federal, and international levels.

It would be unreasonable to try to prescribe what CISOs should do outside of their direct internal responsibilities. Suffice it to say that CISOs should subscribe to a professional ethic to share what they have experienced, to codify security practice, and to bring about a better understanding of the problem space, so that defined problems can be solved with best practices that ultimately become standard protocols. Make it a practice to participate in professional organizations, to write, and to speak to community, professional, and trade organizations. Get the word out. Work to eliminate confusion. Define the role. There is much at stake for those who choose to wear this mantle—in the words of Theodore Roosevelt, “It behooves every man to remember that the work of the critic is of altogether secondary importance, and that in the end, progress is accomplished by the man who does things.”

65.6 CONCLUDING REMARKS.

CISOs are strategic, executive agents of change for the protection of information that is the lifeblood of critical infrastructures and private enterprise. The realm of disciplines that CISOs must manage is expanding as the scope of security has broadened—an interdisciplinary approach that involves all aspects of the business to provide digital, physical and personnel security is required with input from vital stakeholders.21

This role is different from that of technical security management in the near past, and involves tools that are different. The complexity and sheer insecurity of the inter-connected ecosystem requires that we adopt a standard of care and that we be able to demonstrate due diligence to that standard of care—this is the mission of CISOs.

To be successful, CISOs depend on strong governance, clear roles and responsibilities, management accountability, and strong reporting practices (including monitoring, metrics, and executive visibility). CISOs would necessarily provide oversight, direct or indirect, of functional roles such as technical security management functions.

CISOs are a rare breed and need to make their contributions to their respective organizations as well as to the larger set of professional, community, and industry groups that need guidance, clarity, and judgment in their movement forward to a trusted, interconnected ecosystem.

The challenge is huge—that is why CISOs like it. It is ever-changing, touches every part of business and technology, and is ultimately a people job. It is a very difficult job and, under the right circumstances, is a very rewarding one. It is a high position of trust and responsibility, and it finally has come into its own.

65.7 NOTES

1. Thomas L. Friedman, The World Is Flat: A Brief History of the Twenty-First Century (New York: Farrar, Straus and Giroux, 2005).

2. Eugene Spafford, “Information Security: Insanity Rules,” AusCERT2006, AusCERT, Royal Pines Resort, Gold Coast, Australia, May 24, 2006.

3. Larry Greenemeier, “VA Had Many Security Warnings before Its 26.5 Million-Person Breach,” Information Week, www.informationweek.com/news/showArticle.jhtml?articleID=188500807&subSection=All+Stories.

4. P. Colgan, “New Zealand Not for Sale: eBay,” News.com.au, May 12, 2006, www.news.com.au/story/0,10117,19112037-29277,00.html.

5. Bank for International Settlements, “Basel II: Revised International Capital Framework” (2006), www.bis.org/publ/bcbsca.htm.

6. Scott Berinato, with Lorraine Cosgrove Ware, “Six Secrets of Highly Secure Organizations,” CIO Magazine, September 15, 2004; http://findarticles.com/p/articles/mi_kmcio/is_200409/ai_n6833335.

7. P. Condit, Keynote Speech, International Information Integrity Institute Forum 25, The Boeing Company, Seattle, WA (January 1995).

8. United States, Office of the National Counterintelligence Executive, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage—2004 (Washington, DC: ONCIX, 2005).

9. Donn Parker, “Making the Case for Replacing Risk-Based Security,” ISSA Journal (May 2001): 6–10.

10. P. Schwartz, The Art of the Long View: Planning for the Future in an Uncertain World (New York: Doubleday, 1991).

11. P. W. Parfomak, “Guarding America: Security Guards and U.S. Critical Infrastructure Protection,” Congressional Research Service Report for Congress, November 12, 2004, Order Code RL32670; http://ftp.fas.org/sgp/crs/RL32670.pdf.

12. Parker, “Making the Case for Replacing Risk-Based Security.”

13. Ian Davis and Elizabeth Stephenson, “Ten Trends to Watch in 2006,” McKinsey Quarterly, www.mckinseyquarterly.com/article_page.aspx?ar=1734&L2=18&L3=30.

14. 498 S.W.2d 388, 391.

15. The concept of materiality threshold is widely used in accounting. For example, see the “Accounting Terminology Guide” from the New York State Society of CPAs, www.nysscpa.org/proLlibrary/guide.htm.

16. Booz Allen Hamilton, “Convergence of Enterprise Security Organizations,” ASIS (Alliance for Enterprise Security Risk Management) International, November 8, 2005; www.asisonline.org/newsroom/alliance.pdf.

17. Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5th ed. (Emeryville, CA: McGraw-Hill Osborne, 2005).

18. Niccolo Machiavelli, The Prince (1513), Chapter VI, Para 5.

19. Berinato with Cosgrove Ware, “Six Secrets of Highly Secure Organizations.”

20. See, for example, Fran Howarth, “The Convergence of Physical and IT Security,” IT-Director.com, September 11, 2006, www.it-director.com/business/regulation/content.php?cid=8743.

21. Friedman, The World Is Flat.
