Repositioning the CISO

Oct. 27, 2008

The position of CISO is relatively new. It came into being in response to federal regulations, the burgeoning security industry, and the ever-increasing cyber-threats facing the modern enterprise. The CISO is responsible for establishing a credible economic basis for information security investments, assessing corporate risk as it relates to information security, and effectively communicating his or her findings to corporate executives. But many CISOs seem to be struggling in the position. This is due to several factors, some structural and some cultural.

Problem: Organizational Roadblocks
Most organizations view the CISO not as a security and risk manager, but as a manager of security assets, like firewalls, intrusion detection/prevention systems, and incident response capabilities. According to the 2004 CSO Security Sensor Survey, 38% of respondents place the CISO in the IT chain of command, reporting to the CIO, whose primary responsibility is to maintain the availability of information systems. This placement hinders the CISO's effectiveness and limits his or her ability to implement change, for a couple of reasons.

  • Security's message doesn't reach senior business leadership. In part, this is because the CIO's primary responsibility is to maintain the availability of information systems. When the CISO reports to the CIO, a primacy is established. Security loses out to availability.
  • Operational responsibilities take priority over strategic planning. Particularly when threats may cause business disruption, tactical issues take precedence over longer-term planning. It is easier to buy and implement firewalls and intrusion detection systems than to develop security policies and implement a sound awareness program. Without long-term planning, the organization will remain trapped in the patch-and-pray scenario.

Solution: Move the CISO Out of IT
The Federal Financial Institutions Examination Council (FFIEC), an interagency body that prescribes uniform principles and standards for the federal examination of financial institutions, has developed the following guideline:

"Ideally, the institution should separate the information security program management from the daily security duties required in IT operations. The senior information security officer should be an 'enterprise' risk manager rather than a production resource devoted to IT operations. To ensure independence, the information security officer should report directly to the board or senior management rather than through the IT department" (FFIEC Information Technology Examination Handbook). Firms who take this approach will realize new benefits from their CISOs.

IT-independent CISOs can frame security in terms of business issues rather than IT projects. A traditional security manager's explanation of the recent ChoicePoint fraud case might sound like this: "The server's verification and authentication processes for the client Web portal were ineffective, thereby facilitating fraudulent access to sensitive back-end systems and personally identifiable data." When framed in terms of business issues: "The trust model used by ChoicePoint failed in such a way as to compromise the company's most vital assets." A trust model establishes the standards by which an organization determines who to trust with its assets.

Organizations have several options as to how to reposition the CISO. They can combine information security with physical security and elevate the senior security officer to CSO, reporting directly to the CEO. The CSO Security Sensor Survey indicates that 34% of its respondents have implemented this change, up 15% from the previous year. By combining physical and cyber security under one executive, the organization gains a holistic view of potential threats and the associated vulnerabilities.

Elevating the chief security executive to CRO-chief risk officer-makes sense in medium to small enterprises where key executives often assume multiple roles. The benefit in this approach is that the CRO considers areas of risk beyond those dealt with by a CSO or CISO.

Problem: Where's the ROSI?
A second compelling reason for many CISOs' lack of success is their inability to establish a credible economic basis for security investments and to assess information security relative to business initiatives.

Much has been said about return on security investment (ROSI) and security metrics. At first glance, metrics seem to be the Yellow Brick Road to the boardroom. However, the CSO Security Sensor Survey reported that 34% of respondents did not use ROSI and had no intention to do so.

The problem with ROSI is that its components are too subjective. Right now, there is no standard, statistically valid method of measuring ROSI. Some CISOs are using "homemade" formulas to calculate ROSI, but without sound standards and appropriate rigor, these calculations are not worth the time it takes to create them.

Solution: Use a Standard, Valid, Reliable Metric
Be cautious of traditional security metrics, such as "total number of incidents reported." When you add more firewalls, the number of incidents reported goes up, not down. The ideal security metric should be:

  • Quantifiable-Using quantitative scoring rather than pass/fail
  • Valid-Statistically sound
  • Verifiable-An independent third party should arrive at the same result
  • Meaningful-Of real value to the organization
  • Associative-Based upon a best practice or security model that enables comparison within the organization, within the industry, or across industries.

One way to achieve an associative metric is to use ISO-17799 as the template for your security program. ISO-17799 is a comprehensive set of controls utilizing the best practices in information security. This international standard:

  • Provides a blueprint for a comprehensive security program
  • Prescribes the order in which security elements should be implemented
  • Constitutes the use of a best practice
  • Provides a theoretical framework for comparing one organization's security program with another's

For additional information on using ISO-17799, visit www.iso.org. For a good read on combining ISO-17799 with a maturity model, check out Chapin and Akridge's How Can Security be Measured? published by the Information Systems Audit and Control Association in March 2005. If the CISO can escape the IT department and implement ISO-17799, he or she will be better positioned to initiate positive change in the organization.

Bob Wynn is the former CISO for the State of Georgia. His 20 years in the security field include experience in senior security management, infrastructure protection, computer crime investigations, policy writing, and achieving compliance with federal regulations. Mr. Wynn is an instructor at the FBI National Academy in Quantico, VA.