Roles of information security executives changing

June 5, 2012
New study finds CISOs are being tasked with more risk management responsibilities

The roles of CSOs and CISOs at corporations and government agencies have changed dramatically in recent years. Just as physical security managers have been charged with more than overseeing an organization’s access control and video surveillance measures, information security executives are now being asked to take on more risk management responsibilities.

According to a recent study conducted by Wisegate, a social networking membership body for senior IT professionals, nearly 100 percent of CISOs polled indicated that they have combined information security and risk management responsibilities. In addition, 40 percent of survey respondents said that they expected to see an increase in spending on security/risk management initiatives within their organizations.

The motivating factors driving increased risk management responsibilities for information security executives at organizations vary. When asked to cite their two primary drivers, the majority of survey respondents, 73 percent, said that general compliance requirements were one of the main reasons for the convergence, followed by the general threat landscape at 53 percent. Thirty-three percent said that their companies were doing it because it was the "right thing to do," 26 percent reported experiencing a "recent security close call without external reporting requirements" as a primary driver and 20 percent said they were making the move due to a "recent security incident requiring external notification."

Cox Communications CISO Phil Agcaoili said that about five years ago he started seeing more conversations in the information security sector centered around risk management and the areas of risk that apply to an organization’s security team.

"In my time at two manufacturers… we really got the teams talking together and taking a look at areas around strategic risk, financial risk and operational risk, and for me, security plays a role in each area," Agcaoili said. "What’s interesting is how physical security leaders view security. It is different from information security leaders and different from folks that have cyber security, so physical, info and cyber are all kind of in this space where we are managing different kinds of risk."

Agcaoili said a prime example of how all these different areas of security merge together is when you take a look at supply chain security.

"Supply chain security is a dimension of cyber security," he explained. "You’re dealing with background checks for employees and partners; you’re talking about contract security and areas around defining service level agreements; you’re dealing with assurances of overall security and privacy and business relationships; you’re dealing with right to audit and assessment; and, supply chain also covers e-discovery and forensics, litigation support, investigations and intelligence services. In a way, they are all overlapping areas for CSOs and CISOs. Likewise, tracking down and mitigating these risks through people, processes and technology that encapsulates a holistic security protection and safety strategy… it involves all security teams and you have to have varying capacities and the support of executive sponsorship and operational teams with the experience and the ability to cover the entire field. All of these groups have to work together, so a partnership has to be built to cover all of these areas."

Brown University CISO David Sherry said that he’s also seen his role as a security executive evolve towards risk management with additional responsibilities.

"As privacy and compliance continue to gain importance in the success of an enterprise, and with some hesitancy of adding senior head count, assigning responsibilities to the security executive is a sound business model," Sherry explained. "With this, I have seen my responsibilities to now include privacy and its related functions and regulations, compliance with regulatory mandates and external entities, and a deeper role in legal discussions. All of these give me a closer role with the chief risk officer, in addition to the CIO. Lastly, as an institution of higher education, I’ve assumed a greater role and influence with the internal boards who oversee compliance with grants and research data protections."

Agcaoili characterized the transition to this overall risk management approach as "iterative" and said that there are industry frameworks in place from organizations such as the National Institute of Standards and Technology (NIST) to help security managers with the process, many of which have been around for a number of years.

Additionally, Agcaoili said that CISOs share some "DNA" with physical security leaders when it comes to cyber security, which has become a paramount issue for many organizations.

"I think cyber is front and center today in the hearts and minds of our government, our government leaders and many CEOs," he said. "My company is part of the critical infrastructure for the U.S., so cyber is a very important area for us and I’m responsible for that."

Though the transition to the risk-based security model has been demanding on his time and prioritization, Sherry said that it has been an overall positive experience for him.

"As a security manager I have brought a different skillset and experience to the table, identifying both risks and their solutions in a way that may not have been seen in the former structure," he said. "I think that it has also enabled the mission of security to take some additional spotlight, so that has been an unexpected fringe benefit to taking on more responsibility. I also can begin to see solutions that are more holistic in nature, and support the establishment of processes that can satisfy different risk and compliance concerns in several different areas."

While one of the common complaints among both information and physical security managers is getting senior management to approve spending money on security projects, Agcaoili said that that has not been an issue at his company.

"We have a consistent plan and we communicate that to our leaders and we base it off risk. Our leaders have a lot of information to know what our high priority areas are for us," he explained. "We have to define what we do, we have to measure what we do, we have to continue to improve what we do and then enable our leadership to decide how much they need. Providing that all in the context of risk in a risk-based framework, I think it simplifies communicating with leadership on key areas that we have to invest in."

Sherry advises those looking to get approval for security funding from upper management to use "patience, time, persuasion and reason" to get them to understand why changes or upgrades in security operations are necessary.

"This is not an area to use the former triad of fear, uncertainty and doubt. Using sound business reasoning, establishing and achieving small benchmarks, and always putting the organization first in your thinking is paramount," Sherry said. "Also, some of the solutions for risk management, be it software or consulting, can be costly. Establishing a roadmap with realistic and responsible budget requests can indicate to the senior board sound financial thinking, and a program that will grow and mature. Finally, while I do not wish a major event on anyone, if the enterprise does have a negative event, take advantage of the focus and seek the finances to ensure it doesn’t happen again."

Having to take on more risk management responsibilities has also helped Sherry when it comes to the convergence of physical and information security.

"When speaking solely as a security executive there may be some hesitation from physical security to form the correct partnership.  However, when addressing their concerns, areas of improvement or strategic projects in the light of lowering the risk of the enterprise, there is more openness to talk," he explained.  "It has also helped to form the bridge of cooperation between physical and logical security.  In the past, security may have been seen as a group that was intruding into their mission, or even worse, saying no to their ideas.  But when the security executive proves to them that he or she can securely enable their processes and lower the risk to the enterprise, they are more willing to participate."

One of the challenges of this transition for security managers, however, is the scope, according to Sherry.  

"The increasing responsibilities can sometimes impact the focus that is necessary in the day-to-day security function.  Also, establishing the credibility of the new function is something that must be overcome confidently and quickly," he said.  "I have also seen some pushback from the security function itself, as some of the technical operations may not see the need for the risk-based methodology.  The function needs to be implemented iteratively, beginning with a board-level mandate, wide publicity, seed financing to establish base level solutions, and the celebration of documented success.  I have also witnessed the powerful tool of a high-level and cross-functional committee that I chair that meets quarterly on all things security, risk, privacy, and compliance." 

The benefits of moving to a risk-based model, according to Agcaoili, include being able to define your risks, prioritize them and structure your security roadmap. For those who are in the process of moving to a risk-based security management model, or are thinking about it, Agcaoili advises looking over the aforementioned frameworks and having conversations with industry peers to learn how they’ve made similar transitions.

"Interacting with others that have applied those frameworks has given me a forum and a network of other people that I can share ideas with and say 'hey, this is how we have applied it, how have you applied it and how did it work for you?' and the dialogue begins," he added. "For me and the other leaders in information security, we’ve all been working together for the last half-decade to evolve and grow and share. My approach is battle-hardened on the job, but it is also battle-hardened with my peers."