Feeds

Step forward the chief information security officer

Leader of the pack

5 things you didn’t know about cloud backup

What does the modern chief information security officer (Ciso) look like? The role used to be little more than acting as a glorified sysadmin but things have changed.

These days, Cisos must be all-rounders, concentrating not just on technology but on business too.

“In recent years, the role of the Ciso has become more business and risk focused," says Adrian Davies, principal analyst for the Internet Security Foundation (ISF).

Cisos have to contend not only with tasks such as project management, but also cost-benefit analysis and stakeholder engagement.

It is difficult to find technology experts who are also astute in these areas, which is why single, well-rounded Cisos are so valuable. The alternative is to team up a business-focused Ciso with technical experts who can fill in the gaps, in the same way that chief executives often need chief operating officers to help bolster their capabilities.

Davis argues that the low cost of opportunity afforded by cloud computing has made the modern Ciso’s job harder. Any employee with a company credit card can now access a cloud-based resource, often without management even knowing about it.

Call a plumber

Signing up for your own online customer relationship management service and uploading a spreadsheet of customer data to an insecure web application is one way that data can leak out from the edges of an organisation, under the Ciso’s nose.

As these risks proliferate, mapping business risk to information technology risk becomes increasingly important and should be considered a foundational skill on the Ciso's part.

That involves talking to people in different roles. The risks faced by the head of human resources are different to those faced by the accounting department or the chief marketing officer. The Ciso must represent everyone and be able to appreciate all perspectives.

This role also involves understanding and absorbing the needs of the broader employee base.

John Colley, Managing Director (ISC)squared EMEA, calls for counter-intelligence to avert these unwitting security risks. Not, as he puts it, to slap wrists but rather to break down barriers.

Knowing me, knowing you

In many organisations, one critical security risk occurs when users start circumventing the IT framework to get the job done. Colley suggests focusing on what users need and finding the technology that would help them to achieve their goals.

“The ISF believes there is a need for top management to be more embedded in the business, and trying new things such as simply walking the floor and talking to people," he says.

Good governance is not always present in information security

Davis says governance is also an important aspect. “When the security function adopts governance, it leads to better engagement with senior executives, helping to foster better understanding, minimise risk and limit reputation damage," he says.

However, he adds that good governance is not always present in information security.

“Cisos can help their cause by taking a government approach, allowing them to demonstrate to stakeholders – customers, partners, shareholders and regulators – that corporate data is being protected according to industry best practice," he says.

Increasingly, Cisos have to exhibit leadership qualities. They must listen and gather intelligence from a broad base of individuals. They must set the direction for a broad security effort and get others aligned behind their vision.

But there is one subtler challenge for the modern Ciso.

Parting of the ways

Inevitably, the business will find itself heading in a different direction. It may wish to roll out a service or product, or expand a particular operation, without being sure of the risks or security consequences. It may want to play down negative results from an internal security audit in case they adversely affect negotiations with a client.

The true challenge for Cisos is fulfilling their mandate in the face of resistance. They must ask the difficult questions and make the unpopular suggestions that will keep the company on the right track.

Do you have the cojones to speak up in the boardroom when the chief executive wants you to say something different? ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?