What does it take to be an effective Chief Information Security Officer (CISO) in today’s era of massive data breaches?
Besides skin as thick as armour and proven experience in security, an effective CISO needs the following qualities: a strong grasp of their security programme’s capabilities and of their adversaries; the business acumen to frame security challenges as business opportunities; an ability to partner and communicate effectively with stakeholders outside of the IT department; and an insatiable appetite to make data-driven decisions and to take smart risks.
Data-driven demands
In order to be successful, today’s CISO needs data-driven insights. The business needs this too. Using data security intelligence software to leverage new insights will better equip the CISO and their teams to defend against misconfigurations, cyber-attacks and malicious insider threats.
Data-driven organisations are more profitable, more efficient, and more competitive. An effective CISO ensures the business has the data it needs without introducing undue risk.
Despite best efforts at threat modeling and security automation, security controls will never be perfect. Modern businesses require data agility, as attack surface areas and risks change quickly.
As data from beyond the firewall proliferates, ensuring that sensitive and confidential data is safe from exposure or a breach becomes an enormous task.
Data at rest isn’t valuable if the business can’t use it in a timely manner. Encrypted data may be safe from theft, but needs to be decrypted at some point to be useful for those using the data for predictive analytics.
Data’s relative risk of breach goes up as the number of connections, applications, and accounts that have access to the data also increases.
If you have two databases, each with the same millions of sensitive records in them, the system with more applications linked to it and privileged administrative accounts managing it is the one you should be focusing your security investments on. But you need a way to measure and manage your risk with accurate, timely intelligence.
Personal insight
As a CISO, my responsibility is to ensure that our brand is protected, that our customers, stakeholders, and employees trust our name – that we are trustworthy custodians of our customers’ most important data assets.
In order to do that, I need to have conviction about where our sensitive assets are, what threats and risks are relevant to them, and have a plan to keep them compliant and safe no matter where the data travels.
Modern security guidance such as the SANS Critical Security Controls and the NIST Cybersecurity Framework both start with 'know your assets': building an inventory and identifying what’s most critical to your business.
Next, they advise you to form a strategy to monitor, protect, and re-assess relevant risks as the business evolves. In the age of agile development and security automation, continuous monitoring is replacing batch-mode assessments. Businesses move too fast to measure risk annually or once a quarter.
As my organisation has shifted to a cloud-first enterprise, and as our marketing function makes data-driven decisions for their customer experience initiatives, my teams ensure we are making data available to those who need it while adhering to international data privacy laws.
This task has become more challenging as the volume of data increases, as data is shared between targets, and as requirements become more stringent. As such, I need to ensure we are continuously developing our data security intelligence solutions to help manage these activities while making it easier to collaborate with other stakeholders.
Over time the CISO has evolved into a trusted advisor to the business, which now relies on their guidance to help take smart risks.
In business discussions the CISO provides a lens that focuses on technical threats, regulatory constraints, and business risks while ensuring that the business earns and maintains trust with customers. In order to be an effective CISO, it all comes down to the data.
Sourced from Bill Burns, CISO, Informatica