In light of the new clairvoyance in many Board Rooms authorizing
management to hire a dedicated CISO, Operational Risk Management (ORM)
professionals have to smile. Some are even laughing out loud. Why?
The Board of Directors in organizations around the globe are finally waking up to the digital battle field that has been fought in the information technology trenches since the late 1990's. Only a very few saw the threat horizon for "Botnet" enabled cyber malware and sophisticated and complex information operations by nation states. Those organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.
So what are the attributes of the ideal CISO? If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search. What do they need to know and what do they need to understand about Information Security? What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?
The modern day CISO has certainly evolved since the early 2000 days. The first generation CISO's were hired long before the evolution of the latest NIST Framework, Personal Identifiable Information (PII) definitions and data breach compliance notifications mandated by state and federal agencies. Now the modern day CISO has all of this as a baseline, yet so much more. The CISO today needs to really understand Operational Risk Management (ORM), more than ever.
You see, the Board of Directors really needs to understand that the CISO domain within the enterprise, does not manage risk or mitigate risk to information assets alone. Here are just a few of the categories the modern day CISO must have mastered:
The modern day CISO, equipped with a substantial understanding and comprehension of Operational Risk Management (ORM), will be able to interface easily with the other senior managers. They will be able to do this because they have a substantial grasp of enterprise business operations. They know how to run a business and they know how business is run. They know how to mitigate the risk of loss events within and to the business. The CISO of the modern day enterprise has the ability to discuss with confidence, the risks associated within every other domain within the enterprise architecture. Why?
It is because the title of the position includes the word, "Information." Yet maybe the title should not include the word "Security," as this could diminish the roles of risk management. Risk mitigation. Risk avoidance. In reality, the CISO should just now become, the "Chief Risk Officer" (CRO).
Information is a given. It is the lifeblood of the organization. Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information. Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization? Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)? Do they know how this ecosystem works and why their organization may be the target?
What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warning or security messages to U.S. citizens? Does the CISO realize the focus of international business operations and the interdependent 3rd party supply chain?
The CISO shall now become the CRO. The CRO shall be the master of Operational Risk Management (ORM). Information Security is a given for the future state. The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.
The Board of Directors in organizations around the globe are finally waking up to the digital battle field that has been fought in the information technology trenches since the late 1990's. Only a very few saw the threat horizon for "Botnet" enabled cyber malware and sophisticated and complex information operations by nation states. Those organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.
So what are the attributes of the ideal CISO? If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search. What do they need to know and what do they need to understand about Information Security? What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?
The modern day CISO has certainly evolved since the early 2000 days. The first generation CISO's were hired long before the evolution of the latest NIST Framework, Personal Identifiable Information (PII) definitions and data breach compliance notifications mandated by state and federal agencies. Now the modern day CISO has all of this as a baseline, yet so much more. The CISO today needs to really understand Operational Risk Management (ORM), more than ever.
You see, the Board of Directors really needs to understand that the CISO domain within the enterprise, does not manage risk or mitigate risk to information assets alone. Here are just a few of the categories the modern day CISO must have mastered:
- Security policy - management direction
- Organization of information security - governance of information security
- Asset management - inventory and classification of information assets
- Human resources security - security aspects for employees joining, moving and leaving an organization
- Physical and environmental security - protection of the computer facilities
- Communications and operations management - management of technical security controls in systems and networks
- Access control - restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance - building security into applications
- Information security incident management - anticipating and responding appropriately to information security breaches
- Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- Compliance - ensuring conformance with information security policies, standards, laws and regulations
The modern day CISO, equipped with a substantial understanding and comprehension of Operational Risk Management (ORM), will be able to interface easily with the other senior managers. They will be able to do this because they have a substantial grasp of enterprise business operations. They know how to run a business and they know how business is run. They know how to mitigate the risk of loss events within and to the business. The CISO of the modern day enterprise has the ability to discuss with confidence, the risks associated within every other domain within the enterprise architecture. Why?
It is because the title of the position includes the word, "Information." Yet maybe the title should not include the word "Security," as this could diminish the roles of risk management. Risk mitigation. Risk avoidance. In reality, the CISO should just now become, the "Chief Risk Officer" (CRO).
Information is a given. It is the lifeblood of the organization. Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information. Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization? Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)? Do they know how this ecosystem works and why their organization may be the target?
What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warning or security messages to U.S. citizens? Does the CISO realize the focus of international business operations and the interdependent 3rd party supply chain?
The CISO shall now become the CRO. The CRO shall be the master of Operational Risk Management (ORM). Information Security is a given for the future state. The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.