Let’s come up with a slightly different description for CISO – one that more accurately describes the relationship the position should have with a Board of Directors. In most cases, a Board has neither the knowledge nor the strategy to maintain an effective security risk profile on its own. Modern security is a matter of continuous improvement and very agile response – something a Board sits too high in the organization to accommodate by itself. This is where the CISO comes in.
In relation to a Board of Directors, the CISO must stand for Central Intelligence for Security Operations – more than just an “officer.”
With this new acronym in mind, here are new features of the CISO position that all companies might consider.
If the CISO is thought of as an intelligence hub, the Board of Directors should be eagerly awaiting updates on a continuous basis, not just once a quarter or once a reporting period. Regular communication in the modern business landscape does not mean what it did in the past. Security risks occur more frequently today, and there should be regular communication at all levels of an organization to contain these types of threats. The CISO may be responsible for organizing meetings, but it is also up to the Board to take these meetings seriously, even when there are no imminent threats to report.
Any central intelligence structure worth its salt has an interface that is easily accessible to all appropriate parties. Security operations within a company should be no different. Continuous improvement does not mean that all parties have to physically meet every day to keep security threats under control. Proper communication can be cultivated more readily through an accessible set of tools and reporting. Questions are answered in a more timely manner, the organization is made aware of problems more quickly, and information is organized in a way that is easily translated for professionals of any discipline. Companies such as Intrinium are geared towards precisely this kind of organization, giving a company a full-scale security solution for less than the price of a single in-house professional. If a company does not have the means to properly organize its own security data, outsourcing the CISO position should definitely be on the table.
The business impact of all security decisions should be transparent across the organization. If the CISO is corresponding with the Board on a regular basis, there is very little chance to hide information that could become important later. The sooner security risks are made known across the organization, the sooner all available resources can be consolidated towards a solution. This approach also relieves individual departments of the individual blame that might otherwise keep them from reporting a breach.
The Board of Directors has a measure of responsibility as well. It is difficult for the CISO to do their job without the support of executives and senior management. The Board must support the CISO position in preventive measures that may not show an immediate return. The best security technique is prevention, but like insurance, many people do not want to pay for it until it is too late.
When polled, many Boards name security as a top risk priority over the next 12 months; those Boards must then do what it takes to put those risks to bed. Full support of the CISO position in its new capacity as a Central Intelligence hub for all Security Operations within an organization is key to success.