Chief information security officers (CISOs) who want to remain their firm's most senior security and risk executive need to rethink the security organization's roles and responsibilities, top priorities and initiatives, and the services and value it delivers to the business. They must also re-examine the individual skills the security organization offers, and embrace a fundamental redesign of security architecture and processes. In short, the CISO needs to reinvent himself as a chief business security officer (CBSO).
The CBSO role is a call to arms for security professionals.
Why is an act of reinvention necessary? Because it's a pathetic cliché, but true nevertheless: The business still views the security organization as a paranoid custodian blocking progress and innovation. We spoke with one expert consultant who routinely hears board members from some of his largest clients express frustration with the information security function. "Many top executives have had poor relationships with CISOs in the past, and that continues to shape their perceptions today. They see people in the [information security] profession as technologists, not equals. The No. 1 complaint from the board is that they are stuck dealing with very complex and technical people," he said.
In fact, business leaders at many firms have become so frustrated with their CISOs that they've unilaterally created a separate position -- often named vice president of IT risk or business information security officer. Employees filling this position are supposed to understand business requirements and feed them back to the CISO -- who then is responsible only for operational execution.
In reinventing themselves as CBSOs who can reunite this fracturing of business objectives and IT, CISOs have to make it a priority to add business and consultative skills to their technical expertise. This will help ensure that the business engages with them early in any business or IT initiative, rather than after the fact. Early engagement allows the business to accelerate initiatives without fear that it's ignoring regulatory or privacy risks. It also continues the transformation of security -- begun years ago but never quite finished -- from policy cop to business enabler. To deliver on this promise, would-be CBSOs must:
• Ensure traceable alignment between business and security objectives. It's critical to be able to show the relationship between the activities of the security organization and the business' goals and objectives. Thus, a CISO should start with the chairman's letter to shareholders in the firm's annual report, and show a direct, traceable alignment between those top business initiatives, the CIO's initiatives and his own initiatives. Forrester recommends that executive-level security metrics measure this strategic and functional alignment.
• Adopt more financial and risk management discipline. With increased awareness comes increased scrutiny, and CISOs need to develop the ability to prove economic value or return on strategic investment (ROSI). This means they should finally develop metrics that matter to the business and take a stab at demonstrating ROSI -- no matter how imperfect.
• Manage the security organization like a business within a business. With maturity comes increased accountability. Project and program management is an important discipline to infuse into all security projects. Assert the benefits the project will provide, then track the project from inception to deployment to prove those claims. CISOs who demonstrate they can manage budgets and deliver results will earn respect from senior executives.
More about security in the enterprise
• Use process improvement to do more with less. Security is a people, process and technology business. Forrester interviewed several successful CISOs who used revised processes to drive improvement across such core security activities as identity and access management, patch management, and employee screening. None of these improvements required additional investment.
• Devolve responsibilities for tactical security operations. To finally escape the reactionary hamster wheel, CISOs must devolve tactical responsibilities to IT operations professionals closer to line-of-business owners. This will free up their own time to focus on strategic initiatives (risk management, architecture redesign, and so forth).CISOs should look for opportunities to rightsource security functions and processes strategically to managed security service providers and the cloud.
• Rebalance skills within the security organization. The size of the security organization and its makeup will evolve toward a leaner organization comprising internal consultants and architects who define strategy, architecture and policy, and oversee devolved and outsourced security operations.
More than ever before, a CISO's focus should be upwards. Information risk is a business issue and the CISO's role is to enable those discussions and support sensible business decisions. The CBSO role is a call to arms for security professionals to develop their business and communication skills, selling value and support to their enterprise and, finally, after many false starts, breaking away from technology and the temptations of fear, uncertainty and doubt.
Stephanie Balaouras is a research director and Andrew Rose is a principal analyst at Forrester Research Inc., where they serve security and risk professionals. They will be speaking at Forrester's Security Forum in Las Vegas on May 24-25.