Interview with a CISO—the White Rabbit meets a vampire and zombie-killer!

Several years ago, I saw the movie “Interview with the Vampire.” I don’t know about you, but that movie really haunted me afterward. Amazingly, I know many people who are haunted by their chief information security officers. After all, these folks are trying to prevent vampires and zombies from creeping into their enterprise network. Now, I do know from firsthand experience that CISOs and their teams do not use garlic, crosses or even stakes to protect their networks. In fact, even at a distance, they don’t smell especially offensive.


So given my personal aversion to vampires and zombies, my first question in my interview of a CISO was: “What keeps you up at night?” I was told with great detail that it is the threat of a “Sony-class” breach. For those who are not aware, this type of breach not only impacts corporate brand, but it can result in 10 years of government monitoring. Pretty scary stuff, if I say so myself.


One of the things that I found amazing is the level of business access and involvement that CISOs have. Not only do they regularly meet with the global CIO, but they also interact with legal, privacy and even key business executives.

At this point, I asked about the tools of the craft—this time, I was truly not expecting to hear garlic, crosses and stakes. I was told that, historically, security organizations developed and used a set of homegrown tools. But the security folks are finding the bad guys are getting smarter and smarter.


In this environment, the CISO has needed to get closer and closer to business leadership. After all, security is another element of business risk. CISOs need to determine what risk level their business is willing to accept. This includes determining appropriate control mechanisms. Clearly, the threat landscape has gotten stealthier and even more difficult to catch. Today, “We are dealing with advanced persistent threats,” according to the CISO.


To respond to the raised threat level, this CISO has chosen to move to industry-standard, risk-based methodologies—ISO 2700 and NIST 8453. He is even looking at COBIT 5 and its continual improvement concepts for security. Nevertheless, he said that NIST requires conscious choices; not everything is applicable to every organization. You need to determine with your business stakeholders (no, they aren’t the people holding stakes) what is important, and, in some cases, what is more important.


Clearly, CISOs need to choose from among risk management approaches. At the same time, they need to demonstrate to business and IT leadership that they can measure, manage and improve security. Their foremost goal, according to COBIT 5, should be to keep the impact and occurrence of information security incidents within their enterprise’s appetite level. Doing this starts by putting in place a system that effectively addresses enterprise information security requirements. Next, they need to ensure their plan is not only accepted, but also effectively communicated throughout the enterprise. And finally, they need to ensure that information security solutions are implemented and operated consistently throughout the enterprise. Doing these things clearly makes the world—and CISOs in particular—not so scary.


Related links:

Solution page: HP Security Management

Twitter: @MylesSuer

Comments
HeatherMackey | 05-16-2013 02:46 PM

Great article, Myles! Makes complete sense that the CISO is getting closer to business leadership.

About the Author
Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product ...
