Chief Information Security Officer Must Create Credibility In Role; Run Information Security like a Business

A new chief information security officer should approach their role determined to make a difference to the business they are supporting. This advice comes from someone who knows how to make a difference, Steve Katz, who was the first Chief Information Security Officer (CISO) of a major financial institution, Citigroup, back in the mid 1990s. "There is not a better, more exciting, more uplifting career that you could possibly have than the one you have in information security," Katz said, making the information security career path an easy choice. He added, "The people who do information security for a living are dedicated, committed and generally passionate about what they do, and they recognize that they are making a difference."
His first piece of advice to newly appointed CISOs: "I think if somebody is moved into that role, recognize first that you are in that role to make a difference to the business you are supporting. You are also in that role to put together a 'business within a business.' Technology is just one component."
Katz recommends that CISOs balance the people, process and technology. "You have to make a reality in what you do. It's a three-legged stool - and you have to balance the people, process and technology. You cannot have any tool without the third."
He noted that these important things must be the focus: "Recognize that you are running a business within a business. Your role as the head of security - in addition to everything else you might be doing - is to be the chief security evangelist of the corporation, to make sure that you go out and meet with the business heads at various levels within the corporation - and create a level of credibility with them so that when a request comes through, or an answer comes through, they will be able to turn around and say, 'Gee, I know that person and he's pretty rational. I'm not sure he said that, or if he said that or she said that, there must be a reason for it.'"
Katz sees every CISO as the CEO of their own mini corporation called information security or technology risk. "As the CEO, put together a set of metrics that allow you to forecast results on a month-to-month basis. Translate those results, measure actuals to forecast, and have a really good process for analysis. Learn to put together a two-year rolling plan where you are taking a look at your forecasting further out, but you're always looking two years out so that your eye never comes off the ball. It's that old cliché of 'security is a journey, not a destination.' Just make sure you recognize it as a journey, not a destination. You continue looking at targets, milestones and tasks two years out and comparing where you are."
The next step, Katz said, is to set up a really good security marketing program, or security education, training and awareness program. "Then you need a technology program to make sure that all the technological tools that you need are in place. Then you use folks who can help you put together an open governance process, which is the ability to have results and responsibilities go from the top of the corporation on down."
Put together an investigations and incident response program that is really the operations arm of your security area, he said. "Another possibility you will have within the security group is access control and administration. Make sure that you have people who are willing to get in there and work in the security operations area. You're looking at marketing, sales, finance, metrics, operations, and forensics and incident response."
Katz recommends that CISOs run their departments like a business. "Your audience and your funders -- your board of directors -- should be a security committee that is made up of seasoned business executives from across the company. They are the ones who should be on your board." He reminded CISOs that those board members are the ones to whom they will be accountable in their reporting. "They are the ones to whom you will present your results, and they are the ones who you will go to for funding."