What is the information security triad? Just about everyone knows the answer to this question is CIA – Confidentiality, Integrity, and Availability. Security professionals, service providers, and technology vendors are responsible for these three infosec pillars in one way or another.
CISOs also take part of CIA oversight, but their responsibilities extend beyond confidentiality, integrity, and availability alone. In fact, the CISO role is changing rapidly and becoming so critical that these security executives deserve a cybersecurity triad of their own. The modern CISO triad equates to:
1. Security efficacy. In some ways, this requirement supports the status quo as CISOs have always been accountable for cyber defense. So what’s changed? Security efficacy used to be closely associated with risk management – identifying and quantifying risk, and then putting the right controls in place for risk mitigation. While CISOs still own this part of the job, they are increasingly tasked with putting up security fences as well as overseeing top-notch intelligence and emergency response agencies. These responsibilities require a vast improvement in internal and external security intelligence supported by intensification of specialized security analytics skills, which can be difficult to find. Finally, CISOs need to be able to translate geek speak and a cyber-gumshoe lexicon into business metrics.
2. Operational efficiency. In the past, CISOs tended to disregard security operations in favor of a dogmatic focus on security efficacy. This led to a best-of-breed security technology mentality, where organizations purchased the best email security, AV software, firewalls, and IDS/IPSs they could find. While well-intended, this strategy made mighty enterprise organizations dependent upon an army of point tools, manual processes, and a plethora of individual contributors from the IT security organization. This situation is not only an operational nightmare, but it also detracts from security efficacy as modern malware circumvents security defenses and “kill chain” phases are viewed as autonomous events. Modern CISOs hired over the past few years are in charge of supplanting this mess with a mix of coordinated processes, integrated technologies, organizational cooperation, and far more automation.
3. Business enablement. Some industry pundits have dumbed down this necessity with statements like: “Information security can no longer get in the way of the business.” That may be true, but it’s overly simplistic and not the point. CISOs are supposed to hold up a stop sign when the organization embarks on initiatives that exacerbate cyber risk, but this assumes that they understand the IT initiatives and business processes involved. Based upon cybersecurity history, this may be a bold supposition. Modern CISOs have to approach business enablement in two distinct ways: 1) Business process expertise, and 2) Cybersecurity services that can support business initiatives. The latter requirement could include a flexible infrastructure for Identity and Access Management IAM, flexible security services that are extensible to IaaS and SaaS infrastructure, fine-grained network access control policies/enforcement, and strong data security and enterprise Digital Rights Management eDRM. In aggregate, it’s not about holding back the business; it’s about enabling the business to be creative while constantly managing IT risk.
A few final observations:
The CISO triad could be used as a job description for any modern CISO job, at any organization, anywhere in the world. The problem is that there are very few candidates who have the right skills to oversee all three areas. Alarmingly, the pool of qualified candidates may actually be decreasing as the current generation of CISOs with years of on-the-job training starts to retire.
Finally, I speak to hundreds of cybersecurity technology service providers and vendors each year, and I can honestly say that very few of these firms really understand what CISOs do. Until this situation is rectified, there will likely be a continuing mismatch between cybersecurity innovation and products/services that actually help CISOs accomplish their mission.