In part 1 and part 2 of this series, we examined the history of the CSO and various arguments as to where the CSO role should sit in the organization. Now let’s talk about how the “new” CSO plays a much bigger role in the overall C-suite and what skills a CSO requires.
Some large companies have the CSO listed as part of the company’s leadership team (Cisco and Oracle to name two) but this is not the norm in most organizations. To me, that implies that the company does not consider security essential to the business and the C-level governance of that business. Legal is essential. HR is essential. Finance, Marketing, and Sales are all essential. So why isn’t security?
It is interesting to note that business leaders run out as fast as they can to hire a CSO/CISO as soon as they get hit by a significant breach: RSA, Sony, Adobe and Target all followed this pattern. Obviously, this is a little backwards. But these kinds of events are causing business leaders to rethink how important security is to their business. I predict that they will eventually lead to the elevation of the CSO to the leadership team as a best practice.
I still believe the CSO should come up from the technical ranks. Today’s world is so complicated technically that if you do not have that background, you can be completely overwhelmed by the latest security trend. The true CSO skill that has to be learned, though, is how to translate that technical knowledge into something that a business leader will understand or care about.
Let’s look at the Heartbleed incident as an example. That vulnerability exposed many companies to a non-traditional attack pattern. Without an understanding of the risk posed by that attack pattern, security people could not possibly translate the business risk for the company leadership.
In other words, the CEO does not care about how many machines have to be patched with the latest Microsoft Patch Tuesday release. He does care if the Patch Tuesday release affects a key revenue-generating component of his business, and whether he should redirect resources to that component in order to reduce the risk sooner rather than later. This business translation is often hard for techies. But it can and must be done, and the CSO is the ideal person to do it.
In any organization, the security state evolves over time. There are security controls already in place that mitigate certain threats and there is a plan to implement other security controls to mitigate other threats.
For internal evangelism, I have found that it makes sense to explain the controls to the average employee at a very high level, explain what could happen if a control were not in place, and demonstrate where the control succeeded in preventing that scenario. That discussion makes it real, rather than some abstract idea where the security guys make the employees do stuff for no apparent reason.
For external evangelism, it behooves all security practitioners to participate in the community, sharing best practices that work and even things that have been tried but failed to produce the desired result. When you are trying to break new ground with a new security idea in your organization, it helps very much to be able to say that other folks in the security community have also tried it with some success.
What should be required of a CSO in 2014 and over the next few years? Leave a comment below and let me know what you think.