Q&A: What Makes a Good Chief Information Security Officer?

To succeed, a chief information security officer needs project management skills, business process expertise, a budget, and authority—and an aptitude for diplomacy.

What makes a good chief information security officer (CISO)?

By 2008, estimates Gartner, 65 percent of the largest 2000 companies in the world will have a CISO to centrally manage security. Experts say CISOs will increasingly need to manage day-to-day security as well as its strategic business use.

What can help CISOs succeed? To find out, we spoke with Somesh Singh, general manager of BMC Software’s identity management business unit, who has over 20 years’ experience working with CIOs, CSOs, and CISOs.

When did CISOs really start to appear?

In the mid-1990s, when the Internet first came on the scene, and there was all this concern about unwanted people hacking into the network. The focus [was]: how do you protect your perimeter, and how do you make sure nothing bad happens to the network?

Has the role evolved more recently?

Over the last four to five years, things have changed dramatically, from a [sentry] role to being a business [enabler]. Those CISOs who have morphed into business enablement agents, and who see their role not only as protecting their enterprise from outside threats but also determining how their organization can securely expand their perimeter, and also expand the boundary by allowing customers and partners to collaborate in a secure manner, and also doing an internal [look] to ensure employees are doing things in a secure and regulatory-compliant manner … they’re the [successful] ones.

Does the CISO evolution parallel how CIOs evolved—from overseeing technology to contributing a more strategic vision?

It is parallel to that, but CISOs have to climb a steeper path, because unlike CIOs, they have not been around for a very long time.

Where do CISOs operate in most organizational structures today?

In most companies where a CISO position is defined, they report to CIOs. … But some organizations don’t even have a CISO; a senior vice president acts in that role.

Do CISOs tend to be external hires, or internal promotions?

From what I’ve seen, this role is typically going to continue to be an internal role.

Why are most CISOs promoted from within an organization?

Stepping back, just look at identity management—one of the fastest growing [security-related] areas—[which is] basically ensuring the right people have access to the right things, that you’re able to quickly run reports, connect people to the right applications, [and so on].

Well, this kind of discipline requires two things: a very strong understanding of business processes and very strong project management skills. [T]he project can become very complicated … and if you don’t understand the processes, things can get out of control. … Now the project management skills can be hired from outside quite easily, but somebody who understands the company’s business processes deeply enough … is harder to find.

The trend is going to be for CIOs to promote people from within their enterprise who demonstrate these two skills … [and also] the ability to partner with various business leaders, because these projects tend to cut across a lot of business lines. So to recap, I’d say [CISOs need] diplomacy skills—the ability to partner with business units—[plus] very strong project management skills, and an understanding of the business processes of the company itself.

How have regulations affected the CISO role?

With HIPAA and Sarbanes-Oxley and other regulations, they’ve forced people to think in terms of business processes, and how various business services are managed. So … that has created even more pressure on CIOs, and by implication CISOs, to ensure they have business processes defined, that they have identity management processes defined, that they have internal processes defined … [and] that reports can be generated.

Are there common ways companies don’t effectively support their CISOs?

What people really fall short on is making these roles effective. I’ve seen … several companies … pull one or two people out from their organization and make them CISOs, without budget authority and without real organizational weight behind them. These folks become internal consultants, and in that form, I’ve seen them struggle quite a bit. Typically this happens in companies where the organizational side is very strong and the application development and deployment side is [also] very strong. And they have a difficult time.

How do you fix a problem like this—by getting executives to step in?

Exactly, and I think as in most cases, when you have the right [CISO] candidate, and the right sponsorship to give this candidate backing … things move forward. If you instead give people big titles but very little budget to do things, it’s just a model for failure. I mean it seems obvious when you say it that way, yet oftentimes it doesn’t get done.

What then do CISOs oversee today? For example, would they be in charge of a company’s identity management initiative?

Right now, the great majority of them tend to keep great oversight of [identity management], but I think over the next two to three years, there would be so much embedding of regulatory compliance and policy management with identity management and process management that I’m sure the business units themselves would want to do many of these things. It won’t go back to where it used to be; a lot of vendors like BMC are working on next-generation applications where more and more things are delegated, [where] they are self-service. …

Applications are becoming so advanced that more people can administer [things] from their own desktop, so there just becomes the need for a smaller, central group that handles [related security]. …

In our own—in BMC’s—strategy, I don’t know if you’ve seen this, but we call it business services management, and that really parallels what we’ve been talking about. Because our thrust has really been, instead of managing particular IT elements like servers and business applications, companies should be focusing on services you provide to your customers.

What benefit is there from talking “business services” instead of “information security”?

Instead of talking about security, you talk about: are you helping your business services in a better, more secure way? Are we at a good compliance posture at any point in time, do you have business agility? Those kinds of things. And that just dramatically changes the role and perspective of the organization as well as [the effectiveness of] CIOs and CISOs.

I think CISOs are at a crossroads at this point [between] those who view their position … as business managers who are enabling business in a secure way, versus those who are focused on security only. There’s going to be a big difference between those two kinds of CISOs … with one adding value far in excess of the other.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.