Insider Insights: Seven Observations on the Evolving CISO Leader
A Look at the C-Levels: How They Compare (CFO, CIO, CSO)

Humble Beginnings
  CFO: Bookkeeping; Preparing Tax Documents; Preparing Budgets
  CIO: Data Processing; Programming
  CSO: Programming; Office Work; Law Enforcement; Intelligence Community

Career Path Titles
  CFO: Auditor; Controller; Treasurer; Finance Manager; Finance Director; Vice President; CFO
  CIO: Technology Worker; Data Processing Manager; Manager of IT; Director of IT; MIS Manager; Vice President; CIO
  CSO: Programmer; Business Manager; Information Security Manager; IS Director; VP Information Security; CISO, CSO

Education or Degree
  CFO: Accounting; MBA Degree
  CIO: Computer Processing; MIS Degree
  CSO: Computer Processing; No Defined Degree
A Look at the C-Levels: How They Compare (CFO, CIO, CSO), cont.

Appearance of C-level Title
  CFO: Late 1960s, Early 1970s
  CIO: Late 1980s, Early 1990s
  CSO: Early 2000s

Triggers
  CFO: Dependency on Access to Capital During 1970 Crises; Ambiguous Regulatory Changes in Accounting Rules; Increased Regulation
  CIO: Emergence of Personal Computer; Complex Infrastructures; Increased Computing Demand; Recession Economies
  CSO: 9/11; Rise in Frequency & Severity of Security Breaches

Dedicated Magazine
  CFO: 1987
  CIO: 1989
  CSO: 2002

Common Role
  CFO: Protect Shareholder Value
  CIO: Provide IT Services
  CSO: Prevent Intrusions; Protect Information
Evolution of Information Security Industry
From Unidentified Field a Few Decades Ago to Major Rocket Ride

Onset of change started shortly after 9/11
Large-scale attacks became more sophisticated
Targeted the country's growing dependence on the Internet
Identity theft became more powerful & pervasive

Evolution of Information Security Industry, cont.
From Unidentified Field a Few Decades Ago to Major Rocket Ride

Mid-2000s brought change
Companies began to see the seriousness of security breaches & understood the relevance of IT security
Created positions for information security executives
Publication of a dedicated magazine
Top 3 IT Security Threats Today

Cybercrime
Sophisticated attacks steal data & intellectual property
No one is immune

Cyberterrorism over the Internet
Espionage, infiltration, propaganda
Recruit new members & vehicles
Filter money

Insider Threats
Trusted, unwitting & unaware insider
Trusted, witting insider aware of their actions
Untrusted insider who penetrated the network
What the Future Holds for IT Security

Constant Change
Cyber attackers constantly modifying their methods
CISOs & IT personnel must always be learning

Online Protection
Prolific sharing on multiple social networks
New technologies to protect online identities

More Regulations
Security regulations playing catch-up
Investment in security education
Characteristics of a CISO

Profile Varies by Company Size & Industry
Organizational reporting varies; the majority report to CIOs in large organizations
Fortune 200 vs. Fortune 500 vs. Fortune 2000
Most CISOs responsible for managing risk
Highly regulated vs. other industries
Governance role vs. operational role
Technical vs. non-technical
The CISO Profile

Individuals in the Role are Transitioning
Many CISOs are older males (50-60 years)
Promoted from within IT/Audit & have over 20 years IT experience
Salaries range from $120K-$500K+
Very business savvy

The CISO Profile, cont.

Next-Gen CISOs
Number of females increasing
Broad technical background, have served in front-line security roles
Advanced degrees
Security strategist
Business driver and enabler
Evolution of Skills: Past, Present and Future

2000
  Technician; Evangelist/Salesman; Inspector; Enforcer; Security Geek; Computer Science

2014
  Businessperson; Communicator; Problem Solver; Influencer; Advisor/Leader; Steward; Security Strategist; IT Risk Management

2016
  Business Risk Management; Trust Officer; Key Stakeholder in ERM; InfoSec Governance; ITIL InfoSec; Corporate Risk Officer; Digital Risk Officer; Change Agent
Why is the CISO Role Challenging?

Breadth & Distribution of Responsibility
Spans technical & business issues
Touches almost every aspect of business
Depends on other organizations to be successful

Still a Foreign Concept to Some
Have to win people over to get cooperation
Must show clear business value
People have their own view of risk

Why is the CISO Role Challenging?, cont.

Environmental Issues
Pressures of current financial times make security more difficult
CISO reporting relationships can be ineffective
CISOs have responsibilities that can conflict with peers
Risk/reward equations need transparency
Risk assumption models need to be deployed in most organizations
Risk tolerance for the company is determined by the CEO and/or Board
Deep Dive into the CISO Role: The Five Hats of CISO Leadership

Expert
Foundational knowledge
Inspire confidence
Drive credibility

Strategist
Understand business strategy & risk tolerance
Set InfoSec program mission, vision & values
Make security foundational in the IT organization

Leader
Influence other groups
Communicate, articulate, evangelize
Transparent about problems and the need for help

Builder
Build relationships, develop people
Thoughtful advisor, develop culture

Manager
Execute, deliver, be consistent
Build the right team
Elements of Successful CISO Leadership
Passion. Knowledge. Persistence. Advocate.
Deep business acumen
Over the horizon thinking
Deep financially based decision support
Can you be a leader without being technical?
The Power of Relationship Building

Connect & Collaborate with a Network of Peers & Solution Providers
No one way to tackle today's threats
Share best practices with a network of peers
Collaborate with solution providers on solutions
Share success stories across industries
Round out knowledge to meet the challenges of the job

The Power of Relationship Building, cont.

Build Relationships within the Organization
Acceptance in the C-Suite
Increase knowledge of the business & risk tolerance
Build support for key security initiatives
Foster cooperation across the organization for the security team
The Importance of Team Building & Recognition

Industry Awards & Recognition Programs
Encourage team creativity & out-of-the-box thinking
Many opportunities to showcase projects
Foster professional growth
Facilitate understanding for increased funding & up-to-date technology & prevention measures
Increase morale, lift team spirit & pride
Boost team & company loyalty
Benefit from more learning
Pave the way for increased understanding of the IT security function within the organization
The Future for CISOs - A New Urgency

Unidentified Field to Huge Career Opportunity
Attacks ringing a bell in the C-Suite
Business survival relies on the security of information & technology
Increased online dependency has created an increased need for information security professionals
Industry experiencing a shortage of CISOs
Increasing requests to serve on corporate boards
Must-have Agent of Change who touches all corners of an organization
Five Skills Critical to Your Success... In the Next Five Years [1]

Get the big risk management picture
Become a data ninja
Be a collaborator, rather than a cowboy
Bring both technical and business leadership chops
Be an enterprise IT polymath

[1] Five CISO Skills Critical to Your Success in the Next Five Years, CSO Online, August 2014
Insider Insights: Seven Observations on the Evolving CISO Leader

Thank You

Marci McCarthy, CEO and President
T.E.N., 404.273.3045