Insider Insights: Seven Observations on the Evolving CISO Leader

Upload: jeffrey-kennedy

Post on 11-Jan-2016

Page 1: Insider Insights: Seven Observations on the Evolving CISO Leader

Insider Insights: Seven Observations on the Evolving CISO Leader

A Look at the C-Levels
How They Compare: CFO, CIO, CSO

Humble Beginning
• CFO: Bookkeeping; Preparing Tax Documents; Preparing Budgets
• CIO: Data Processing; Programming
• CSO: Programming; Office Work; Law Enforcement; Intelligence Community

Career Path Titles
• CFO: Auditor; Controller; Treasurer; Finance Manager; Finance Director; Vice President; CFO
• CIO: Technology Worker; Data Processing Manager; Manager of IT; Director of IT; MIS Manager; Vice President; CIO
• CSO: Programmer; Business Manager; Information Security Manager; IS Director; VP Information Security; CISO, CSO

Education or Degree
• CFO: Accounting; MBA Degree
• CIO: Computer Processing; MIS Degree
• CSO: Computer Processing; No Defined Degree

A Look at the C-Levels
How They Compare: CFO, CIO, CSO

Appearance of C-level Title
• CFO: Late 1960s; Early 1970s
• CIO: Late 1980s; Early 1990s
• CSO: Early 2000s

Triggers
• CFO: Dependency on Access to Capital During 1970 Crises; Ambiguous Regulatory Changes in Accounting Rule; Increased Regulation
• CIO: Emergence of Personal Computer; Complex Infrastructures; Increased Computing Demand; Recession Economies
• CSO: 9/11; Rise in Frequency & Severity of Security Breaches

Dedicated Magazine
• CFO: 1987
• CIO: 1989
• CSO: 2002

Common Role
• CFO: Protect Shareholder Value
• CIO: Provide IT services
• CSO: Prevent Intrusions; Protect Information

Evolution of Information Security Industry

From Unidentified Field a Few Decades Ago to Major Rocket Ride

Onset of change started shortly after 9/11

Large-scale attacks became more sophisticated

Targeted the country’s growing dependence on the Internet

Identity theft became more powerful & pervasive

Evolution of Information Security Industry

From Unidentified Field a Few Decades Ago to Major Rocket Ride

Mid-2000s brought change

Companies began to see seriousness of security breaches & understood relevance of IT security

Created positions for information security executives

Publication of dedicated magazine

Top 3 IT Security Threats Today

Cybercrime
• Sophisticated attacks steal data & intellectual property
• No one is immune

Cyberterrorism over the Internet
• Espionage, infiltration, propaganda
• Recruit new members & vehicles
• Filter money

Insider Threats
• Trusted, unwitting & unaware insider
• Trusted, witting insider aware of their actions
• Untrusted insider who penetrated the network

What the Future Holds for IT Security

Constant Change
• Cyber attackers constantly modifying their methods
• CISOs & IT personnel must always be learning

Online Protection
• Prolific sharing on multiple social networks
• New technologies to protect online identities

More Regulations
• Security regulations playing catch-up
• Investment in security education

Characteristics of a CISO

Profile Varies by Company Size & Industry

Organizational reporting varies, majority report to CIOs in large organizations

Fortune 200 vs. Fortune 500 vs. Fortune 2000

Most CISOs responsible for managing risk

Highly regulated vs. other industries

Governance role vs. operational role

Technical vs. non-technical

The CISO Profile

Individuals in the Role are Transitioning

Many CISOs are older males (50-60 years)

Promoted from within IT/Audit & have over 20 years IT experience

Salaries range from $120K-$500K+

Very business savvy

The CISO Profile, cont.

Next-Gen CISOs

Number of females increasing

Broad technical background, have served in front-line security roles

Advanced degrees

Security strategist

Business driver and enabler

Evolution of Skills

Past, Present and Future

2000 | 2014 | 2016

• Technician
• Evangelist/Salesman
• Inspector
• Enforcer
• Security Geek
• Computer Science
• Businessperson
• Communicator
• Problem Solver
• Influencer
• Advisor/Leader
• Steward
• Security Strategist
• IT Risk Management
• Business Risk Management
• Trust Officer
• Key Stakeholder in ERM
• InfoSec Governance
• ITIL InfoSec
• Corporate Risk Officer
• Digital Risk Officer
• Change Agent

Why is the CISO Role Challenging?

Breadth & Distribution of Responsibility
• Spans technical & business issues
• Touches almost every aspect of business
• Depends on other organizations to be successful

Still a Foreign Concept to Some
• Have to win people over to get cooperation
• Must show clear business value
• People have their own view of risk

Why is the CISO Role Challenging?

Environmental Issues

Pressures of current financial times make security more difficult

CISO reporting relationships can be ineffective

CISOs have responsibilities that can conflict with peers

Why is the CISO Role Challenging?

Environmental Issues

Risk/reward equations need transparency

Risk assumption models need to be deployed in most organizations

Risk tolerance for the company determined by CEO and/or Board

Deep Dive into the CISO Role

The Five Hats of CISO Leadership

Expert
• Foundational knowledge
• Inspire confidence
• Drive credibility

Strategist
• Understand business strategy & risk tolerance
• Set InfoSec program mission, vision & values
• Make security foundational in IT organization

Deep Dive into the CISO Role

The Five Hats of CISO Leadership

Leader
• Influence other groups
• Communicate, articulate, evangelize
• Transparent about problems and need for help

Builder
• Build relationships, develop people
• Thoughtful advisor, develop culture

Manager
• Execute, deliver, consistent
• Build the right team

Elements of Successful CISO Leadership

Passion. Knowledge. Persistence. Advocate.

Deep business acumen

Over the horizon thinking

Deep financially based decision support

Can you be a leader without being technical?

The Power of Relationship Building

Connect & Collaborate with a Network of Peers & Solution Providers

No one way to tackle today’s threats

Share best practices with a network of peers

Collaborate with solution providers on solutions

Share success stories across industries

Round-out knowledge to meet challenges of the job

The Power of Relationship Building

Build Relationships within the Organization

Acceptance in the C-Suite

Increase knowledge of the business & risk tolerance

Build support for key security initiatives

Foster cooperation across the organization for the security team

The Importance of Team Building & Recognition

Industry Awards & Recognition Programs

Encourages team creativity & out-of-the-box thinking

Many opportunities to showcase projects

Fosters professional growth

Facilitates understanding for increased funding & up-to-date technology & prevention measures

The Importance of Team Building & Recognition

Industry Awards & Recognition Programs

Increases morale, lifts team spirit & pride

Boosts team & company loyalty

Benefit from more learning

Paves way for increased understanding of IT security function within the organization

The Future for CISOs - A New Urgency

Unidentified Field to Huge Career Opportunity

Attacks ringing a bell in the C-Suite

Business survival relies on security of information & technology

Increased online dependency has created increased need for information security professionals

The Future for CISOs - A New Urgency

Unidentified Field to Huge Career Opportunity

Industry experiencing a shortage of CISOs

Increasing requests to serve on corporate boards

Must-have Agent of Change who touches all corners of an organization

Five Skills Critical to Your Success…

…In the Next Five Years [1]

Get the big risk management picture

Become a data ninja

Be a collaborator, rather than a cowboy

Bring both technical and business leadership chops

Be an enterprise IT polymath

1. Five CISO Skills Critical to Your Success in the Next Five Years, CSO Online, August 2014

 

Insider Insights: Seven Observations on the Evolving CISO Leader

Thank You

Marci McCarthy, CEO and President

T.E.N.

404.273.3045
