Thursday, February 25, 2010

What is a CISO? [1/2]

What is a CISO? Saperlotte ! [in French in the original text, ed.]
People ask tough questions sometimes. Or rather, they run tough Google searches, as it seems that people often stumble across this blog when asking Google for an answer to this question.

CISO, Chief Information Security Officer, is a management and leadership position that often reports to the CIO or to the CEO. There are also CISO positions that report to the CSO, to the CCO or to the CQO, and sometimes even to the CFO. That is merely the hierarchical view of the question because, most of the time, the CISO has to work with all of these people and reports to several of them depending on the occasion. In summary, the CISO is a C-level who reports to C-levels...

He's a manager because he handles projects, teams, planning and budgets. He's a leader because he needs to get things done that are of primary importance only to him. Put another way, most people in an organization can become very successful at their work without ever reading a security policy, let alone understanding it, let alone helping to enforce it. So the CISO has to play his cards with some subtlety and some charisma to achieve results.

He's in charge of many things, but I summarize them this way:
  • Integrity of the data in the information system,
  • Availability of the services provided by the information system,
  • Availability of the IT services provided by external partners,
  • Confidentiality of exchanges,
  • Elimination of recurring problems in order to decrease operational costs,
  • Durability of the services provided by the information system, in anticipation of changes in technologies or business needs,
  • Compliance of IT practices with legal constraints.

The CISO has to write corporate policies and directives that support the goals above, and these need to be approved by the board of directors. One hard part (for any C-level, I should say) is to propose long-term goals that are innovative yet efficient and realistic. And then to communicate around them, because such documents are definitely not written to sit on a shelf.

The CISO has to deal with a number of "typical" phenomena around security questions that occur in every organization. Different CISOs react to them differently. Examples of such phenomena are:
  • Irrational fears, and sudden irrational fears,
  • FUD used by vendors of security products,
  • What I call the "TV effect", where the words of a TV presenter have more influence on the end user than those of the CISO,
  • Over-enthusiastic users or managers,
  • "Security theatre", the use of illusions that give users a false feeling of security, very common in security products,
  • What I call the "side effect of security theatre", when users and, worse, managers ask for more security theatre because it feels great,
  • Clarke's third law, "any sufficiently advanced technology is indistinguishable from magic", which clearly applies to IT security, so most people simply believe you're doing magic,
  • Managers rarely believing in magic as a profitable corporate asset,
  • The legal department of most organizations having no expertise in IT law[...]
Next article: insight, philosophy, and giving staff a sense that security is not only a constraint.

Note: If you're at all surprised that I wrote "he" and never "she", that's because I have never met a woman in this position. But I'd be pleased to.