Friday, February 4, 2011

The CISO's Perimeter (is Broader than the CIO's)

Though provocative in some ways, this truth is known to any experienced CISO.

I'm not sure whether to call it the "security perimeter", the "protection perimeter" or the "oversight perimeter"; what I mean is the perimeter surrounding everything the CISO must take into account before establishing a strategy. I don't claim it's deeper than the CIO's, but it is broader.

In that perimeter, you'll find these extra items:
  • Geographical locations of assets and users, which affect the risk of theft. For instance, a laptop is more likely to get stolen than a desktop, so the CISO has to take into account homes, internet cafés, airports and so on.
  • Electrical capabilities, whether the company's own or those of its providers. You don't want to hand your data to a provider with poor infrastructure, even if it has great software.
  • On the same note: flood prevention, fire prevention... These may not be the CISO's job and may be handled by another person or department, but the CISO has to take them into account anyway.
  • Personal applications: you may lock down what users install on their desktops inside the company. You may even lock down what they install on the company laptops they bring home, but you will never lock down what they see in their browsers, on their smartphones or on their personal computers. For that matter, you won't even lock down what they do inside a legitimate application; some evil comes from regular PowerPoint files, doesn't it? That's an area where the CIO cares about deploying and doing more, and where the CISO cares about restricting and segregating...
  • Outsiders. The CIO typically cares about employees and shareholders, hopefully about stakeholders. But it's the CISO's job to also look at outsiders, whether malevolent, benevolent or indifferent.
  • Barely-IT systems: mostly embedded systems and objects that have evolved from electronics into computers (phones, cameras, printers). Not all of them are managed by the IT department, but all of them produce or consume information and carry the typical risks. So they're inside the CISO's perimeter.