The staggering pace of evolution in technology has really pulled the rug from under the enterprise world, leaving old corporate structures that have served businesses so well until now up in the air. Under such a barrage of change from every direction, it’s no wonder that there’s a sudden proliferation of new job titles and acronyms as businesses scramble to reorganise and reassess.
Nowhere is this more apparent than in cyber security. It’s slowly beginning to dawn that the person responsible for securing the margins is no longer marginal but the guardian of a company’s core financial and reputational value. Many security chiefs, such as Kurt Hagerman, chief information security officer (CISO) for cloud security company FireHost, believe it’s high time that we elevate their roles accordingly.
But despite high-profile cyber attacks and their consequences becoming regular media fodder, ‘security is still often an unsavoury topic amongst professionals, and their role is commonly undervalued and not prioritised compared with other senior leaders, much less understood’, says Hagerman. ‘And while the CSO [chief security officer] is clearly recognised as a thought leader in security, their brand as a business leader is often lacking.’
As a result, their actual responsibilities and capacity to protect the company fluctuate depending on their relationships with the rest of the C-suite and the board of directors – if there is a relationship at all.
‘A company’s business model, a CSO’s risk management objectives and security threat trends also play a huge part,’ adds Hagerman, ‘so it’s no surprise that many CSOs find themselves in a no man’s land between the executive team and the rest of the organisation.’
Once more unto the breach
The roles of CSO and CISO have recently gained attention in the form of a breach that directly forced an organisational reshuffle in a major non-tech company.
When US retail giant Target suffered a phishing attack in November 2013 in which an eye-watering 70 million or so customers had their credit card data stolen, it resulted in not only the dismissal of its CIO and CEO, but the creation of a CISO role – a move that Hagerman calls ‘music to the ears’ of security professionals.
‘It sent out a message, and quite rightly too, that security is one of the most important issues facing organisations today, and that the executive structure should operate accordingly,’ he says.
While a CSO has traditionally been responsible for the whole remit of enterprise security, from the physical to the digital, Target’s decision draws attention to the fact that an increasing number of companies are now creating a distinct role concerning the protection of the digital estate – the CISO.
As Rowland Johnson, CEO of cyber security testing specialist Nettitude, explains, ‘What is abundantly clear is that virtual assets are not being properly secured at some organisations, and this aspect of the business needs specialist risk analysis and protection, so the CISO role has diverged and is becoming more important.’
Following the Target debacle, and a very similar occurrence of appointing a CISO after a breach at Sony, it’s not hard to imagine that other firms are going to investigate how a similar incident could affect their operations and allocate responsibilities accordingly.
‘It will allow an organisation to dedicate discrete resources to protecting information, whereas that responsibility may be part of a broader remit at an organisation with a CSO who must also worry about physical assets.’
But as David Robinson, CSO of Fujitsu UK & Ireland, points out, the realms of physical and digital security are becoming intertwined in many ways, and will soon be difficult to separate into different job roles. And Johnson agrees that there is likely to be some overlap if you look at the abstract roles of CIO, CSO and CISO.
‘The physical element plays an important role in many cyber attacks, taking social engineering attacks as an example,’ says Robinson. ‘As such, in an ideal world, digital and physical security should be merged together and operate almost seamlessly.’
A matter of scale
He admits, though, that more often than not job role convergence still depends on the scale of an organisation: ‘While it is possible in smaller companies, in large enterprises – where the complexity of operations comes into play – the two types of security usually operate separately.’
So what does the future hold for the role of the CSO? Raj Samani, CTO EMEA at security firm McAfee, has weighed in on the debate, saying there is no ‘correct’ answer to the CSO/CISO question at present. Instead, he says, it’s better to think of each organisation as a separate entity that will have different requirements.
‘It’s not a one-size-fits-all policy,’ he comments. ‘Where one umbrella policy may suit one organisation, a separation of the two may suit another.’
Regardless of structures, there is no question that those in security roles are beginning to come out of the shadows and into the enterprise limelight. And for CSOs and the companies choosing to hire them, the job description is evolving beyond recognition.
The types of technical cyber security tasks that may once have been the remit of security chiefs – such as creating firewalls, setting up proxy policies, maintaining endpoint security controls and keeping security infrastructure running – are increasingly either falling into the hands of the security administrator or are considered only the ‘basics’, comprising just the tip of the security iceberg.
As technology has taken centre stage and the number of security threats to sensitive corporate data has multiplied, the role of CSOs has become more strategic, as they assume more visibility, responsibility and authority.
‘By comparison,’ says Phil Barnett, VP of global accounts at Good Technology, ‘whereas the CIO often manages the implementation of useful technology, the CSO is tasked with ‘enabling’ the workforce by finding solutions that align both business and security objectives – enabling employees to do their work productively and securely.’
And as Cath Goulding, head of IT security at Nominet (the organisation responsible for the smooth running of the .uk internet), explains, technology is now so ubiquitous that CSOs can no longer rely on the bottleneck of the IT department to consider security issues. Instead, it’s their job to create a ‘culture’ of security across the entire workplace, making it everyone’s responsibility.
No longer the techy person locked in a server room playing with code or CCTV systems, the CSO of the modern enterprise must actually be able to communicate, as is the case with many IT roles today.
‘This requires the CSO to have a much softer set of skills than previously,’ she says. ‘Training and awareness campaigns should no longer be a one-off exercise to meet compliancy requirements – they should be continuous and ingrained in the culture.’
Much of this new role, which involves communicating and teaching, extends beyond the enterprise’s walls to customers and others. In today’s world, not only does the CSO oversee an enterprise’s entire security function – both the business (including people) and technical aspects – he or she also plays a part in bridging the needs of different departments, and of the business and its customers.
Goulding believes that 2014 has been the year that the customer has become sophisticated in relation to security, with media coverage of the Heartbleed vulnerability unprecedentedly swift and extensive.
For this reason, ‘the CSO must now have even closer links with customer service and PR teams in order to reassure customers about their concerns’, Goulding says.
Goulding and Barnett both strongly argue that enterprises should be looking to hire CSOs who can assume the role of educator, and this becomes even more of a priority as the unstoppable wave of employee devices continues to flood businesses.
‘Many habits developed in personal device use are a liability for enterprises, which makes employees the single biggest security threat in terms of potential data leakage,’ Barnett explains. ‘If employees are offered a better user experience in a secure way then they are less inclined to find “workarounds”. Combined with security guidelines, enterprises can establish secure mobility without exerting heavy controls.’
As Mike Raggo, security specialist at MDM company MobileIron, argues, the CSO of the future must become ‘the conduit through which cyber security is communicated across the organisation’.
‘He or she should increase senior leadership and board engagement on cyber security,’ stresses Raggo. ‘This involves preparing the board for a hacking incident because it’s no longer a matter of if, but when. Responding to a hacking incident is part of the overall security strategy, but a holistic approach includes both proactive and reactive controls.’
In the mobile-first era, CSOs will now be judged on how quickly they can enable the organisation to adopt new technologies without creating unstoppable risk. But as well as just mitigating risk, CSOs should be ‘enablers’ of productivity throughout an organisation.
As Raggo argues, they must understand that employees judge IT based on responsiveness: ‘They view an unresponsive IT organisation as irrelevant, and often end up bypassing IT to use their preferred mobile services. When the end-user has the power of choice, security becomes a service provided by the CSO to make that choice acceptable.’
In this role, the CSO is a bridge that must support a world of decentralised strategy and execution. Many such as Raggo believe that CSOs who focus on enablement will become more prominent in the C-suite, while those who focus on risk mitigation through restriction will lose power.
‘The former understand that security is about behaviour, and they reward the right behaviour,’ says Raggo. ‘The latter inevitably encourage the wrong behaviour, and they damage both their credibility in the C-suite and the security posture of the mobile-first organisation.’
Ultimately, the security chiefs of 2014 are far more than just the people who keep guard at an enterprise’s walls – they are productivity and enablement evangelists, with the foundational knowledge of security best practices that can broaden the technology choices available to the business and employees.
And more than ever before, they must be visible, working tactically with the C-suite and IT department to define the security agenda and ensure that the enterprise is ready for the challenges to come.