The four types of chief information security officers3 min read . Updated: 22 May 2018, 12:00 AM IST
Governments, corporations, and individuals the world over now worry about information security and the possibility that their computers and data can be compromised
Governments, corporations, and individuals the world over now worry about information security and the possibility that their computers and data can be compromised. The introduction this month of Europe’s General Data Protection Regulation (GDPR) laws around data privacy and security has again brought this issue front and centre, and many firms are scrambling to prove that they comply.
Last week, I met with Neil Daswani, an expert in information security. Daswani is co-director of the Stanford Advanced Security Certification Program, and an expert in web application security.
He is the lead author of the book Foundations of Security: What Every Programmer Needs to Know and has led security efforts at various organizations such as Google, Dasient, Twitter and Symantec. We discussed the role of a chief information security officer (CISO) in today’s organizations, and Daswani gave me a quick education.
He maintains that the organization’s own attitude to security is what determines the effectiveness of the CISO. He pointed me to a paper written by Gary McGraw and others from Synopsys, a firm that specializes in security solutions and in ensuring the integrity of its clients’ software. The paper categorizes organizations into four distinct CISO “tribes". I shall provide only a simple definition of each of these types of firms here; I am sure you will be able to self-diagnose which tribe you belong to and act, if required, by turning to experts such as the ones at Synopsys.
The lowest grouping is the “cost centre" tribe, which is overwhelmed and under-resourced. In most cases, security leadership exists deep in the organization, at levels well below executive leadership and middle management. The upper layers of management treat security as a cost centre. In today’s world, this tribe is the most exposed.
The second is the “compliance" tribe. The authors maintain that compliance with regulation such as GDPR is both a boon and bane for security, and that this tribe intentionally leverages compliance requirements to make real security progress. In many cases, previous security leadership in this tribe was replaced at the same time that a compliance regime was imposed from the outside, sometimes in the wake of a crisis. According to McGraw et al, many of these firms still continue to under-invest in security. They maintain that in such companies, though the compliance spending of today may now be more than the pre-crisis spending of yesterday, it is still inadequate to meet future crises.Further, compliance alone does not keep hackers with malicious intent out.
CISOs in the “compliance" tribe tend not to be deep technologists but, according to McGraw and clan, do tend to have strong managerial and leadership skills. This can lead to a situation in which these CISOs’ limited resources are correctly allocated and clear progress is made; however, the organization’s overall progress is still inadequate because it is always in “catch-up" mode after a crisis, or after external regulations such as GDPR have been imposed.
The third is the “technology" tribe. Its approach to security is not bounded by compliance alone. However, the CISO is likely to have come from a purely technology background and tends to overemphasize the definition of security problems in terms of technical aspects alone. According to McGraw and his co-authors, an undersupply of business acumen leads to what they call the “superman syndrome", in which the “technology CISO" often gets down in the weeds on particular problems instead of delegating, and learns about the business impacts only through trial and error.
The top grouping is described by McGraw and his collaborators as the “enabler" tribe. Firms which fit this definition have evolved their security mission to an organization-wide commitment, rather than a simple compliance measure. Security for them is not just a technical problem; it is a business issue. This means that various lines of business actively participate in the overall firm’s security mission. CISOs in such firms are on par with senior executives, who lead other business lines. They are proactive and get in front of security issues, both internally and externally, and can intentionally influence the standards by which they will be judged.
To which tribe do you belong?
Siddharth Pai is founder of Siana Capital, a venture fund management company focused on deep science and tech in India.