As if CISOs didn't have enough to worry about already, now we are hearing they should be seriously considering acquiring the skills they need to become the chief information risk officer.
Few organizations today have a CIRO, but if the scuttlebutt at the recently concluded RSA Conference is to be believed, they will soon, and CISOs are the logical choices to fill that role. It's reasonable to question whether another C-level executive is really needed, Bradley Schaufenbuel, director of information security for Midland States Bancorp, suggested at the conference.
"There's no reason the existing CISO can't be elevated into the CIRO position," Schaufenbuel said. In other words, the CISO position would no longer exist and would instead morph into the CIRO.
There's a lot of business justification for this evolution, but make no mistake, CISOs have work to do if they want to be in that CIRO role when the dust settles. While the nature of business risk has been changing quickly, the consensus among those who addressed the topic at RSAC is that CISOs have grown myopic in their approaches to information security.
"CISOs spend too much money on technical controls that produce lower levels of exposure," said Schaufenbuel. "So companies are not getting their money's worth."
The way Schaufenbuel sees it, CISOs have fallen short in a couple of key ways. For one, they've focused too much on protecting information and not enough on more foundational priorities such as improving the quality of information — and thus reducing its inherent risk. More importantly, while they've evolved beyond the traditional perimeter defense mentality, CISOs still tend to pay much more attention to the potential risk of IT systems rather than that of information.
"CISOs forget that risk resides outside of the company's data center," Schaufenbuel said.
And it's not just their protection strategies that need to be updated, either. CISOs also need to brush up on their business and communication skills if they want to build on their corporate profile, not to mention preserve their budgets. One example: They need to understand that a company's security profile at any given moment doesn't mean much to the people making the decisions.
"We're not explaining the value back to the business," Alex Hutton, VP of information security for a "systemically important financial institution," said during a panel discussion on the maturity level of today's information security industry. "You have to show that you're securing, not that you're secure."
In other words, it's critical that CISOs make it clear to the business just how important security is from moment to moment, and that protecting applications and data isn't something that's achieved once; it's happening all the time.
"Everything we do should be tied back to the magnitude of loss to an organization," said co-panelist Jack Jones, president of risk-analysis software maker CXOWare. "If we want to articulate the value to the people who are throwing money at us, we need to do that."
Of course, if they want to become CIROs, CISOs also have to master a little concept called "risk." Jones, who spent several years as a CISO for companies like Nationwide Insurance and Huntington Bank, says there's a generally poor understanding of risk in information security circles. In fact, he said he estimates that during his time as a CISO, at least 70 percent of his employees would completely rethink their risk assessments as soon as he questioned them.
"If we can't be accurate in assessing risk, then clearly we have some growing up to do," he said.