CISOs Share Advice on Managing Both Information Security & Risk

Transcription

1 CISOs Share Advice on Managing Both Information Security & Risk Learn how CISOs from top companies are tackling their new dual role of information security & risk management WISEGATE COMMUNITY VIEWPOINTS

2 Introduction The role of chief information security officers (CISOs) is expanding and their influence in organizations is increasing, but so are their challenges and responsibilities. The CISO s role is shifting from a focus on information security programs to a holistic risk management approach from fire-fighting security breaches to anticipating fires before they start. Leaders of forward-thinking organizations understand the need for more pervasive risk awareness and are far more focused on enterprise-wide education, collaboration, and communications. These organizations are likely to employ CISOs who can take systemic approaches to security issues that span legal, business operations, finance, and human resources. In a recent Wisegate roundtable discussion, CISOs across industries confirmed their shifting role and offered a number of major takeaways for CISOs and other IT security professionals grappling with increasing responsibility.» CISOs are being asked to take responsibility for risk management and privacy policy in addition to information security, presenting numerous challenges. With dual responsibility comes dual reporting requirements; CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the chief information officer.» However, there is a tension between risk management, which involves balancing risk with resources, with implementing an information security program, which focuses on securing information. There is also a tension between the need to identify risks an enterprise confronts and the legal requirement to have plausible deniability if a breach occurs. CISOs will need to deal with these tensions, as well as others, in order to carry out their increased responsibilities successfully.» As CISOs assume responsibility for risk management, some useful risk assessment methodologies include OCTAVE Allegro, as well as NIST and ISO standards. Some useful risk manage tools cited by Wisegate members include HP OpenPages, Archer, Rsam, Oracle s GRC product, Modulo, LockPath, and Third Defense, as well as less comprehensive tools such as Excel and SharePoint. CISOs Share Advice on Managing Both Information Security & Risk 2

3 Expanding Responsibilities The Wisegate members agree that CISOs are increasingly asked to provide input, and even be responsible for, risk management in addition to information security. According to a poll conducted by Wisegate,, close to 100% of participants said they have combined responsibilities. Executive leaders are asking CISOs to be strategic thinkers as well as IT administrators. Future CISOs will need to understand and influence business risk decisions and be involved with everything from developing privacy policies to preparing disaster recovery plans. As one Wisegate member commented: I'm responsible for global information security and, recently, my responsibilities were expanded to include risk management and disaster recovery. While I've managed both of those functions in the past, I have to say it's been about five years since I have been responsible for either one of those roles. So, I'm just kind of getting back in to the nuances of risk management and disaster recovery in addition to information security. The dual responsibility often comes with new organizational reporting requirements and new challenges. CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the chief information officer. As one member notes, he reports to both the chief information officer (CIO) and chief risk officer at his organization: My CISO role has really expanded. Actually, I'm a direct report to the CIO and the chief risk officer, and I predicted about two years ago that eventually I would end up being fully reporting just to the chief risk officer because of the responsibilities that my organization has given me. That hasn't happened yet, but it certainly is moving that way. I'm getting less and less into the security architecture and engineering, and more into the privacy compliance framework. I have records management. I head business continuity planning and disaster recovery. And another Wisegate member stated: We built a global privacy program during 2011 and we handed it off to our compliance group. And I'm starting to see some interesting reporting recommendations popping up as well The chief compliance officer and the CEO for our bank unit have both expressed some indication that maybe reporting to the CIO isn't where I should be. So, I expect some movement there as well. Wisegate Community Viewpoints 3

4 As part of this shift in CISO responsibilities, organizations are spending more on risk management. A recent Wisegate poll asked members, Can you please comment on whether you see spending on security/risk management initiatives trending in parallel to your overall IT spend, or is there more/less focus on funding security/risk management initiatives when compared to overall IT spend? While 60% of Wisegate members said they expected no change, a full 40% said they expected increase spending on security/risk management, with no members expecting a decline in spending on security/risk management. When asked what is driving a move to a risk-based approach, Wisegate members cited compliance requirements as the primary driver. What are the top two drivers for your information security/risk management program? Even though compliance is the top driver, CISOs acknowledged that it s just a starting point. One CISO commented: Having patient information, HIPAA and HITECH are daily conversations around here. But having management understand the value of going beyond these compliance requirements to reduce our overall operations risk was invaluable to the continued support of our security office. CISOs Share Advice on Managing Both Information Security & Risk 4

5 Growing Tensions As noted by a number of Wisegate members, there is a tension between risk management, which involves balancing risks with resources, and implementing an information security program, which focuses on securing the information. My risk team is very focused on risk, but they are frequently on the side of the business. So, while they look at the risk information, they're also looking at likelihood of exposure using risk calculations to determine whether or not the loss of particular pieces of information would be substantial to the organization, whereas my security team very obviously focuses on the need to keep things as locked down as possible and any risk or any acceptance of the risks to information could lead to Armageddon. Some members have resolved the tension by integrating the two functions and training the information security team to think in terms of risk. One CISO observed: We have to apply risk assessment to everything else that's going on that the business is trying to do. I think you have to evolve all your people to understand risk management philosophy and help them understand the trade-off here. Another noted: We decided back in 2007 to completely scrap our existing information security program, really took almost nothing forward that existed at that time. We've thrown it all out, and we rebuilt the program based around the concepts of our risk management program. There are not two teams; today's information security professional also has to be a risk management professional The program we built under security risk management has now become the framework we're using for enterprise risk management. So, if anything, we ended up creating a grassroots campaign in the company towards enterprise risk management using security as the model to lead the way. There is also a tension between the need to identify all risks an enterprise confronts and the legal requirement to have plausible deniability if something happens, such as breach. One CISO described how his legal team was concerned about the risk register he was using to assess and manage risk. The legal department was concerned that in a legal proceeding the opposing side could obtain the risk register and use it against the company. Wisegate Community Viewpoints 5

6 Other members stressed that risk assessments have to be performed, so the key is to keep the legal team informed but not let them dictate risk assessment processes and procedures. We all know as information security people that in order to do our jobs effectively, we can't be copying our attorneys on every communication. We need the freedom to operate within all the different departments of our organizations where data may be moving. I make sure that the legal teams have an appreciation for what it takes for an information security officer to be effective and that they have the option to work with us and to guide us on what types of things need to be covered, what types of things need to be kept out of electronic documentation, and that there's a partnership between risk management and legal. Risk Assessment Methodologies and Tools As CISOs increasingly assume responsibility for risk management, they are turning to risk assessment methodologies and tools to help them meet the challenges. Which risk assessment methodologies does your organization use? CISOs Share Advice on Managing Both Information Security & Risk 6

7 As one Wisegate member related: We're using an OCTAVE Allegro methodology that uses Monte Carlo simulations to figure out the level of risk and to weed out, outline our situations, and focus on the median area of risk that gives us medium and high issues. During the discussion, some CISOs related that they use risk registers as a way to track risks. Maintaining an enterprise risk register that is focused around risk to information and regularly tracking that program and making it part of the corporate scorecard has been a key initiative for me. During the roundtable, Wisegate members identified the following governance, risk management, and compliance (GRC) tools as useful in meeting the challenges of risk management: HP OpenPages, RSA Archer, Rsam, Oracle s GRC product, Modulo, LockPath, and Third Defense. Our enterprise risk organization uses HP OpenPages to record our risk. Within the security space, we've deployed Archer. And we have a risk library within Archer where we've identified information risk issues and we also log and record remediation plans and progress against remediation. GRC tools enable CISOs to create and map policies to regulations and compliance requirements, assess whether risk management controls are in place, and ease risk assessment and mitigation. These tools vary widely one size does not fit all. The tools need to be customized to fit the needs of a particular organization, as one Wisegate member explained: We've been Archer users for years and years, and what I've learned about the platform is you get out what you put in.i know Archer out of the box pretty much works for nobody. We all tend to modify and write our own tool. Not every organization has the resources to invest in a comprehensive GRC tool like Archer. Some use less expensive tools such as Excel and SharePoint, although these tools make it harder to maintain proper audit trails and can become unmanageable. Wisegate Community Viewpoints 7

8 I've built a system within SharePoint where we have registers with risk classification, data built in, reporting built in, and tags to prioritize the information. It is all of the information risk management data in the company, and it ends up plugging into a spreadsheet with enterprise risk management group users to manage their risk. So it's not very sophisticated. One CISO describes the organization s system for triaging risk: We've established a triage practice, so no matter what security request comes in, no matter how it comes in phone call, walk by there is an engagement process that we're actually plugged into, life cycles, systems due on life cycle, and project management life cycles. We need a security team to be able to triage that so we can very quickly do a low, medium, and high risk assessment. From there we have a risk assessment process, so for medium and high triage assessments, we'll go into a deeper dive for risk assessment. Managing the Evolution: Tips for Success During the discussion, members offered the following insights on how they are managing their new responsibilities and promoting change within their respective organizations: I think we have evolved all our people to think, not no. No is not the answer. It's how. How do we enable the business to do what they're trying to do in a safe manner or a safe manner as possible? Learn how to deal with an imperfect science. It's all about time and money. All that said the business is not omnipotent either. The business can have bad ideas. The business cannot be fully informed with an IT decision and it's our job to really fully inform them of the consequences of what they're about to do, good or bad. I have worked fairly hard on getting the key stakeholders that aren't always in IT to understand that they own various risks and that there's a partnership there, that they can expect me as the CISO to bring certain risks to them and that they become aware of risks consistently from me. CISOs Share Advice on Managing Both Information Security & Risk 8

9 In Closing From the Wisegate roundtable discussion, it is apparent that CISOs will need skills that go far beyond information security. They are being asked to take on a lot more responsibility for the security of their organization, including risk management and privacy. To be successful, CISO will need to master C-level skills, such as communication, business, and leadership skills, in addition to their IT administration knowledge. Wisegate is the invitation-only community where senior IT professionals meet to openly exchange knowledge and solve problems with their peers. It is Wisegate s ambitious mission to make our members job less stressful and more productive by providing the forum professionals need to collaborate and share experiences with a closed community of highly qualified IT peers. By enforcing strict membership guidelines, which exclude vendors from joining, Wisegate is able to provide members with unmatched access to senior-level IT professionals and quality content. Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership. 300 Beardsley Lane, Suite C201 Austin, Texas PHONE info@wisegateit.com Wisegate. All rights reserved. Wisegate Community Viewpoints 9