
The New CISO: How the role has changed in 5 years

By Bill Brenner, CSO
November 02, 2010 03:11 PM ET

CSO - The role of chief information security officer is not what it was five years ago. According to those who find themselves in the role, that's not necessarily a bad thing.


It used to be that CSOs were over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off of infected laptops. True, that's still the role some CSOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the program that balances acceptable risks against the unacceptable.

Also see "What is a CSO, part two" for a look at the CSO as a business enabler

In an ideal world, today's CISO hires someone else to handle all those technical tasks. Of course, the question is whether you can inspire them to do what you once had to do or if you'll turn them off with an attitude of superiority.

We reached out to several current and former CSOs and CISOs -- and a few analysts who have worked with them -- for a look at what has changed from their vantage point and what a security exec must do to survive in the job today. What follows are four perspectives.

Related podcast: "How to become the 'new CSO'"

Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services: 

On how the position has changed for the better: In 2006 I was the only person running an enterprise security organization in Catholic healthcare that held an executive position. Many of the people I ran into that were leading security, whether traditional corporate security or information security, were essentially senior managers with fancy titles, rather than junior to mid-level executives. Really the only place this wasn't true, in general, was in the financial and defense sectors. In fact, if you look at who the original thought leaders of security were, you see them coming out of those sectors very strongly. Today that is no longer true. I have peers in Catholic healthcare who are vice presidents of their organization. More importantly, almost all large corporations (Fortune 500 as a definition for large) are hiring a VP of information security or something equivalent.


Security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, focused very narrowly on technology controls within the scope of the IT organization), compliance training and awareness, and so forth. So, things that security practitioners long said were part of security, our organizations are now looking for us to accomplish also. Essentially, the CSO/CISO has become a permanent part of the group sitting at the table deciding how the company does business. The CSO leads the security function within the business and that function is now viewed as a necessary function within the business, rather than something to be given lip service to keep the regulators away but otherwise ignored. This is a significant and powerful change, in my opinion.
