Expanding roles for the CISO

The long view of security strategies for your network.

In this series of three columns, I'm reviewing and commenting on ideas in A Seat at the Table for CEOs and CSOs: Driving Profits, Corporate Performance and Business Agility by Jackie Bassett and Daniel Rothman and edited by Raquel Filipek. Today I'll finish with a brief summary of the rest of the book, although I think I could write another six or seven columns on it if that wouldn't give my editor apoplexy!

Chapter 2, “Show Me the Money,” makes the point that security problems should be treated with urgency at the strategic level, not just as tactical glitches that can be relegated to low-level staff as minor details. “Because a security breach represents an underlying revenue and profitability problem that has gone undetected, preventing a security breach should be managed with the same level of urgency.”

The authors argue that identity management should not be seen as a nuisance: identity management can be a key to effective knowledge management about customers and competitors. For example, “When new customers are integrated into a company’s business processes seamlessly, the results translate into improved cash flows from revenues that are identified sooner and higher levels of customers satisfaction.”

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

In this series of three columns, I'm reviewing and commenting on ideas in A Seat at the Table for CEOs and CSOs: Driving Profits, Corporate Performance and Business Agility by Jackie Bassett and Daniel Rothman and edited by Raquel Filipek. Today I'll finish with a brief summary of the rest of the book, although I think I could write another six or seven columns on it if that wouldn't give my editor apoplexy!

Chapter 2, “Show Me the Money,” makes the point that security problems should be treated with urgency at the strategic level, not just as tactical glitches that can be relegated to low-level staff as minor details. “Because a security breach represents an underlying revenue and profitability problem that has gone undetected, preventing a security breach should be managed with the same level of urgency.”

The authors argue that identity management should not be seen as a nuisance: identity management can be a key to effective knowledge management about customers and competitors. For example, “When new customers are integrated into a company’s business processes seamlessly, the results translate into improved cash flows from revenues that are identified sooner and higher levels of customers satisfaction.”

Inefficient, drawn-out assignment of unique, trackable identifiers “also gives the social engineer ample time to troll the system looking for an opportunity to exploit a weakness or even get signed up as a new customer” and then penetrate defenses through further social engineering. Good identity management can also be linked to customer relationship management because a customer whose access is terminated can be identified immediately to the VP of sales for analysis and possible recovery.

Chapter 3, “Customer-centric Innovation,” includes several interesting examples of how improved security and greater integration of the CISO can support strategic planning of the sales function.

Chapter 4, “Security as a Catalyst for Innovation,” continues the theme with a discussion of the many ways that thinking about information security supports good application development, improved information management, and more productive knowledge capture.

Chapter 5, “Maximizing Shareholder Value in an M&A [Merger & Acquisition],” specifically addresses how good security practices are important for both the purchasing and the acquired organizations. They offer practical questions for boards of directors and guidance on reading audit reports, including in particular security aspects. They suggest a systematic series of steps for CISOs when becoming involved with M&As.

Chapter 6, “Turning Problems into Profits,” looks at the financial side of corporate governance from the CISO’s perspective and includes several specific examples from published reports and from the authors’ consulting experience. Some of the section headings are:

* Boosting Sales Productivity
* Market Internal Expertise to Others
* Look Beyond the Breach
* Recapturing Revenues.

Chapter 7, “Leadership – Managing Human Assets,” starts with a stirring call to action on integrating security into every employee’s explicit job definition. Such a strategy:

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.