WASHINGTON – Effective chief information security officers are trusted advisers to their companies, respected leaders of their technical teams and risk experts all at once – which is no small task, according to a panel of CISOs who spoke last week at the Computer Security Institute’s conference.

During a keynote discussion entitled “CISO Panel: Evolving Responsibilities,” five CISOs from various industries and government offered opinions on what it takes to become a CISO, how to hold on to the title and in which directions the job is heading.

The demand for a CISO function has jumped dramatically in the past few years, largely because of new security-related requirements imposed on public companies by the Sarbanes-Oxley Act, said Bill Hancock, vice president of global security solutions and CSO at IT services company Savvis Communications. Because of the criminal charges that the act may impose on corporate officers who violate the law, one could say that the CISO’s job is to keep management out of jail, Hancock said.

Another panelist joked that while corporate security is a cost center and its value can’t be easily gauged, if ROI is defined not as return on investment but as “risk of incarceration,” suddenly it seems worth funding. “Security is all about risk avoidance . . . I’ve found it impossible to quantify,” said Jennifer Bayuk, CISO and managing director with financial services firm Bear Stearns.

The panelists agreed it’s getting easier to sell the need for security to both company executives and customers, as breaches have become headlines since a California law took effect this year. That law forces companies doing business in the state to disclose when an event occurs that could lead to theft of personal data.

While the need for security must be stressed, so should the reality that there’s no such thing as 100% security, said Jack Jones, CISO of Nationwide Insurance.
“If perfect security isn’t achievable, then we’re managing the frequency and magnitude of loss. . . . We have to become experts at risk,” he said. Experts manage risk, don’t take risks, Jones added, which is why the CISO position is not typically a path to the corner office. “CEOs have to have a high tolerance for risk. I find I’m risk-averse,” he said.

Yet some CISOs are finding that managing risk and understanding the company’s business means they are asked for help by many departments. Meanwhile, CISOs need to keep up-to-date with technology to manage effectively. They must be “technical enough so you’re not snowed, but have enough management [skills] that you can fit in and talk to business folks,” said Jane Scott Norris, CISO with the U.S. Department of State.

Another key skill for CISOs is to understand auditing and use it in their favor. “If you can’t demonstrate that you’re secure, it doesn’t count,” Bayuk said.