The Security Viewpoint - News and opinion on information security, data breaches, and compliance
So what do I need to be a CISO?

Here’s a test. You decide your company’s security defences need strengthening, and you need to get budget approval for a new security information and event management (SIEM) system, which, as we know, is quite expensive.

Which of these two proposals most closely matches what you would say to the board?

1. I need to deploy a SIEM because it will enable log correlation, and we will be able to manage intrusion prevention, facilitate cyber forensics and automate processes.

2. One hour of downtime on the XX server equates to £XX in lost revenue and an X% increase in customer complaints. Expected failure of the server over the next quarter is estimated at x hours of downtime and clean-up work. If we can automate the process, we can mitigate risk, cut downtime by X% and clean-up expenses by X%. The proposed investment is £X, providing a return on investment within x months.

Hopefully, you all chose the second one.

My example is based on one given recently by Neira Jones, head of payment security for Barclaycard, who was talking about the new role of the CISO in modern business. In her view, the new CISO needs to be a very different animal from even just five years ago, and the requirements look pretty demanding.

She characterised the differences as follows (yesterday’s CISO comes first, followed by the new CISO):

Subject matter expert / Trusted adviser

Analyst / Facilitator and leader

Technical risk expert / Risk manager

Individual contributor / Integrative business thinker

Chief InfoSec Officer / Chief InfoSec & Risk Officer

Administrator / Strategist

Manager / Visionary

Insular / Evangelist and educator

Focus on risk of loss / Take risks to meet business objectives

So how do you think you match up? Jones said she could count on the fingers of one hand the people who currently fit the description, which by anyone’s reckoning is pretty ambitious.

If, however, you feel that your own skill set might need a bit of, let’s say, repolishing, do not despair.

Following Jones onto the podium at the same conference was Professor Kevin Jones of City University London, who is soon to launch the first Professional Master’s course in Information Security & Risk. Aimed at people with a good technical grounding and experience, the course is the first (he says) to focus on all the soft and fluffy stuff that the modern CISO now needs to know about in order to be heard, listened to, and to win influence in the boardroom.

The course starts in September, and Jones (Kevin, that is) expects maybe a dozen people to enrol in the first year. It consists of eight modules over two years, and the annual cost is £7,500. It will be taught part-time, with students working in peer groups and some evenings and weekends, so that they can all carry on with their careers.

Professor Jones says the idea is to equip students with the skills to present “the big picture” of security, focusing on how to present risk and cost assessments without getting bogged down in technical details.

Can you afford not to enrol?