By David Sheidlower
In my 10+ years as a CISO, I've noticed a trend that appears to only be increasing. What I have observed is a proliferation of job titles that rhyme with CISO. But rather than describing the Chief Information Security Officer, these new titles swap out the word “chief” and come up with something else to describe something different.
There’s the BISO, or Business Information Security Officer, who has some level of responsibility for a specific part of a firm’s business. They are expected to be part of the business unit they are responsible for. In other words, knowing the business is as important as knowing security.
The BISO is not to be confused with the TISO, or Technical Information Security Officer. This individual is more technically focused and might serve multiple BISOs in complementing the BISO’s business acumen with their technical expertise.
You might see a Network Information Security Officer, or NISO, where the word “network” can mean minding security for layers 1 through 4 of the OSI stack or refer to the NISO being a kind of mega-BISO who takes care of an interconnected group of business entities within a complex Enterprise.
If the business is divided into divisions, you might find a DISO and, likewise, if the structure is regional, you might find a RISO. To be fair, I’ve never seen a RISO title. Usually, the regional security heads are called by names like “CISO for EMEA” or “Deputy CISO, APAC region.”
And then there are the companies that are bashful about appointing a CISO and give their head of Information Security titles like “Director of Information Security.” To them we say, either call that person a CISO – and give them the commensurate responsibilities – or go get one. As I’ll argue below, there’s something that can get missed in this game of “ISO scrabble.”
Some CISOs I know responded to this sprawl of ISO job titles by adding “worldwide” or other descriptors as a preface to their title. After all, there should be one Chief and it is important to make sure that there is no confusion about it.
Human Resources, Executive Management, and sometimes even the Board have a direct say in all of this, of course. We can’t simply pin the existence of so many ISOs on the CISO. In fact, some of these ISOs might not report directly to the company’s CISO. Sometimes, there are so many dotted lines, you’d think that the org chart was printed out on an old, cheap dot matrix printer.
The first thing to emphasize about this jumble is: there’s more than enough work to go around. Call yourself Dr. Faustus for all anyone cares, just protect the Enterprise. Organizing that work is one reason these sub-CISO titles came into being. The titles legitimately describe and put limits on a function. You, X-ISO, need to focus on “X” and leave the rest to someone else (Y-ISO, Z-ISO, etc.?).
Then there’s the need to satisfy the ambitions of people with these positions. Consider it a compromise between where they are and where they want to be. “You are not the CISO, but, hey, this is close to being the CISO (just squint when you read your business card).”
Ending job titles in “Information Security Officer” is attractive to everyone involved. The security frameworks (ISO/IEC 27001:2013 clauses 5.1 and 5.3 and NIST Cybersecurity Framework ID.GV-2, for example) all demand that roles and responsibilities be defined such that people are committed to staffing the security program. And nothing says commitment and, as applicable, compliance better than dedicated resources, and nothing says Information Security resources are dedicated better than making them Information Security Officers.
Now I’ll get to the point.
I would argue that the letter at the END of the acronym is way more important than the letter at the beginning. It’s the “O” for “officer” that matters most. Being an “officer” needs to mean something. This is where things get lost and too fuzzy sometimes.
It is important that people manage processes and teams. When they do that, regardless of their title, they are “managers.” It is important that work is directed and prioritized. People who do that are functioning as “directors.” People with the title Manager or Director can be at any level in the organization. Of course, there may be job classification schemas in an organization that dictate where they fall, but the functions do not limit the level. Likewise, being an “officer” does not mean you are at a particular level.
What being an officer does mean is that you are responsible for the objectives of the security program. Sometimes that means you manage, sometimes you direct. Sometimes you analyze, sometimes you observe and sometimes you consult. Sometimes you approve and sometimes you reject policies and their exceptions. Sometimes you might roll up your sleeves and configure a firewall (hint: “permit ip any any” is bad).
Being an officer should mean that the objective is more important than the tasks at hand. You can’t stand on ceremony if your job is to stand between the threats and what you’re protecting. The Information Security Officer owns protecting the company’s information assets. If a vulnerability or risk to the organization and the assets you’re protecting is in your view, then it is in your purview.
If an organization wants someone to solely manage a team or process, then they should call that individual an Information Security Manager. If they want someone to solely direct a function or set of functions, then they should hire an Information Security Director. If, on the other hand, they decide someone should be called an Information Security Officer, then expect and accept that that person’s scope goes beyond just managing or directing.
There might be more important organizational considerations when evaluating the security function in an Enterprise. “Who does the CISO report to” is discussed a lot more than who has what job title. But to the extent that job titles reflect roles and responsibilities, it’s worth considering just what makes an “officer” an Officer.
By David Sheidlower
I have gone back and forth for a long time. Should security be risk-centric or data-centric? Outside of security professionals, you sometimes meet people who believe security should be compliance-centric and others who believe security should be audit-centric (which is a type of compliance-centrism).
Certainly there used to be network-centric views of security but they have mostly eroded in the face of mobile devices and the rise of cloud applications.
By David Sheidlower
Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sys admin about the importance of patching. It’s been a long time for me, but the memory lingers.
Daniel Conroy never expected to be a CISO. He never expected to be in America. He was a rugby-playing, triathlon-competing lad from Ireland who came to the United States for a brief stint with a semiconductor company, using his background as an electrical engineer. Seventeen years later, Daniel, his wife and children are living in Stamford, Connecticut, where he is a much-sought-after CISO in the industry.
By Devon Bryan
"We drive into the future looking into our rear view mirrors." (Marshall McLuhan)
Notably absent from the flood of ongoing blockchain conversations is the cyber defender's perspective. Perhaps the reason is simply that the thought leaders feeding the blockchain hype cycle are opposed to having security types pour cold water on their "1000 blockchain flowers blooming" conversations.
By Roota Almeida
CISOs are often in a situation where the CEO or a Board member asks them, “Just how secure are we?” Or “Are we secure enough?”
These questions sound simple, but are quite difficult to answer accurately. The quick answer to the question would be, “We are more secure today than we were before and are constantly striving to be better and one step ahead of the bad guys.”
By Henry Jiang
Recently, I posted a picture of a mind map I created, simply called "The Map of Cybersecurity Domains (v1.0)." I put the map together as a way to clear my head after fully immersing myself in the world of cybersecurity day in and day out for the past few years, and as a constant reminder of just how complex and vast the subject can be.
By Joel Rosenblatt
The first week of March in 2017 will be remembered as the time that AWS (Amazon Web Services) failed. The actual failure was in the Amazon Simple Storage Service (S3), but to the world in general, if your stuff was running in the Amazon cloud, it was not working.
By David Cass
Each year brings more large-scale security and privacy breaches, leaving the general public questioning to what extent companies can be trusted with their sensitive information. Retail, health care, banking, entertainment, governments – no industry is left untouched. Security and privacy must remain top of mind within every organization, as both are essential to safeguarding data, protecting brand image, and avoiding hefty fines and financial losses.