FS-ISAC Recap: The Evolving Role of the CISO

Security professionals in the financial industry shared lessons learned from the past year and discussed the challenges facing them in the coming year at the recent 2014 FS-ISAC and BITS Annual Summit. Topics ranged from malicious insiders and the Internet underground to recent financial breaches. I attended the summit and observed one conspicuously recurring theme: the evolving role of the Chief Information Security Officer (CISO). Information security is quickly becoming a boardroom issue, and companies are looking to the CISO to do more than ever to quantify and manage business risk while continuing to enable business operations.

In his talk “CISOs Talking SMAC (Social, Mobile, Analytics, Cloud)”, Jim Routh, CISO at Aetna, recounted a lunch conversation he shared with eight recently hired CISOs. Over the course of the lunch discussion, the CISOs established the following three facts: 1) each CISO had been interviewed for their current position by the CEO, 2) they were all being very well compensated, and 3) the smallest budget increase among them was a doubling.

Routh’s lunchtime anecdote makes it clear that the role of the CISO is evolving. The elevated importance of the CISO within the enterprise shows increased enterprise awareness of, and focus on, information security risk, but it also speaks to the new nature of the CISO’s role. Traditionally, the CISO was more of a “back-office” manager focused on network and security operations. The role has evolved. The CISO is now in many ways on par with the other “C-level” executives. The new CISO is customer-facing and revenue-generating.

Security has historically been classified as a business expense with very little calculable return on investment. As with insurance, companies spent on information security to avoid losses rather than to increase profits. According to the risk management executives at the summit, this philosophy is changing. Recent high-profile breaches have brought the potential consequences into stark relief (think of the CEO of Target being fired). Organizations are realizing the consequences of poor performance, both within their own organization and within the organizations with which they share data and on which they rely for critical business services. With increased scrutiny of third-party risk, companies are engaging directly with a potential business partner’s CISO. Effective risk management and detailed security plans are becoming selling points, making a high-performing information security program a competitive differentiator.

A panel discussion with representatives from MasterCard, HSBC, FirstBank, Guardian Life, and Goldman Sachs explored this topic as well. One of the panelists estimated that he spent 25% of his time meeting with the firm’s clients. His efforts are helping his firm “win business.” Winning business is not a back-office function. It is revenue-generating.

The responsibilities and skill sets are evolving as well. The same panelist stated that, in order to manage the risks effectively, he also needed a solid understanding of the intricacies of the lines of business, the market in which the firm operated, and the audit and regulatory requirements, as well as to create succession plans and train his staff, all while still performing the traditional technical role of a CISO.

The CISO is indeed evolving into one of the most critical executives in the enterprise, and potentially one of the most difficult to find and retain. The key question is whether or not organizations will embrace the change and evolve with it.