Secrets of a CISO – Defining the security leader’s development path

A newly-published InsightaaS Industry Brief delivers an insider’s view of the building of a CISO

Of all the challenges facing corporate IT planners, development of the IT security function – processes, staff, and especially, a senior leader – may well be the most complex. It is taken as axiomatic that the unemployment rate for IT security professionals is and will remain 0% for the foreseeable future. This demand for cyber security professionals is both a reflection of the complexity of the security landscape, with threats increasing in variety, magnitude, frequency and impact, and also of the importance of responding to these threats, with director liability and cyber-insurance premiums both becoming meaningful issues for senior management.

If it is difficult to recruit capable security staff at reasonable cost (and even more difficult and costly to attract chief information security officers, or CISO), and impossible to safeguard corporate IP assets without effective security leadership, what can businesses do? Many will opt for a blended approach that includes both recruiting and developing staff, involves management from other functions (legal, HR, finance, marketing, etc.) in the cyber response team, and also includes services sourced from third-party experts – especially where security concerns intersect with cloud computing usage.

Clearly, the business of information security is complex, and its successful management essential to corporate governance. What actions should the executive responsible for cyber security take, to best deploy limited resources against a seemingly-limitless set of needs?

In Secrets of a CISO: Defining the security leader’s development path, InsightaaS documents insights supplied by David Mahon, Vice President and Chief Security Officer for CenturyLink. Prior to becoming a CISO, Mahon spent 27 years as an FBI special agent; in his current role, he is responsible for systems and processes that secure the identities and information of more than 40,000 employees and millions of customers.

Secrets of a CISO shares Mahon’s viewpoint on five topics – the path to CISO, the board of directors and CISO imperatives, incorporating cloud technology and culture, scoping the CISO’s activity in preparation for and response to a crisis, and career pathing – that collectively inform today’s CISOs as they develop strategies, technology approaches and corporate practices needed to secure their enterprises. It covers issues that CISOs, the IT security staff and the executives responsible for corporate governance and readiness need to understands, including:

• Understanding the board’s perspectives on SEC regulations, cyber risk and cyber insurance. The board, Mahon says, is asking questions – but they aren’t interested in the details of how security technologies are deployed; they are looking for strategic-level dialogue. “The industry has changed,” Mahon adds. “You need business leaders running your security programs.”
• Viewing cloud as part of the IT supply chain. “We tell companies all the time, just like you have a global cyber strategy, there are sub-components and roll-up strategies, and one is your cloud strategy. And your cloud strategy may be a hybrid strategy.” Speaking specifically of Amazon and sensitive workloads, “they’re not taking any liability indemnification.” So if you need specific security capabilities, such as audit, “you don’t go there. You go to a private cloud that gives you auditability.”
• Scoping the CISO’s scope of activity in preparation for/response to a crisis. The CISO needs to be prepared to lead the cyber risk management team. In the event of a breach, “there’s a crisis manager, and he determines who ‘s on the crisis team – legal, corporate communication, technical and forensics” professionals. “Any effective incident response plan,” Mahon states, “has job descriptions and it’s rehearsed. And if you don’t do that as the chief information security officer, you’ve missed part of your job.”

Secrets of a CISO: Defining the security leader’s development path is available for no-cost download (registration required) from InsightaaS. Please follow this link to obtain your copy.