Why should CISOs evolving into CBSOs be a priority for an enterprise?



During a recent advisory session for a Fortune 100 organization, security leadership walked into the conference room and proceeded to sit across the table from me. The CIO was the last individual to sit down and, prior to formal introductions of his team, posed the following question to me:



“Kyle, I am a CIO as you know and I am trying to develop effective messaging to other C-Levels within my organization on the importance of hiring a CISO. What are some key points and concepts I should include in my argument to convey the necessity of a CISO, and to what extent should I employ the Fear, Uncertainty, and Doubt tactics I have heard some CIOs use to validate the need for a CISO?”


Clearly these questions were extremely important to this particular CIO and, to be quite frank, I was pleasantly surprised by how directly the questions were presented and knew we could jump right into this discussion without the need for my build-up slides presenting why a CISO is needed within an organization and instead discuss why they need a CBSO more than a CISO (essentially a CISO evolving into a CBSO).


Firstly, let’s look at the two full titles of these roles:



• CISO – Chief Information Security Officer – note the word Information and how this is perceived, both internally and externally to organizations, as an Information Technology leadership role

• CBSO – Chief Business Security Officer – note the word Business and how this one word truly encapsulates all the dimensions this leadership role should have direct and/or indirect responsibility for in an organization



The business continues to view the security organization as a policy cop and a paranoid custodian that is a barrier to progress and innovation for their organization. I have spoken to a number of business leaders and board members across a number of industry verticals (non-IT business representatives) who expressed during these advisory sessions their frustration with the Information Security (IS) function. Many top executives have stated to me that they have

69 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
