• Empowered to deploy all proper levels of protection across all areas of the organization
• Positioned within the organization to embed information security into the business culture
The CBSO should be technical but should also have the acumen to provide incisive and realistic approaches to the protection of corporate assets from the perspectives of Information Technology, business management and business risk. The CBSO has the visibility to executive management that the information security group typically lacks, except possibly during major incidents. The CBSO ensures that protection schemes converge technology and business objectives with real business risk.
Key CISO to CBSO trait transformation examples:
• Mentality. CISO: operational execution, absolute security. CBSO: strategy, risk mitigation.
• Reputation. CISO: technologist, purveyor of fear, uncertainty, and doubt. CBSO: trusted colleague, internal consultant.
• Approach. CISO: reactive, bolted-on security. CBSO: proactive, embedded security.
• Focus. CISO: security technology and point products. CBSO: architecture, process, and analytics.
• Value delivered. CISO: operations, technology selection, efficiency. CBSO: business enablement, support, risk mitigation.
Another key methodology that CISOs must move away from is the Fear, Uncertainty, and Doubt, or "FUD", methodology when interacting with the business and business executives. Utilizing this methodology should not be the motivator for gaining executive management's attention and support for information security and for the need to support a CISO within the organization.
As I asked the CIO across the table from me: if you take 100 CEOs from the top Fortune 1000 companies, put them all in a room, and ask them to be very direct and candid in their responses to the following questions:
• What keeps them awake at night?
• What is their most important organizational goal?
72 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide