As cybersecurity has become an increasingly important consideration in corporate decision-making, there’s been a corresponding move to elevate the role of the chief information security officer (CISO) to a higher point in the executive hierarchy. The reasoning seems to be, “If cyber is important, CISOs must be important.” However, elevating the role sets the CISO up to be a lone voice in the desert crying “security,” with little connection to the day-to-day decision-makers in IT, engineering, or products.
This has led to some undesirable consequences, like the Facebook exec who thought it was OK that the company’s security measures باعث تاخیرهای چند ساعته شد در پاسخ به قطعی آن در 4 اکتبر 2021 یا مدیر اجرایی Uber که هکرها را پرداخت کرد who breached his system, rather than acknowledge the breach, or the numerous CISOs who have invested in “additional layers of security” rather than admit they made poor selections initially. In all of these cases, the CISO’s isolation from functional business units undoubtedly played a role in the tunnel thinking these decisions reflect.
تاثیر سازمانی
Perhaps it’s time to reimagine the role of the CISO. Maybe it’s better to see the CISO’s importance reflected in organizational impact rather than organizational status. Perhaps embedding security in functional units will result in better security.
Imagine the CISO as a part of the IT organization ecosystem. They would be involved in every decision about the infrastructure, and security concerns would be integral to those decisions rather than tacked on after the fact. This would allow for a set of “security” solutions based on how the network is structured and managed, rather than on special security capabilities inserted into the infrastructure by an outside group.
Imagine a security expert embedded in the software development organization. They would be able to refine the development process to make sure code is written and tested with an eye to security, without saddling the developers with processes that are alien to them, thereby reducing the vulnerabilities in the company’s code. Imagine a security expert embedded in product lines. They would be able to make sure the corporate infrastructure protects their IP and that their development process reduces the vulnerabilities in their product.
در همه این موارد، امنیت به عاملی در تصمیمات شرکتی مبنی بر واقعیت عملیات شرکت تبدیل می شود. تخصص فنی CISO به جای محدودیتی که بر آن تحمیل می شود، جزء کار روزمره می شود. به طور مشابه، امنیت و انطباق باید به طور یکپارچه کار کنند تا سیستم های مالی و ارتباطات با شرکا و فروشندگان امن باقی بماند. این به سیستم های مخابراتی و سایر سخت افزارها نیز گسترش می یابد.
عامل خطر
به نظر می رسد این روش تاثیرگذارتری برای تبدیل بعد فنی امنیت به صدایی قدرتمند در اجرای شرکت باشد. با این حال، ممکن است تعجب کنیم که آیا این امر بعد سیاست را کاهش می دهد و آن را برای پرداختن به منافع ویژه واحدهای عملکردی بالکان می کند. این نگرانی را می توان با گسترش نقش افسر ارشد ریسک به منظور شامل کردن وظایف سیاست امنیتی که در حال حاضر توسط CISO انجام می شود، برطرف کرد.
This has the benefit of keeping security policy at the C-level, where it gets the attention it needs. It has the further benefit of having cybersecurity risk considered in the context of other risks (risk to availability, risk to reputation, to address the cases above). Security would no longer be an end in itself, but a dimension of doing business. This doesn’t mean security needs to battle it out with other concerns and make accommodations that compromise the security posture of the organization. Rather, it sets up an environment that trades the either/or mentality for one that seeks to satisfy all requirements.
فناوریهای کنترل دسترسی متعددی وجود دارد که میتوانست از فیسبوک بدون قفل کردن پرسنل خود به طور موثر محافظت کند. هنگامی که خطر امنیتی همراه با خطر در دسترس بودن در نظر گرفته شود، آن راه حل های عملی تر ظاهر می شوند.
