Ponovno predstavljanje vloge CISO

As cybersecurity has become an increasingly important consideration in corporate decision-making, there’s been a corresponding move to elevate the role of the chief information security officer (CISO) to a higher point in the executive hierarchy. The reasoning seems to be, “If cyber is important, CISOs must be important.” However, elevating the role sets the CISO up to be a lone voice in the desert crying “security,” with little connection to the day-to-day decision-makers in IT, engineering, or products.

This has led to some undesirable consequences, like the Facebook exec who thought it was OK that the company’s security measures povzročil večurne zamude kot odziv na izpad 4. oktobra 2021 ali izvršnega direktorja Uberja, ki je izplačani hekerji who breached his system, rather than acknowledge the breach, or the numerous CISOs who have invested in “additional layers of security” rather than admit they made poor selections initially. In all of these cases, the CISO’s isolation from functional business units undoubtedly played a role in the tunnel thinking these decisions reflect.

Organizacijski vpliv

Perhaps it’s time to reimagine the role of the CISO. Maybe it’s better to see the CISO’s importance reflected in organizational impact rather than organizational status. Perhaps embedding security in functional units will result in better security.

Imagine the CISO as a part of the IT organization ecosystem. They would be involved in every decision about the infrastructure, and security concerns would be integral to those decisions rather than tacked on after the fact. This would allow for a set of “security” solutions based on how the network is structured and managed, rather than on special security capabilities inserted into the infrastructure by an outside group.

Imagine a security expert embedded in the software development organization. They would be able to refine the development process to make sure code is written and tested with an eye to security, without saddling the developers with processes that are alien to them, thereby reducing the vulnerabilities in the company’s code. Imagine a security expert embedded in product lines. They would be able to make sure the corporate infrastructure protects their IP and that their development process reduces the vulnerabilities in their product.

V vseh teh primerih postane varnost dejavnik korporativnih odločitev, ki temeljijo na realnem delovanju podjetja. Tehnično strokovno znanje CISO postane sestavni del vsakodnevnega dela, ne pa omejitev. Podobno morata varnost in skladnost delovati nemoteno, tako da finančni sistemi in komunikacije s partnerji in prodajalci ostanejo varni. To velja za telekomunikacijske sisteme in drugo strojno opremo.

Dejavnik tveganja

Zdi se, da je to bolj učinkovit način, da tehnična razsežnost varnosti postane močan glas pri izvajanju podjetja. Lahko pa se vprašamo, ali bo to zmanjšalo razsežnost politike in jo balkaniziralo za obravnavanje posebnih interesov posameznih funkcionalnih enot. Ta pomislek je mogoče rešiti z razširitvijo vloge glavnega uradnika za tveganja na funkcije varnostne politike, ki jih trenutno izvaja CISO. 

This has the benefit of keeping security policy at the C-level, where it gets the attention it needs. It has the further benefit of having cybersecurity risk considered in the context of other risks (risk to availability, risk to reputation, to address the cases above). Security would no longer be an end in itself, but a dimension of doing business. This doesn’t mean security needs to battle it out with other concerns and make accommodations that compromise the security posture of the organization. Rather, it sets up an environment that trades the either/or mentality for one that seeks to satisfy all requirements.

Obstajajo številne tehnologije za nadzor dostopa, ki bi učinkovito zaščitile Facebook, ne da bi zaklenile lastno osebje. Če upoštevamo varnostno tveganje skupaj s tveganjem razpoložljivosti, se pojavijo tiste bolj pragmatične rešitve.