The role and strategic importance of the Chief Information Security Officer within an organisation has evolved significantly in recent years. Where once the CISO was a largely technical, IT-focussed position, the breadth, depth and scope of the role have increased to the point where there are very few parts of an organisation in which the CISO is not a stakeholder. The CISO now owns many business-focussed responsibilities: governance of information security, risk management, compliance, and setting and communicating security policy across the enterprise. Perhaps most crucially, they are responsible for educating the senior management team about the risks their organisation faces and for driving appropriate investment to address them.
With many CISOs still working through this evolution, engaging a security partner that combines depth of expertise and service offerings at every level of the organisation with breadth of market insight is becoming crucial for most of them. Traditionally, at the strategic level, CISOs have selected one of the big four management consultancies, while various parts of the IT organisation engage different vendors for lower-level services such as managed security services, incident response, intrusion detection and firewalls. The result is a highly fragmented environment: the CISO and their advisors deal with a variety of vendors, and it becomes very difficult to integrate security processes tightly or to build a holistic picture of the security environment.
This separation of the technical from the strategic creates an environment in which different teams deal with different vendors, each of whom has its own agenda. With so many parties pulling in different directions, the CISO's life is made harder, not easier. Communication is restricted and the flow of security information is seriously inhibited. That is not just bad for business; it is bad for security. A CISO cannot hope to have complete coverage, to know whether security maturity is where it should be, or even to know whether the teams are talking to one another.
The CISO must have a holistic view of security maturity measured against industry best practice. This cannot be achieved by separating strategic thinking from technical implementation. The traditional model of hiring a management consultancy that brings in security knowledge needs to be turned on its head. Rather than turning to a management consultancy which can look at security, CISOs would be better placed partnering with a dedicated security organisation that can provide management consultants who deeply understand both business and security, alongside all the other services they may require.
Security nirvana can only be achieved if a business unifies its security solutions with a trusted partner. Too many stakeholders increase the likelihood of process gaps, and process gaps lead to security vulnerabilities. A single trusted provider enables greater information sharing, organisational awareness and, ultimately, better security.
Contributed by Chris Yule, senior security consultant for Dell SecureWorks