Morphing role of the CISO

The Amazing Morphing Role of the CISO (RSA 2016)

shaane syed / 03.15.16

Guest blog by David Spark, Spark Media Solutions

The CISO’s job is different depending on where you are.

“We all have the same title, but we all have different jobs,” said Wendy Nather (@RCISCWendy), research director, Retail Cyber Intelligence Sharing Center (R-CISC), echoing a quote from another CISO she heard at the 2016 RSA Conference in San Francisco.

What Nather and that CISO meant is that different business models and IT organizations demand different approaches to security. A retailer faces different security problems than a shipping company, which in turn faces different problems than an information business.

The business you’re in determines how you have to behave as a CISO and how you protect your environment.

One element that’s not going away for CISOs is the cloud.

“Sometimes you have no idea how much the [cloud] is part of your environment until you start doing packet captures and seeing where your traffic is going,” said Nather.

Another way to see how much of your business is exposed to the cloud is to look at procurement and see what’s getting expensed on employees’ credit cards. Cloud usage can happen before you see any charges. Given the freemium model of so many SaaS services, a CISO may have no clue that anyone is using a cloud-based product until that team goes into production and they announce they want to buy ten licenses, said Nather.
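As an added illustration of the two discovery methods above (it is example code, not part of the original post or anything Nather presented), the script below takes a constructed DNS query log of the kind you would extract from a packet capture, maps queried names to SaaS providers, and flags every provider that procurement has no contract for. The log lines, the provider-to-domain map and the sanctioned-provider list are all assumptions made for the example.

```python
"""Discover cloud/SaaS usage from captured DNS traffic.

Added example, not from the original post. It illustrates the point that
packet captures reveal which cloud services an organization actually uses,
and compares that with what procurement has sanctioned. The log lines,
provider map and sanctioned list are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: one line per DNS query seen on the wire, in the form
# "<timestamp> <client-ip> <queried-name>". In practice you would feed this
# from a pcap (e.g. tshark -T fields) or from the resolver's query log.
SAMPLE_DNS_LOG = """\
2016-03-10T09:01:02 10.0.4.17 outlook.office365.com
2016-03-10T09:01:05 10.0.4.17 login.microsoftonline.com
2016-03-10T09:02:11 10.0.4.22 api.dropboxapi.com
2016-03-10T09:02:13 10.0.4.22 dl.dropboxusercontent.com
2016-03-10T09:03:40 10.0.4.31 files.slack.com
2016-03-10T09:03:41 10.0.4.31 hooks.slack.com
2016-03-10T09:04:07 10.0.4.40 app.trello.com
2016-03-10T09:05:59 10.0.4.17 s3.amazonaws.com
2016-03-10T09:06:20 10.0.4.55 drive.google.com
2016-03-10T09:06:21 10.0.4.55 docs.google.com
2016-03-10T09:07:02 10.0.4.40 api.dropboxapi.com
2016-03-10T09:08:15 10.0.4.60 intranet.example.internal
"""

# Constructed (assumption): registrable-domain suffix -> SaaS provider name.
PROVIDER_BY_SUFFIX = {
    "office365.com": "Microsoft 365",
    "microsoftonline.com": "Microsoft 365",
    "dropboxapi.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "dropbox.com": "Dropbox",
    "slack.com": "Slack",
    "trello.com": "Trello",
    "amazonaws.com": "AWS",
    "google.com": "Google Workspace",
}

# Constructed (assumption): providers procurement/legal has a contract with.
SANCTIONED = {"Microsoft 365", "AWS"}


def provider_for(hostname: str):
    """Match a queried name to a provider by walking its parent domains,
    so any subdomain of a known provider domain is recognised."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in PROVIDER_BY_SUFFIX:
            return PROVIDER_BY_SUFFIX[suffix]
    return None


def cloud_usage(log_text: str):
    """Return {provider: set(client_ips)} for every provider seen in the log."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the inventory
        _ts, client, name = parts
        provider = provider_for(name)
        if provider:
            usage[provider].add(client)
    return dict(usage)


def unsanctioned(usage, sanctioned=SANCTIONED):
    """Providers in use with no contract, most widely used first."""
    rows = [(p, len(ips)) for p, ips in usage.items() if p not in sanctioned]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    seen = cloud_usage(SAMPLE_DNS_LOG)
    for provider, hosts in sorted(seen.items()):
        flag = "" if provider in SANCTIONED else "  <-- no contract on file"
        print(f"{provider:18s} {len(hosts)} host(s){flag}")
```

Run against the constructed log, the report shows Dropbox in use from two internal hosts, and Slack, Trello and Google Workspace from one each, none of them with a contract on file; that is exactly the freemium usage a CISO otherwise learns about only when a team asks to buy licences. Matching by parent domain rather than exact hostname is what keeps new API endpoints of a known provider from slipping past the inventory.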

In such a situation, securing the organization is less about hardening an environment you control and more about understanding the contract terms that define what the cloud providers will and won't do to protect your data.

“In a lot of ways the CISO has to manage security by contract,” said Nather.