Government CIO Outlook, September 2022

In My Opinion

Changing the Model: The Role of the CISO in the Next Generation of Cyber Security

By Shane M. Barney, Chief, Information Security Division, USCIS

In both the public and private sectors, there is considerable emphasis placed on the value of leadership. A lot of time and energy is spent on defining it, improving it, quantifying it, and ensuring we have it in all the right places. Yet little is often said of the importance of radically redefining leadership in times of great change. As Reed Hastings, cofounder and CEO of Netflix, points out, we should not "...be afraid to change the model." If you want to be a leader, you must be willing to question everything and drive change when warranted.

To say cyber security is in a state of considerable flux would be a gross understatement of fact. While those of us in cyber security are not surprised by this, recent incidents like SolarWinds, the Colonial Pipeline attack, PrintNightmare, and others have made it front-page news for everyone. If ever there was a time to radically redefine the nature of cyber security leadership, it is now, and it extends across both the public and private sectors. In fact, it has to.

The chief information security officer (CISO) is the executive directly responsible for cyber security. This is true of the federal government and increasingly so for the private sector. The CISO reports to the chief information officer (CIO). Some have suggested that this reporting structure is fundamentally flawed, citing the real possibility of a conflict between the two officers, with IT resources needed to meet mission goals becoming prioritized over those needed to secure the enterprise. Under the current structure, CIOs and CISOs are expected to iron out these discrepancies by striking a balance between the risks and the mitigations necessary to abate those risks.

This dynamic exemplifies a critical requirement for security programs in the past and still today, namely the importance of collaborative leadership. In a perfect world, all the options are put on the table and assessed, a decision is made, and the organization moves forward. However, for most organizations, the CIO holds all the cards and can decide to accept the risk or simply ignore it, regardless of consequences. Unfortunately, there are too many cases in which this has happened. In a world where the threat landscape is evolving at the scale and speed of cloud technology, we can no longer depend on a CIO/CISO model created in the early years of the internet, when "hacking" was more a movie plot than a concern of the C-suite.

I have always seen security as an enabler of mission, not a detractor. Under such a notion, the CISO is more accountable to the business side of an organization and less so to the IT department head. A collaborative CIO/CISO relationship is still critical but no longer sufficient. Cyber in today's world has evolved to the point that the security posture of a business is as much its brand as any product or service the business produces. CISOs, then, are no longer just "information security specialists." We need to redefine the future of cyber security leadership. This new definition needs to encompass, and be applicable to, more than just the public sector. Indeed, as current technology trends