Cloud computing should motivate Chief Information Security Officers to shift their focus from managing upward, to gain board support and budget, to managing across the organisation, to engender broader appreciation for information security risks, concluded 25 Heads of Information Security from across Europe who attended this month’s MIS CISO Summit and Round Table in Rome, Italy.
In a workshop co-hosted by (ISC)2 (“ISC-squared”) and the Information Security Forum (ISF), the group examined how cloud computing is likely to affect skills requirements at the very top. The group warned that cloud computing has great potential to expose any weakness—professional or otherwise—that should have been addressed already.
“In recent years, the CISO has not always been aware of every activity within the business,” explained discussion leader Adrian Davis, principal research analyst, Information Security Forum. “The accessibility of cloud services and the opportunity for any employee with a company credit card to access a cloud-based resource will change this dynamic and require the CISO to become much more engaged with the business.” The group suggested that there was a need for top management to be more embedded in the business, offering suggestions that ranged from “working in a matrix structure” to simply “walking the floor and talking to people.”
“I get the impression that there is a need to develop skills in counter intelligence to ensure the CISO can be aware of what people in the business are doing—not so that they can slap wrists, but so that they can better understand and engage in the discussions that are taking place,” said John Colley, CISSP, discussion leader and managing director EMEA, (ISC)2. “If we achieve this, everybody would be following good practice rather than finding ways around the barriers they believe we put in place.” One participant noted that job descriptions for CISOs already suggest the need for “Superman”, “who knows the technologies, understands threats, compliance, the business and much more”, adding “we need to develop our skills in this whole new area called cloud as well.” Most cited, however, the need to focus on sharpening risk management, business understanding and the communications skills to ensure an ability to influence, “the softer skills” that all in the room admitted the CISO should have been developing anyway. The externalisation of computing resources to the cloud threatens to expose weaknesses in security management that “already should have been addressed,” fuelling continued headlines of sensitive data leaks for some time to come.
“Managed strategically, the cloud can allow organisations to manage risks more effectively, but it can also ruthlessly expose the weaknesses in an organisation. The poorer the organisation is at managing risks, the more it is exposed,” says Davis. ISF and (ISC)2 hosted the workshop session to contribute to their respective programs of research tracking skills and security management requirements at all levels of the information security sector. The Summit offered the opportunity to explore current opinion at the top level of information security management, with participation from public sector and private companies across Europe, including British Telecom, Barclays, UBS, the Italian government, Santander, and others. “The need may be more reflective of a change in mindset rather than in skill set, which some in the room believed could be more challenging to achieve,” says Colley. There was recognition that it is not fair to educate people in IT and criticise them for not having business skills and that business schools could be a more appropriate recruitment ground for top management.
The group also noted a misplaced focus on developing contract negotiation skills, as unlike outsourcing arrangements, cloud services generally come with set terms and rarely involve negotiation between equal partners. Two areas that do require more development, however, are recruitment practice and the measurement of success, points that were also noted in a related panel session hosted by (ISC)2 to look more broadly at the CISO job description.
“We do not have a system for measuring performance at this level, and there is very little time for the CISO to gain credibility with the business,” noted panellist Dr Eduardo Gelbstein, adjunct professor, Webster University. Panellist Geoff Harris, UK Management Counsel, ISSA, pointed out that recruitment practice led by HR departments does not recognise the CISO as a senior management position. “It has to be recognised that successful executive appointments are the result of a two-way selling process between the company and the candidate, while remuneration must be linked to how the business performs as they are making serious business calls.”