(Q&A) Chief Information Security Officer: Roles and Responsibilities

This episode of Life of a CISO answers more of the questions I am commonly asked. If you want to be somewhere, it always helps to get help from someone who has already been there, and whatever problems CISOs face, I’ve already faced them.

On this episode, I contrast what a CISO does with other supervisory positions in a company.

The CIO focuses on uptime, which is usually a good metric, but fixing security can mean taking servers offline temporarily. Security engineers, by contrast, want systems to be as up to date as possible.

These two metrics can be in conflict, and it’s up to the CEO to decide which to prioritize.

The CISO is the translator between the CEO and the two IT departments, and it’s the CISO’s job to explain the benefits and risks of each option so the CEO can decide which to prioritize.

In the infamous Target breach five years ago, the CEO focused on uptime, and that focus led to a massive data breach. A good CISO might have been able to prevent it, but it’s also possible that the breach was inevitable; for a good CISO, prevention is ideal, but detection is a must. Had the breach been detected early, it may not have been as severe. To find out more, listen to this episode of Life of a CISO.

Show Notes:
1:32 What is a CISO?
2:55 A CISO is NOT a security engineer
4:03 Train yourself and others to always ask 2 questions
4:53 The second question: what is the risk and exposure?
4:55 What is the value/benefit/functionality when making a decision?
5:00 What is the risk and exposure of doing this?
5:33 Two examples of a potential risk/reward scenario
6:38 The final question: does the value and benefit outweigh the risk and exposure?
7:07 Warren Buffett makes successful financial decisions because he weighs the downside
8:46 What is the difference between a CISO and an ISO?
10:22 For many folks, an ISO is a better fit than a CISO
10:42 What is the difference between a CIO and a CISO?
11:34 A CISO is focused on risk, not uptime
12:48 There are situations where uptime can create risks, and the CEO decides which to prioritize
13:13 Case study: Target (retail store) breach
14:27 The CEO made a poor decision based on his incentives
15:17 The CIO normally has a big team
16:05 Evolution of the CISO role
16:19 CIO focuses on one metric, uptime
16:44 Security is confidentiality, integrity, and availability
18:14 With my predictions, I’m often right, but off on the timing
18:42 I predict that CISOs are going to become more of V-CISO (Virtual CISO)
20:42 What is the best advice I give to a CISO?
20:57 Read!
21:29 Security engineers are often paranoid and look at faults
23:21 What is the ideal background for being a CISO?
25:40 The biggest mistake CISOs make is not being able to give up the technical side
26:58 If you are a really good CISO, what you’re doing is finding and reporting breaches
27:52 What is the main focus for a really good CISO? Prevention is ideal, detection is a must.
28:31 The problem with prevention
31:12 CISOs are always thinking like Warren Buffett