The Top Responsibilities of a Chief Information Security Officer

On this episode of The Life of a CISO, Dr. Eric Cole discusses a common problem in businesses that a CISO has to solve: bridging the gap between executives and techies.

Techies have a particular framework for understanding problems: they focus on systems, and systems don't have feelings, so the work is an intellectual exercise. Executives tend to be more emotional, because they are more attuned to customers' needs. The two sides don't always speak the same language, and they don't follow the same basic premises to the same conclusions. That's where the CISO comes in.

The CISO must be a translator, not just in terms of jargon but in terms of the intended message. In effect, the CISO is a marriage counselor between the two teams.

With that in mind, the CISO must give direction in a framework that both teams can understand. It comes down to four questions: what is the risk, what is the likelihood, what is the cost of a breach, and what is the cost to fix it? If the IT team can present those figures, the CISO is doing the job well.

In this episode:

  • 0:05 Intro
  • 2:15 A CISO is a strategic position
  • 3:00 A CISO is a translator
  • 5:10 No one likes your slide presentation
  • 6:25 The risk of having a business person come in and be a CISO
  • 7:02 The risk of having a security person come in and be a CISO
  • 8:33 A CISO must be both a business and security person
  • 11:33 What is the risk, what is the likelihood, what is the cost of a breach, what is the cost to fix it?
  • 11:53 Don’t be so exact that you become your own worst enemy
  • 14:20 Insurance: The industry of risk
  • 17:03 In most industries, there are groups where competitors collaborate
  • 19:00 Tricks of the trade: Rule of 3
  • 23:38 Comparing health of a person to health of an organization
  • 26:13 Practical application of the above points
  • 29:00 Wrap up