The CISO role is evolving. But for that role to be truly recognized throughout the organization, security professionals need to make some improvements. Read on to find out how to be an influential CISO.
IBM's Marc van Zadelhoff has spent the past year speaking with chief information security officers around the world. From his experience, and a recent report from IBM, he sees key areas where security leaders can improve to make a bigger impact within an organization and in influencing C-level decisions.
In order to become an influential CISO, security professionals need to:
- Find a mentor: "Make sure that either within the organization or externally you find somebody [who] really is an influencer and you're reaching out and getting ideas and guidance from that kind of a mentor," van Zadelhoff says in an interview with Information Security Media Group's Tom Field [transcript below].
- Receive external review: Many organizations will have an external party come in to look at the organization and its best practices. After the review, they'll offer the organization some reflection and tips the CISO can use to improve the company's security posture, van Zadelhoff says.
- Develop metrics: One of the biggest problems with CISOs, van Zadelhoff says, is they're often not taken seriously because they can't put metrics into place. "If they can collect the often billions of data points needed to draw up an assessment of their security and compliance posture and show that to their peers and their supervisors, that will really add credibility," he says.
- Create a risk committee: A good, influential CISO is one who has a well-established security or risk committee, van Zadelhoff explains. This allows for communication and buy-in, as well as getting consensus from top lines of the business - the CEO, CIO and CFO. "One of [the] CISOs that I work with ... does an annual off-site with his risk committee, and they really think through the priorities," he says. "Having the attention of leadership is a big difference."
In an exclusive interview about IBM's new study, van Zadelhoff discusses:
- The evolution of the CISO role;
- Characteristics of influential CISOs;
- Advice for security leaders to help them be more strategic and effective in their organizations.
van Zadelhoff has nearly 20 years of experience in strategy, venture capital, business development and marketing in the IT and security space. Currently, he is the VP, Worldwide Strategy and Product Management for IBM Security Systems - responsible for overall product management, budget and positioning for IBM's full software portfolio globally. His prior responsibilities at IBM have included leadership roles in M&A, product management and marketing in both software and services. He was a member of the executive team of Dutch-based Consul before it sold to IBM and spent the rest of his pre-IBM years in IT venture capital and strategy consulting.
TOM FIELD: So I'm eager to talk about this new report, but first, why don't you give us a little bit of context and tell us about yourself and your work with IBM, please?
MARC VAN ZADELHOFF: I'm responsible for strategy for the security division of IBM. We have a large portfolio of products and services so [I'm] steering the direction of that portfolio and working with our customers around the world. I came to IBM by way of an acquisition they did of a security company. IBM has done 12 of those and does from the basis of this division I'm in, plus a lot of the research and development work that we do. I've been here about five years and it's a real fun industry because I get to talk to customers and then try and put that feedback and input right into products and services that they can use in the field.
FIELD: You've just released this new CISO assessment. You're the co-author of this report. Give us some background on the genesis of this study and really what were its main goals?
ZADELHOFF: IBM has done a major, renewed push into security. We've been in the business for a while. After doing our twelfth acquisition in October of last year, we launched a separate division on the topic of security, so we're one of the largest players in this space. But we never had a one-focus division on the topic. That means for the last six months, as we've been ramping up that effort, we've been talking more and more to customers and we realized, like the role of the CIO 20 or 30 years ago - which was just forming at that time - the role of CISO is not a mature one. We felt as we were talking to customers that we could really lend a point-of-view from our customers and from IBM on the topic of the CISO, what that role is today and where it's headed, so that is really the genesis of it.
FIELD: What can you tell us about the key findings of the report? In what ways did they surprise you?
ZADELHOFF: First of all, some things you would expect. [For] customers after 2011 - which was a year full of breaches and public disclosures of incidents - external threats were the biggest concern point that our customers had vs. the other choices in that question: internal threats, new technologies and regulations. And it's interesting here to see external threats be on the top of that list. I think if you asked the question five years ago, people were very worried about insiders, and ten years ago people were very worried around compliance and compliance standards. So this even flow of what's on the top of mind of customers for right now is very much by a number of percentage points external threats. And in terms of the new technologies, customers are very concerned around mobility and around mobile devices and what we call BYOD, bring-your-own-device, and how to manage that.
FIELD: Did any of this surprise you or is this consistent with what you've been hearing talking with your own customers?
ZADELHOFF: Those two were consistent with what we've been hearing when we talk to customers, especially mobile devices. [It's] just a question of how do you manage those. We've been rolling out some technology in services to help customers with that problem so we know that has been around. The one that surprised me ... was that a lot of the respondents to our CISO survey did not have a CISO. Almost 50 percent did not have an official person responsible for security in their company, so that's a finding I think worth noting. Then the other one which is kind of interesting ... is that 67 percent of respondents expect spending to increase in security in the next two years. If you look at that 67 percent, within that 87 percent of those expect it to increase double digits. So many organizations still haven't put that one central CISO or security leader in place, but a vast majority are going to do a significant increase in spending in the next couple of years.
Types of CISOs
FIELD: One of the things that struck me looking at the report is that you've got three types of CISOs that you typify there. Could you describe those different types?
ZADELHOFF: Let me first tell you how we came up with the three different types. We asked all the respondents, almost 140 respondents in the global survey, to rate themselves on how prepared they were for a breach and how mature their organization was. We weren't thinking that research would head in this direction, but as we started to cluster and group the findings of those two questions, we realized that there really were three different groups of CISOs or security leaders at a respondent, and those are the groups that you're talking about that you saw in the survey.
You had what we called the "influencers," which were the most advanced in terms of their maturity and preparedness, so we said those are kind of the influencers because you can tell by some of the things we'll probably discuss next that they really are ahead. Then you have what we call the "protectors." These are good CISOs. They do a good job protecting. They're doing some of the right things, medium score on their preparedness and maturity. And then we have what we call the "responders." These folks seem to be more on the reactionary side of the spectrum. [They're] not quite prepared, feel under-prepared and not quite so mature in their organization, so we called them "responders," probably reacting to different events, crisis by crisis.
FIELD: Which would you say is the largest group by size?
ZADELHOFF: The largest group by size is the protectors, the ones in the middle. Forty-seven percent of the study fell into that and then 25 percent were the influencers - the more advanced ones - and 28 percent were the responders.
FIELD: When you look at different industries or even different global market places, do you see stark differences among the CISOs?
ZADELHOFF: That was something that I asked the team to do a lot of drilling into on the data that we had. I said, "Well surely there must be differences here by country, by size of business or by vertical." We tried. The research did a lot of work on the data that we had and we really couldn't find anything. I started thinking about it and thinking about my travels and I was in Europe recently. I've been to China and India/Australia in the last year and spent obviously a lot of time here in the U.S., and actually it's kind of true. You can talk to one bank on Wall Street and really find an influencer who has got his or her game completely together in terms of managing security, and then down the street at an equally large bank or similarly impressive company and it may be another sector [and] you see somebody totally under-prepared.
I think the reality is that either we shouldn't assume in the security industry that when you talk to a large company that they have their ducks in a row and a small company doesn't. There's a lot of diversity there along those demographic dimensions. Again, as I reflect on that in my travels, I do witness that a lot. I have been to large telcos where they've had embarrassing breaches that could have been avoided, and I've been to small companies where you realize, "Wow, they really have a good program for managing a small security team."
Evolution of the CISO Role
FIELD: One of the things you said upfront was that the CISO evolution is similar to that of the CIO and the CFO before that. Talk about that a little bit and how the paths are similar and maybe even some of the differences?
ZADELHOFF: What you're seeing with the CISO is that they have had to evolve from being kind of a geek or techie, sometimes even a black t-shirt wearing guy in the basement dreaming up all sorts of nefarious and scary scenarios, and often being ignored by the organization if you're looking back 20 years. A bit of a stark description perhaps, but it's true if we really think about where security has been. They've had to go from that to, in the ideal today, being both technology-oriented but understanding the business and being able to communicate with the organization. Those things, if you look at the survey, are really important characteristics. You can't just come at it and say, "We may get hacked; we may get hacked. And there are bad people trying to get into our business in these very technical malware algorithms, let me tell you about it." You need to be able to say, "I understand you're thinking about adopting cloud as a business priority, or I understand we're thinking about letting people bring their own mobile devices. I understand that may help innovation [and] that may help reduce cost, and that's a business prerogative. As a CISO, I need to be part of that business conversation and then be able to communicate with my peers, with my senior executives in the company, and most importantly out to the average employee about how to manage and mitigate risks with that business change."
And I think the CIO and the CFO went through a similar evolution where they really went from really being the techies rolling out technology to realizing that they could be the center of change, especially the CIO of adopting massive new technologies that could become the core of the company and the core of the business and that required a different personality and profile than a pure technologist in that role too.
How to Be an Influential CISO
FIELD: What I gather is that the ideal CISO is going to be the influencer and you've got 25 percent of your respondents there right now. For the other 75 percent, how do they and their organization shift to become that influencer?
ZADELHOFF: We put a profile together and that's what I like about the study. Often you read these studies and [you say], "What do I do next?" This one actually does a nice job because of the way we formulated some of the questions of allowing the reader to really make some concrete changes in their behavior and their organization to move towards influencer. Now again, I will say every organization needs to always start with a risk assessment and start with an understanding of what's needed. Being best in class in security may not be a requirement for every company out there, so you need to think about your own profile. But let me give [you] some of the main characteristics that I think responders and protectors can learn from the influencers.
First of all, the companies with influencers have a dedicated CISO. Whether in that exact title, but certainly in spirit, they will have somebody whose throat you can choke as it were on the topic of security. Often that's evolving towards the topic of IT risk so even broader than security.
The second is around influence. You see that a good influencer will have a very well-established security or risk committee and he or she will also be a regular presenter in the board meetings of that company. So this gets back to that whole topic of communications and buy-in, if you can get your fellow peers in the business, the owners of the lines of the business - the CEO, CIO and CFO - to participate in a risk committee. One of our CISOs that I work with very closely, he does an annual off-site with his risk committee and they really think through the top priorities. That's an aspect of having that committee, a broad base of support, being a regular presenter on board meetings. Having authority over budget is one that distinguishes the influencers. Having the attention of leadership is a big difference. Seventy-seven percent of influencers have the attention of leadership; only 50 percent of responders feel they do.
Another interesting one is that we found that our influencers are less focused on rolling out technology. They're actually more focused on employee education and communication, so that really [struck] us. Primary activities that they listed as top of their agenda were communication and education. Again, I think that gets to that new profile of the CISO that you need ... to have those kinds of qualities and need to be able to think about communication.
One final one is measurement. Fifty-nine percent of influencers use standardized metrics to describe and report on the performance of security. Only 26 percent of responders did. We did some more breakdowns of metrics and that's an interesting area in the study where we found a big difference between the responders, protectors and influencers.
Advice for C-Level Executives
FIELD: We've talked about CISOs and how they should read these results. How about for CIOs and CEOs who might be overseeing the CISO position or might not have a CISO position yet. How should they be using the findings of this study?
ZADELHOFF: Great question. I think if I had just a few seconds with a CIO or CEO to discuss the research findings, my advice, in a couple of words, is, "empower the CISO." Honestly, if you look at the report it's not actually about taking a massive trough of money and transferring it to the security department for them to be successful. If you look at some of the key differences between these three levels of CISOs, a lot of it is soft attributes that you as a CEO and CIO bestow upon the role. Make sure there's one person who's in charge. Make sure that they can form a committee that you join and sit on and show interest in. Make sure that you invite them to your board meetings or leadership meetings. Make sure that you participate in the communication efforts that they find so dear to their success. Make sure that you demand metrics that are standardized, just like you would of your CIO or your CFO certainly. There's setting the right expectation and giving the role the right stature to succeed. If we can get the CIO and CEO to do that, then I think [for] CISOs the table is set for them to succeed. Now with that increase in attention and with that increased profile of that role, and with security being such a hot topic, comes a great amount of responsibility for our CISOs.
FIELD: You laid out very nicely the characteristics of successful CISOs. For CISOs now who are reading this research and want to see where they are today and chart a course for where they want to be tomorrow, what tactical advice do you offer them so that they can become the influencers?
ZADELHOFF: First of all, the criteria we talked about in the report are a good start. I always think that in any role make sure you have a good mentor. Make sure that either within the organization or externally you find somebody [who] really is an influencer and you're reaching out and getting ideas and guidance from that kind of a mentor. I think what we're doing with a lot of our customers is helping them with assessments around their maturity and that could be a very helpful mirror to hold up to your own organization. Get an external party. IBM does a lot of this where we come in, look at the organization, look at best practices and really try to provide some reflection for the CISO on how they can take it to the next level. We found that to be very helpful. It doesn't have to take a lot of time, but it can really allow for that change to occur, maybe that level setting with peers to do the changes needed.
Then obviously, we're IBM; we're also rolling out a lot of technologies that help with those metrics. Being able to collect the security data needed - sometimes the biggest problem with the CISO is they're not taken seriously because they can't put the metrics in place. If they can collect the often billions of data points needed to draw up an assessment of their security and compliance posture and show that to their peers and their superiors, that will really add credibility and that's what we've been doing. We've invested a lot in analytics and in dashboarding that allow CISOs to get a sense of where they stand and communicate that up and out in the organization.