The life of a CISO can be really hard. Their responsibilities include anticipating and protecting the organization from all the risks that may affect the security of its information assets, detecting and responding appropriately to security incidents, managing the organization's security infrastructure, managing the whole lifecycle of technical vulnerabilities, and ensuring compliance with information security laws, regulations and standards.
As if all this were not complex enough, they must do it on a tight budget, because it is really difficult to predict, or even to calculate, the ROI of security investments. And here we find the 'security paradox': if there are no security incidents in the company, is it because of the good job the CISO is doing, or because there are no real threats and the company is wasting money on security? In times of crisis, if senior management asks this question, we can imagine how it will end most of the time.
In my opinion, the best way for CISOs to justify their budgets is by doing a risk analysis that presents the ROI as risk reduction. However, the result of the risk analysis should be presented in senior management's language: $$$. They need to assign a quantitative financial value to each risk, justify it properly, and take into account the business context of the risk. This is another complicated point, because it is not always easy for the CISO to have the information and knowledge about the business context needed to correctly translate security risks into business risks. And this leads us to another problematic topic in the CISO's world: too much data but a lack of information. CISOs (or their teams) must manage a huge volume of events from security devices, systems and applications, vulnerability scanning results, pentest results, new vulnerabilities, new techniques, new technologies, new vendors, new standards, regulations and laws, etc.
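As an added example (not part of the original post), here is one common way to put a dollar figure on each risk and present a security investment as risk reduction: annualized loss expectancy (ALE = single loss expectancy x annualized rate of occurrence) before and after a control, and the resulting return on security investment (ROSI). The risk names, control names and all figures are constructed for illustration; the ALE/ROSI method is a standard quantitative risk-analysis approach and is not something the post itself prescribes.

```python
# Added example, not from the original post: expressing a risk analysis as
# annualized loss expectancy (ALE = SLE x ARO) and return on security
# investment (ROSI). All figures, risk names and control names below are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence, in dollars
    aro: float  # annualized rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: what this risk costs per year on average."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fractional reduction (0..1) of likelihood and of impact, per risk name.
    # A control that does not address a risk simply does not list it.
    aro_reduction: dict = field(default_factory=dict)
    sle_reduction: dict = field(default_factory=dict)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE of a risk after the control has reduced its likelihood and/or impact."""
    aro = risk.aro * (1.0 - control.aro_reduction.get(risk.name, 0.0))
    sle = risk.sle * (1.0 - control.sle_reduction.get(risk.name, 0.0))
    return aro * sle


def rosi(risks, control: Control) -> dict:
    """Risk reduction in dollars, net benefit and ROSI for one control."""
    before = sum(r.ale for r in risks)
    after = sum(residual_ale(r, control) for r in risks)
    reduction = before - after
    net = reduction - control.annual_cost
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "risk_reduction": reduction,
        "net_benefit": net,
        "rosi": net / control.annual_cost,
    }


def rank_controls(risks, controls) -> list:
    """Controls ordered by ROSI, highest first: the order to present to management."""
    return sorted((rosi(risks, c) for c in controls),
                  key=lambda r: r["rosi"], reverse=True)


# Constructed risk register: three risks with a dollar impact and a yearly likelihood.
RISKS = [
    Risk("ransomware", sle=500_000, aro=0.2),                 # ALE 100,000
    Risk("phishing_credential_theft", sle=50_000, aro=2.0),   # ALE 100,000
    Risk("web_app_breach", sle=800_000, aro=0.1),             # ALE 80,000
]

# Constructed control options with their estimated effect on the risks above.
CONTROLS = [
    Control("edr_and_offline_backups", annual_cost=60_000,
            aro_reduction={"ransomware": 0.5}, sle_reduction={"ransomware": 0.6}),
    Control("mfa_and_phishing_training", annual_cost=25_000,
            aro_reduction={"phishing_credential_theft": 0.8}),
]

if __name__ == "__main__":
    for row in rank_controls(RISKS, CONTROLS):
        print(f"{row['control']:<28} reduction ${row['risk_reduction']:>10,.0f} "
              f"net ${row['net_benefit']:>9,.0f} ROSI {row['rosi']:.2f}")
```

With these constructed numbers both controls remove the same $80,000 of annual expected loss, but the cheaper MFA option returns $2.20 per dollar spent against $0.33 for the EDR option. That is the kind of comparison that lets the budget conversation happen in management's terms; the hard part, as the post says, is getting defensible SLE and ARO values, which requires the business context.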
Being able to manage all this data and turn it into useful information is one of the big challenges information security departments must face today. Centralizing, correlating and analyzing this data in a timely manner is an important first step in converting it into useful security information.
Generating alerts so that we can react in time when security incidents happen, or analyzing trends to detect anomalies, goes one step further, and at that point we can say that security information is becoming security intelligence.
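To make the two steps above concrete, here is an added example (not code from the original post) that does exactly that on a small scale: it centralizes log lines from two different sources into one schema, correlates them with a rule that fires only because both sources are in the same place, and then checks a daily trend for anomalies. The log lines, their formats, the threshold and the baseline counts are all constructed for the example.

```python
# Added example, not from the original post: centralize -> correlate -> alert,
# plus a simple trend-based anomaly check. All log lines and numbers are
# constructed for illustration; the two formats are invented stand-ins for
# "an SSH daemon" and "a VPN concentrator".
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two separate sources with different formats.
SSHD_LINES = [
    "2024-03-04T10:00:01 host1 sshd[4321]: Failed password for alice from 203.0.113.5 port 51522 ssh2",
    "2024-03-04T10:00:07 host1 sshd[4321]: Failed password for alice from 203.0.113.5 port 51530 ssh2",
    "2024-03-04T10:02:11 host2 sshd[987]: Failed password for carol from 198.51.100.20 port 40001 ssh2",
    "2024-03-04T10:02:19 host2 sshd[987]: Accepted password for carol from 192.0.2.77 port 40010 ssh2",
]
VPN_LINES = [
    "2024-03-04T10:00:20 vpn1 vpn: user=alice src=203.0.113.5 result=fail",
    "2024-03-04T10:00:40 vpn1 vpn: user=alice src=203.0.113.5 result=success",
    "2024-03-04T10:05:00 vpn1 vpn: user=bob src=198.51.100.9 result=fail",
    "2024-03-04T10:05:30 vpn1 vpn: user=bob src=198.51.100.9 result=success",
]

SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
VPN_RE = re.compile(r"^(\S+) \S+ vpn: user=(\S+) src=(\S+) result=(fail|success)")


def normalize(sshd_lines, vpn_lines):
    """Centralize: map both formats onto one event schema, ordered by time."""
    events = []
    for line in sshd_lines:
        m = SSHD_RE.match(line)
        if m:
            ts, verdict, user, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "sshd",
                           "user": user, "src_ip": ip, "ok": verdict == "Accepted"})
    for line in vpn_lines:
        m = VPN_RE.match(line)
        if m:
            ts, user, ip, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "vpn",
                           "user": user, "src_ip": ip, "ok": result == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlate: alert when a (user, source IP) pair accumulates at least
    `threshold` failed logins, from any source, in the `window` before a
    successful login. Neither source alone reaches the threshold here."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> [(ts, source), ...]
    for e in events:
        key = (e["user"], e["src_ip"])
        if not e["ok"]:
            failures[key].append((e["ts"], e["source"]))
            continue
        cutoff = e["ts"] - window
        recent = [(t, s) for t, s in failures[key] if t >= cutoff]
        if len(recent) >= threshold:
            alerts.append({"user": e["user"], "src_ip": e["src_ip"], "at": e["ts"],
                           "failures": len(recent),
                           "failure_sources": sorted({s for _, s in recent}),
                           "success_via": e["source"]})
        failures[key] = []  # a success resets the counter for that pair
    return alerts


def is_anomalous(daily_counts, k=3.0):
    """Trend check: flag the latest day's count when it exceeds
    mean + k * stdev of the earlier days. Needs at least two baseline days."""
    baseline, latest = daily_counts[:-1], daily_counts[-1]
    return latest > statistics.mean(baseline) + k * statistics.stdev(baseline)


if __name__ == "__main__":
    for a in failures_then_success(normalize(SSHD_LINES, VPN_LINES)):
        print(f"ALERT {a['user']}@{a['src_ip']}: {a['failures']} failures via "
              f"{'+'.join(a['failure_sources'])}, then success via {a['success_via']} at {a['at']}")
    # Constructed daily failed-login counts; the last day is the one under review.
    print("failed-login trend anomalous:", is_anomalous([12, 15, 11, 14, 13, 12, 60]))
```

The correlation rule is deliberately the simplest one that shows the value of centralizing: alice's two SSH failures and one VPN failure from the same address never cross the threshold in either log alone, and only the merged, normalized stream produces the alert. Carol's success comes from a different address and bob has a single failure, so neither fires. The trend check is the same idea applied over days rather than minutes; k is a tuning choice, and a real baseline should exclude days already known to be anomalous.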
But this is not enough. CISOs need to take one additional step and transform security information and intelligence into business intelligence, being able to establish quick and correct relationships between security risks and business risks. So, the true challenge for the CISO is to be able to report to senior management in real time what the business risks are, providing them with up-to-date information so that they can make correct decisions with a view of all the risks to their business (information security, physical security, financial risks, operational risks, etc.).
Once CISOs have solutions to perform this transformation of security data into business intelligence efficiently, their lives will be easier, since their budgets will be self-justified. Or, looking at it from the other perspective, senior management will have enough information to set proper information security objectives and so will be able to assign the appropriate budget to achieve those goals.
So, in conclusion, a good CISO must strike the right balance between technical and management skills, as well as having a good understanding of the business and being able to communicate with both technical and business people, all while being responsible for information security, a field where what happens today has nothing to do with what will happen next year, or, what amounts to the same thing, in two weeks.