Yes!
The Chief Information Security Officer is often seen as the spoilsport who always says the music is turned up too loud. That is unfortunate, mostly because it is not even up to the CISO to decide on the volume.
Security controls are one way of reducing risk, and that notion is rarely, if ever, disputed. People understand the necessity of taking measures to reduce their own risk: they look left and right before crossing the street without complaint. When it comes to information, however, there are often debates about identifying and defining the risks. My risk may not be your risk, and vice versa, and taking measures for someone else's risk is perceived as annoying. To be a successful CISO, one needs to help the people involved understand their own risk.
First example: Shared network
Within one department of an organization the priority may be keeping the network as secure as possible; within another department, where changes are implemented quickly, the priority may be keeping the network as flexible as possible. These are opposing interests, because frequent network changes raise the risk of critical mistakes and of downtime.
In this scenario it is not the CISO who decides who must make concessions; it is management. The CISO facilitates the decision-making process by ensuring that everyone understands the consequences, but it is not the CISO's responsibility to choose option A or option B.
Second example: project details in the cloud
A group within the organization asks whether project management may use a cloud application. The standard application the organization normally uses is not suitable for the current project because it cannot be shared with third parties. The CISO receives the question only after the application has already been purchased, which leads to a disagreement with the head of IT, who opposes such "shadow IT".
In this scenario the CISO will not be the one deciding on the proposed use of the cloud application. Rather, the decision will depend on the project being carried out, and it will need to be legally compliant (think of privacy) and appropriate in relation to the other departments of the organization.
Additionally, project management must be aware that it remains responsible for keeping all information placed in the cloud secure. The CISO provides advice and poses questions such as: Who has access, and who manages that access? What happens if the cloud provider goes into liquidation? If there is a risk that all information may be lost, but project management recognizes and accepts that risk, then the CISO should not contest the decision.
A third example: Can I take my laptop with me to China?
An employee travels to China on a business trip. Because of the threat of espionage and of confidential company information being leaked, company policy dictates that special laptops (with no sensitive information stored on them) must be used during international travel. But at the moment this employee needs to travel, no such laptop is available. The employee wants to resolve the impasse by taking his own laptop. The question is whether or not the CISO will allow it.
Again, the CISO will not make the ultimate decision. Management is responsible for the confidentiality of the data its employees work with. The CISO will therefore ask questions such as: What kind of data have you worked with on this laptop? How sensitive is it? The CISO will also explain the limits of the laptop's security: the disk is encrypted, but disk encryption only protects a device that is powered off; if a national agency takes possession of a laptop that is running or suspended, or compels the owner to hand over the passphrase, the information can still be extracted, and because ordinary deletion does not overwrite data, even erased files can often be recovered. Everything is allowed by the CISO, as long as the organization understands the consequences. In the end, this employee decided not to take the laptop with him.
Based on these three examples, the following conclusions can be drawn: 1) the CISO must know the organization well, and therefore know what its most pressing risks are; 2) a security organization capable of assessing the risks and making decisions must be established. The directors are responsible for ensuring that these conditions are met. ISO 27001, 'Information technology - Security techniques - Information security management systems - Requirements', describes this in clause 5.1 b): top management must ensure that the requirements of the information security management system are integrated into the organization's processes. Security is a matter for the directors, management, and everyone in between.
The CISO simply advises.