But the purpose of the field is simple — to keep the bad guys out and the data in. The chief information security officer (CISO), as former Michigan CISO Dan Lohrmann puts it, is simply the leader of cybersecurity within an organization.
“It’s a wide range of ways that’s implemented,” Lohrmann said. “In some shops, it’s a one-man show and they’re the same guy that’s sweeping the floors and vacuuming the rug. Most organizations wouldn’t call that the CISO — it would be the head of security or something — but in large states, like in Michigan, the CISO can have 30 people under him with two levels of management.”
The CISO’s ultimate goal is to never wake up and see the name of his organization on the front page of a newspaper. Target, eBay, TJ Maxx, Anthem, Sony and the Home Depot are just a few of the large American companies that have, for at least a few years, created a strong and unfortunate link between their brand names and the term “data breach.”
Federal and state governments have had similarly devastating publicity in recent years. The 2015 Office of Personnel Management (OPM) data breach aired more than 20 million private records, leading to hearings, strife, firings and public disillusion. It also led the agency hire Cord Chase as its first CISO in 2016.
This role has been around since the 1990s, Chase said, when the field was based strongly around compliance, whereas today, security leaders are adopting a more operational stance.
“It was ‘IT security,’ ‘IT-security,’ it was ‘security,’” recalled Chase. “Then it all of a sudden this cybersecurity thing started to come in and then it was ‘cyber security,’ then ‘cyber-security’ and now it’s just cybersecurity. I think if you really look at that path of how that world has changed, you’ll see how the modern position and perception of those individuals has changed as well. ‘Hey, look, we smashed two words together and made it one,’ and now it’s in the dictionary and OPM policy.”
It’s the CISO’s job to comply with standards and create an environment where others do the same, Chase explained, but to do the job well requires a greater degree of adaptability and critical thinking.
“When I look out in the landscape of all the security officers out there, I see a lot of new up-and-coming individuals, and I see a lot that follow the puzzle that has been given to them, and then just recreate that puzzle every week and every month and every year,” he said. “In my role, personally, I always want to push the envelope … and make sure we were taking all of that guidance, all those recommendations, all that policy, and trying to do our best to apply that to our environment to make sure the risk was manageable for the business unit."
The CISO, he said, "has to be somebody who is business savvy, very politically smart, as well as somebody that understands all the pillars of cybersecurity. My pillars are continuous monitoring, security operations and engineering, governance, and policy.”
In a large organization like OPM, the CISO authority presides over several groups. The continuous monitoring group ensures documentation is compliant and continuously watches IT systems. A security operations group looks for vulnerabilities and performs penetration testing, while a forensics team validates and provides rapid response to security events. A 24/7 monitoring center watches the organization’s monitoring tools, while a liaison group keeps the continuous monitoring group abreast of security operations. A policy and auditing group creates memos and keeps the organization aligned with the latest guidelines and standards from the likes of NIST, while a governance group ensures that the organization’s structure is efficient, effective and devoid of wasteful overlap.
Before joining OPM, Chase said he didn’t fully understand the value of policy, but encouraged CISOs to embrace its power.
“I saw policy as a lot of words on a piece of paper,” he said. “I soon realized, if policy is written effectively, how effective it is to help not only the individuals and the customers within the agency understand where they are, but also helps enforce a lot of the tools and governance we have inside. So if somebody is doing something they shouldn’t be doing, we can always cite a very modern policy to help them understand why they shouldn’t be doing that.”
The CISO has one of the most difficult jobs in a given organization, because cybersecurity is evolving quickly, and with each new technology or product introduced, 10,000 new potential vulnerabilities arise. Keeping track of all the new tools available to mitigate threats is more than a full-time job.
As the saying goes, “It’s not a matter of if an organization will be attacked, but when.”
And it’s the CISO’s job to minimize the damage when that day comes.